FortiClient EMS Administration Guide
File info: application/pdf · 274 pages · 10.55MB
Administration Guide
FortiClient EMS 7.0.1
FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: techdoc@fortinet.com
October 14, 2021 FortiClient EMS 7.0.1 Administration Guide 04-701-706783-20211014
TABLE OF CONTENTS
Introduction 9
FortiClient EMS components 9
Documentation 11
Getting started 12
Getting started with managing Windows, macOS, and Linux endpoints 12
Deploying FortiClient software to endpoints 12
Pushing configuration information to FortiClient 13
Relationship between FortiClient EMS, FortiGate, and FortiClient 14
Getting started with managing Chromebooks 18
Configuring FortiClient EMS for Chromebooks 18
Configuring the Google Admin console 18
Deploying a profile to Chromebooks 18
How FortiClient EMS and FortiClient work with Chromebooks 19
Installation preparation 20
System requirements 20
License types 20
FortiClient EMS 21
Component applications 23
Required services and ports 24
Management capacity 26
FortiClient Telemetry security features 28
Server readiness checklist for installation 28
Upgrading from an earlier FortiClient EMS version 29
Upgrading EMS and FortiClient 29
Upgrading EMS from an earlier version 30
Install preparation for managing Chromebooks 30
Google Workspace account 30
SSL certificates 30
Installation and licensing 32
Downloading the installation file 32
Installing FortiClient EMS 32
Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance 34
Installing FortiClient EMS using the CLI 36
Allowing remote access to FortiClient EMS and using custom port numbers 39
Customizing the SQL Server Express install directory 39
Starting FortiClient EMS and logging in 40
Configuring EMS after installation 40
Licensing FortiClient EMS 41
Licensing EMS by logging in to FortiCloud 42
Uploading a license file 46
Licensing EMS in an air-gapped network 46
License status 47
Help with licensing 48
FortiClient EMS 7.0.1 Administration Guide
3
Fortinet Technologies Inc.
Specifying different ports 48
Upgrading Microsoft SQL Server Express to Microsoft SQL Server Standard or Enterprise 48
Uninstalling FortiClient EMS 49
Installation and setup for managing Chromebooks 51
Google Admin Console setup 51
Service account credentials 58
Verifying ports and services and connection between EMS and FortiClient 63
Ports and services 63
Connectivity between EMS and FortiClient 64
GUI 65
Banner 65
Left pane 66
Content pane 68
Dashboard 69
Viewing the Status 69
System Information widget 69
License Information widget 71
Status charts and widgets 71
Viewing the Vulnerability Scan dashboard 74
Viewing current vulnerabilities 75
Viewing the Endpoint Scan Status 77
Viewing the top 10 vulnerable endpoints with high risk vulnerabilities 80
Viewing top ten vulnerabilities on endpoints 81
Viewing Chromebook Status 84
Invitations 85
Endpoint management 86
Windows, macOS, and Linux endpoints 86
Managing groups 86
Adding endpoints 86
Viewing endpoints 88
Managing endpoints 99
Group assignment rules 106
Group assignment rule types 106
Managing group assignment rule priority levels 107
Adding a group assignment rule 108
Enabling/disabling a group assignment rule 110
Deleting a group assignment rule 110
Google Domains 110
Adding a Google domain 110
Viewing domains 111
Editing a domain 113
Deleting a domain 113
Deployment & Installers 114
Manage Deployment 114
Preparing the AD server for deployment 114
Preparing Windows endpoints for FortiClient deployment 116
Creating a deployment configuration 116
Managing deployment configuration priority levels 117
Enabling/disabling a deployment configuration 118
Deleting a deployment configuration 119
Deploying initial installations of FortiClient (macOS) 119
Deploying FortiClient upgrades from FortiClient EMS 119
Deploying different installer IDs to endpoints using the same deployment package 119
FortiClient Installer 120
Adding a FortiClient deployment package 120
Viewing deployment packages 123
Deleting a FortiClient deployment package 123
Endpoint Policy & Components 124
Manage Policies 124
Adding an endpoint policy 124
Editing an endpoint policy 125
Deleting an endpoint policy 125
Enabling/disabling an endpoint policy 125
Managing endpoint policy priority levels 125
Editing endpoint policy view 127
FortiClient management based on Active Directory user/user groups 127
CA Certificates 129
On-fabric Detection Rules 131
Determining on-fabric/off-fabric status 133
Chromebook Policy 135
Endpoint Profiles 136
Editing a default profile 136
Creating a profile to configure FortiClient 136
Adding a new Chromebook profile 136
Viewing profiles 137
Managing profiles 137
Editing a profile 137
Cloning a profile 138
Syncing profile changes 138
Editing sync schedules 138
Deleting profiles 138
Profile Name 139
Malware Protection 140
AntiVirus Protection 140
Anti-Ransomware 144
Anti-Exploit 144
Cloud-Based Malware Detection 145
Removable Media Access 145
Exclusions 147
Other 148
Sandbox Detection 149
Web Filter 151
Importing a Web Filter profile from FortiOS or FortiManager 158
Enabling and disabling Safe Search 160
Support banned word check in URL 161
Application Firewall 163
VPN 164
SSL VPN 165
IPsec VPN 169
Configuring a profile with application-based split tunnel 174
Configuring a profile to allow or block endpoint from VPN tunnel connection based on the applied Zero Trust tag 177
Configuring a backup VPN connection 180
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection 182
Vulnerability Scan 184
System Settings 186
Configuring identity compliance for endpoints 193
XML Configuration 195
Creating a profile with XML 195
Importing a profile from an XML file 195
Configuring encrypted ZTNA rules 196
Zero Trust Tags 199
Zero Trust Tagging Rules 199
Adding a Zero Trust tagging rule set 199
Editing a Zero Trust tagging rule set 200
Deleting a Zero Trust tagging rule 200
Importing and exporting a Zero Trust tagging rule set 201
Uploading signatures for FortiGuard Outbreak Alerts service 201
Managing tags 202
Zero Trust tagging rule types 202
Zero Trust Tag Monitor 206
FortiOS dynamic policies using EMS dynamic endpoint groups 207
Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups 207
Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups 211
Restricting VPN access to rogue/non-compliant devices with Security Fabric 212
Fabric Device Monitor 219
FortiGuard Outbreak Alerts 220
Software Inventory 221
Applications 221
Hosts 222
Quarantine Management 224
Files 224
Viewing quarantined files 224
Allowlisting quarantined files 226
Configuring quarantine management 226
Allowlist 227
Viewing allowlisted files 227
Editing file descriptions 228
Deleting a file from the allowlist 228
Administration 229
Administrators 229
Viewing users 229
Configuring user accounts 230
Activating a disabled account 231
Admin roles 232
Adding an admin role 232
Cloning an admin role 232
Deleting admin roles 233
Admin role permissions reference 233
Configuring User Settings 236
Fabric Devices 236
Configuring EMS to share tagging information with multiple FortiGates 237
SAML SSO 238
Licenses 241
Log Viewer 241
Generate Diagnostic Logs 241
Marking all endpoints as uninstalled 241
System Settings 243
Configuring EMS settings 244
Adding an SSL certificate to FortiClient EMS for Chromebook endpoints 248
Configuring Logs settings 249
Configuring FortiGuard Services settings 249
Alerts 251
Configuring EMS Alerts 251
Configuring Endpoint Alerts 252
Configuring SMTP Server settings 253
Viewing alerts 255
Custom Messages 255
Customizing the endpoint quarantine message 255
Customizing Web Filter messages 256
Feature Select 257
Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints 260
Multitenancy 261
Enabling and configuring multitenancy 261
Global and per-site configuration 262
Global configuration 262
Site level configuration 263
Left pane with multitenancy enabled 264
Editing a site 267
Adding a multitenancy administrator 267
Logging into EMS with multitenancy enabled 269
Creating a support package 270
Migrating to another EMS instance 271
Limitations 272
Change log 273
Introduction
FortiClient Endpoint Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It provides visibility across the network to securely share information and assign security policies to endpoints. It is designed to maximize operational efficiency and includes automated capabilities for device management and troubleshooting. FortiClient EMS also works with the FortiClient Web Filter extension to provide web filtering for Google Chromebook users.
FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints and/or provide web filtering for Google Chromebook users. Benefits of deploying FortiClient EMS include:
• Remotely deploying FortiClient software to Windows PCs
• Updating profiles for endpoint users regardless of access location
• Administering FortiClient endpoint connections, such as accepting, disconnecting, and blocking connections
• Managing and monitoring endpoints, such as status, system, and signature information
• Identifying outdated FortiClient software versions
• Defining web filtering rules in a profile and remotely deploying the profile to the FortiClient Web Filter extension on Google Chromebook endpoints
You can manage endpoint security for Windows and macOS platforms using a unified organizational security policy. An organizational security policy provides a full understandable view of the security policies defined in the organization. You can see all policy rules, assignments, and exceptions in a single unified view.
FortiClient EMS is part of the Fortinet Endpoint Security Management suite, which ensures comprehensive policy administration and enforcement for an enterprise network.
FortiClient EMS components
FortiClient EMS provides the infrastructure to install and manage FortiClient software on endpoints. FortiClient protects endpoints from viruses, threats, and risks.
FortiClient EMS also provides the infrastructure to install and manage the FortiClient Web Filter extension on Google Chromebook endpoints. FortiClient protects endpoint users by working with FortiClient EMS to filter web content endpoint users view on Google Chromebooks.
The following table lists FortiClient EMS components:
FortiClient EMS: Manages FortiClient on endpoints that connect to your network. Manages the FortiClient Web Filter extension installed on Google Chromebook endpoints, which are connected to your Google domain. Includes the following software:
  • Console software that manages security profiles, FortiClient on endpoints, and Chromebook endpoints
  • Server software that provides secure communication between endpoints and the console and between Chromebook endpoints and the Google Admin console
Database: Stores security profiles and events. Also stores user information retrieved from the Google Admin console for Chromebooks. The FortiClient EMS installation installs the SQL database.
FortiClient: Helps enforce security and protection on endpoints. It runs on servers, desktops, and portable computers you want to secure. See the FortiClient Administration Guide for information.
FortiClient Web Filter Extension: Communicates with FortiClient EMS and enforces web filtering on Google Chromebook endpoints.
In the diagram, the undotted lines show how different components connect to manage Windows, macOS, and Linux endpoints using FortiClient EMS. The dotted lines represent how you use components to manage Chromebook endpoints with FortiClient EMS.
FortiClient EMS allows you to:
• Establish and enforce security profiles
• Manage deployment, configuration, and updates
• Manage security profiles from an integrated management console
• Obtain a consolidated view of multiple security components across all endpoints in your network and Google domain
• Perform integrated installation of security components and set profiles
• Monitor endpoints' web browsing activity
An informative video introducing you to FortiClient EMS is available in the Fortinet Video Library.
Documentation
You can access FortiClient EMS documentation from the Fortinet Document Library. The FortiClient EMS documentation set includes the following:
Administration Guide: Describes how to set up FortiClient EMS and use it to manage endpoints. It includes information on how to configure multiple endpoints, configure and manage profiles for the endpoints, and view and monitor endpoints.
New Features Guide: Describes new features and enhancements in FortiClient EMS for the release, including configuration information.
QuickStart Guide: Describes how to install and begin working with the FortiClient EMS system. It provides instructions on installation and deployment, and includes a high-level task flow for using the FortiClient EMS system.
Release Notes: Lists any known issues and limitations for the release. This document also defines supported platforms and minimum system requirements.
REST API: The FortiClient EMS API allows you to perform configuration operations on EMS. You can view the API documentation on the FortiAPI tab on FNDN.
Upgrade Paths: Provides upgrade path information for different versions of FortiClient EMS.
Compatibility Chart: Provides compatibility information for different versions of FortiClient EMS and other Fortinet products.
Getting started
Getting started with managing Windows, macOS, and Linux endpoints
Deploying FortiClient software to endpoints
Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints. You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. There are differences between using AD servers and workgroups.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS installs on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient installs on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The following shows a deployment of FortiClient using FortiClient EMS with an AD server:
1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
The following shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:
1. You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to install FortiClient on endpoints. See Viewing deployment packages on page 123.
2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
To deploy FortiClient software to endpoints:
1. Add endpoints with an AD server or Windows workgroups. See Adding endpoints on page 86. Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows workgroups display in Endpoints > Workgroups. You can install FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct for the applied deployment configuration in Deployment in FortiClient EMS. You can only use workgroups to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups for initial installations of FortiClient. When using workgroups, the deployment configuration credentials in Deployment in FortiClient EMS are not taken into account.
2. Create a FortiClient deployment package in FortiClient EMS. See Adding a FortiClient deployment package on page 120.
3. Create a profile that includes the desired configuration information for FortiClient software on endpoints. See Creating a profile to configure FortiClient on page 136.
4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment on page 114.
5. Create a deployment configuration with the desired deployment package. Configure the deployment configuration for the desired workgroup, domain, endpoint group, or organizational group. See Creating a deployment configuration on page 116. Depending on the selected profile's configuration, FortiClient installs on the endpoints to which the profile is applied. After FortiClient installation, the endpoint connects FortiClient Telemetry to FortiClient EMS to receive the profile configuration and complete endpoint management setup.
6. Monitor the installation process using the Endpoints pane. See Viewing the Endpoints pane on page 88.
Pushing configuration information to FortiClient
After the endpoints' FortiClient connects Zero Trust Telemetry to FortiClient EMS, EMS manages the endpoints, and you can use FortiClient EMS to push configuration information to FortiClient software on endpoints.
To push configuration information to FortiClient:
1. Edit an existing profile or create a new profile to configure FortiClient software on endpoints. See Creating a profile to configure FortiClient on page 136.
2. Edit an existing endpoint policy or create a new endpoint policy that is configured with the desired profile. Configure the endpoint policy to apply to the desired domains and workgroups. See Adding an endpoint policy on page 124. After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next Telemetry communication.
3. Monitor the update using the Endpoints pane. See Viewing the Endpoints pane on page 88.
Relationship between FortiClient EMS, FortiGate, and FortiClient
You can use FortiClient EMS in standalone mode or integrated with FortiGate. The following section illustrates the topology for each configuration and the differences between the scenarios. For details, see the FortiClient 7.0 Compliance Guide.
FortiClient in the Security Fabric
In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient endpoint information to the FortiGate. The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This feature requires FortiOS 6.2.0 or a later version. FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP or HTTPS traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or later.
FortiGate does not provide configuration information for FortiClient and the endpoint. An administrator must configure FortiClient using an EMS endpoint policy.
Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are also 7.0.0 or a later version:
1. EMS sends its CA certificate to the FortiGate.
2. FortiClient Telemetry connects to EMS.
3. FortiClient receives the following from EMS:
   • Licensing. See Windows, macOS, and Linux endpoint licenses on page 22.
   • Profile of configuration information as part of an endpoint policy. See Endpoint Profiles on page 136.
   • Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
4. FortiClient sends security posture information to EMS, including third-party software information, running processes, network information, and so on.
5. EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging rules. See Zero Trust Tagging Rules on page 199.
6. FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to build dynamic firewall policies.
7. When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
8. The FortiGate retrieves the UID to identify the device and check other information using the endpoint information that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
9. EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on those groups.
For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups on page 207.
FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the endpoint user cannot manually change FortiClient configuration.
Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are logged into EMS.
The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS. This allows the endpoint to connect FortiClient Telemetry to the specified EMS server.
EMS sends the following endpoint information to FortiOS:
• User profile:
  • Logged-in username
  • Full name
  • Email address
  • Phone number
  • User avatar
  • Social network account IDs
• MAC address
• OS type
• OS version
• FortiClient version
• FortiClient UUID
FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection. EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated information:
• System information
• User avatar
• Vulnerabilities
• Zero Trust tags
EMS also sends the following endpoint information to FortiAnalyzer:
• Telemetry/system information
• User avatar
• Software inventory
• Processes
• Network statistics
• Classification tags
FortiClient directly sends the following information to FortiAnalyzer:
• Logs
• Windows host events
See the FortiAnalyzer Administration Guide for details.
FortiClient with EMS
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends Zero Trust tagging rules to FortiClient, and uses the results from FortiClient to dynamically group endpoints in EMS. Only EMS can control the connection between FortiClient and EMS. You must make any changes to the connection from EMS, not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so that the endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must deregister the endpoint in EMS.
In this scenario, EMS and FortiClient cannot participate in the Security Fabric, since a FortiGate is not present.
Quarantining an endpoint from FortiOS using EMS
In FortiOS 6.0, an administrator can quarantine FortiClient endpoints using EMS by enabling the Quarantine FortiClient via EMS option. The following lists the requirements for this feature:
• The FortiClient endpoint is connected to FortiGate and managed by EMS.
• The FortiClient endpoint and FortiGate use the same FortiAnalyzer.
• The EMS managing the FortiClient endpoint is configured on the FortiGate. FortiOS allows configuration of up to three EMS servers to allow endpoint control in different locations.
Configuring Quarantine FortiClient via EMS requires setting the following fields in the FortiOS CLI: automation-stitch and forticlient-ems. See the FortiOS CLI Reference.
If Quarantine FortiClient via EMS is enabled, the following occurs when an indicator of compromise (IOC) is detected on an endpoint in the Security Fabric:
1. An IOC is detected on an endpoint.
2. FortiOS sends the endpoint information to EMS with instructions to quarantine the endpoint.
3. EMS identifies and quarantines the endpoint based on the request from FortiOS.
You can remove the endpoint from quarantine using EMS as Quarantining an endpoint on page 102 describes, or using FortiOS:
1. The administrator identifies that EMS has quarantined an endpoint from one of the following:
   a. FortiClient on the endpoint
   b. Quarantine Management or FortiClient Monitor in FortiOS
   c. Endpoints pane in EMS
2. The administrator removes the endpoint from quarantine in FortiOS.
3. FortiOS sends the endpoint information to EMS with instructions to remove the endpoint from quarantine.
4. EMS identifies and removes the endpoint from quarantine based on the request from FortiOS.
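The Zero Trust Telemetry flow in the Security Fabric (steps 1 to 9 above) and the Quarantine FortiClient via EMS flow, modelled together as an added Python example; this is illustrative code written for this page, not Fortinet's software, API or rule format. The classes Endpoint, EmsServer and FortiGate, the tag names, and the digest used as a stand-in for the CA signature are all assumptions: EMS issues a UID-bearing device certificate, evaluates tagging rules over the posture the endpoint reports into dynamic groups, and the gateway allows or denies by certificate validity, UID lookup, group membership and quarantine state.

```python
from dataclasses import dataclass, field
import hashlib
import uuid

@dataclass
class Endpoint:
    """A FortiClient endpoint and the posture it reports to EMS (step 4)."""
    hostname: str
    av_running: bool
    critical_vulns: int
    uid: str = field(default_factory=lambda: uuid.uuid4().hex)

# Zero Trust tagging rules (step 5) as tag name -> predicate over posture.
# Assumed rule shapes for illustration; real rules are built in the EMS GUI.
TAGGING_RULES = {
    "av-running": lambda ep: ep.av_running,
    "no-critical-vulns": lambda ep: ep.critical_vulns == 0,
}

class EmsServer:
    def __init__(self):
        self.ca_cert = "EMS-CA"   # constructed placeholder for the EMS CA (step 1)
        self.endpoints = {}       # uid -> Endpoint
        self.tags = {}            # uid -> set of tag names
        self.quarantined = set()  # UIDs quarantined at FortiOS's request

    def certificate_digest(self, uid):
        """Stand-in for the CA signature: binds a UID to this EMS's CA."""
        return hashlib.sha256(f"{self.ca_cert}:{uid}".encode()).hexdigest()[:16]

    def issue_device_certificate(self, ep):
        """Step 3: device certificate that carries the FortiClient UID."""
        self.endpoints[ep.uid] = ep
        return {"uid": ep.uid, "issuer": self.ca_cert, "digest": self.certificate_digest(ep.uid)}

    def receive_posture(self, ep):
        """Steps 4-5: record posture, then tag the endpoint with every matching rule."""
        self.endpoints[ep.uid] = ep
        self.tags[ep.uid] = {name for name, rule in TAGGING_RULES.items() if rule(ep)}
        return self.tags[ep.uid]

    def dynamic_groups(self):
        """Step 6: tag -> UIDs, as pulled by FortiOS to build dynamic policies."""
        return {tag: {uid for uid, tags in self.tags.items() if tag in tags} for tag in TAGGING_RULES}

    def set_quarantine(self, uid, quarantined):
        """Quarantine or release a managed endpoint on instruction from FortiOS."""
        if uid not in self.endpoints:
            return False
        (self.quarantined.add if quarantined else self.quarantined.discard)(uid)
        return True

class FortiGate:
    def __init__(self, ems, required_groups):
        self.ems = ems
        self.trusted_ca = ems.ca_cert                # step 1: CA received from EMS
        self.required_groups = set(required_groups)  # dynamic policy source groups

    def decide(self, cert):
        """Steps 7-8: verify the tunnelled client's certificate, look up the UID, apply policy."""
        if cert.get("issuer") != self.trusted_ca:
            return "deny: certificate not issued by the trusted EMS"
        uid = cert.get("uid", "")
        if cert.get("digest") != self.ems.certificate_digest(uid):
            return "deny: certificate does not match UID"
        if uid not in self.ems.endpoints:
            return "deny: UID unknown to EMS"
        if uid in self.ems.quarantined:
            return "deny: endpoint quarantined"
        groups = self.ems.dynamic_groups()
        missing = sorted(g for g in self.required_groups if uid not in groups.get(g, set()))
        return "allow" if not missing else "deny: not in " + ", ".join(missing)

    def ioc_detected(self, uid):
        """Quarantine FortiClient via EMS: FortiOS asks EMS to quarantine the endpoint."""
        return self.ems.set_quarantine(uid, True)

    def release(self, uid):
        """The administrator lifts the quarantine in FortiOS, which relays that to EMS."""
        return self.ems.set_quarantine(uid, False)

def run_scenario():
    """Walk two constructed endpoints through the flow; returns the gateway decisions."""
    ems = EmsServer()
    fgt = FortiGate(ems, ["av-running", "no-critical-vulns"])
    healthy = Endpoint("pc-healthy", av_running=True, critical_vulns=0)
    exposed = Endpoint("pc-exposed", av_running=True, critical_vulns=3)
    results = {}
    for ep in (healthy, exposed):
        cert = ems.issue_device_certificate(ep)
        ems.receive_posture(ep)
        results[ep.hostname] = fgt.decide(cert)
    results["bad-digest"] = fgt.decide({"uid": healthy.uid, "issuer": "EMS-CA", "digest": "0" * 16})
    fgt.ioc_detected(healthy.uid)
    results["after-ioc"] = fgt.decide(ems.issue_device_certificate(healthy))
    fgt.release(healthy.uid)
    results["after-release"] = fgt.decide(ems.issue_device_certificate(healthy))
    return results
```

Calling run_scenario() shows the compliant endpoint allowed, the endpoint with critical vulnerabilities denied by the dynamic group check, a certificate that does not bind the UID to the EMS CA refused, and the compliant endpoint denied while quarantined and allowed again after release.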
Getting started with managing Chromebooks
The following tasks are specific to Chromebook management. This section also includes a description of how FortiClient EMS and FortiClient work with Google Chromebooks after setup is complete.
Configuring FortiClient EMS for Chromebooks
To configure FortiClient EMS for Chromebooks:
1. Start and log in to FortiClient EMS. See Starting FortiClient EMS and logging in on page 40.
2. Add SSL certificates. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints on page 248.
3. Configure FortiClient EMS settings. See System Settings on page 243.
4. Configure user accounts and permissions. See Administrators on page 229. See Administration.
Configuring the Google Admin console
Following is an overview of how to configure the Google Admin console to prepare for adding the Google domain to FortiClient EMS. The document assumes you have created the Google domain.
To configure the Google Admin console:
1. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 51.
2. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 52.
3. Add root certificates. See Adding root certificates on page 53.
4. Configure unique service account credentials. See Configuring unique service account credentials on page 58.
5. Disallow incognito mode. See Disallowing incognito mode on page 55.
Deploying a profile to Chromebooks
Following is an overview of how to add a Google domain, configure profiles, and push profiles to Google Chromebooks. After you add the extension in the Google Admin console, the extension is downloaded to the Google Chromebook when the Chromebook user logs into the Chromebook.
To deploy a profile to Chromebooks:
1. Add the Google domain. See Adding a Google domain on page 110.
2. Define web filtering options in one or more profiles. You can enable Safe Search in profiles. See Adding a new Chromebook profile on page 136.
3. Edit an existing endpoint policy or create a new endpoint policy that is configured with the desired profile. Configure the endpoint policy to apply to domains to deploy FortiClient on Chromebooks. See Chromebook Policy on page 135.
4. Verify the FortiClient Web Filter extension. See Verifying the FortiClient Web Filter extension on page 57.
5. View Google domains and Google users. See Viewing domains on page 111.
How FortiClient EMS and FortiClient work with Chromebooks
After you install and configure FortiClient EMS, the Google Admin console, and the FortiClient Web Filter extension, the products work together to provide web filtering security for Google Chromebook users logged into the Google domain. Following is a summary of how the products work together after setup is complete:
1. A user logs into the Google Chromebook.
2. The Google Chromebook downloads the FortiClient Web Filter extension.
3. FortiClient connects to FortiClient EMS.
4. FortiClient downloads a profile to the Google Chromebook. The profile contains web filtering settings from FortiClient EMS.
5. The user browses the Internet on the Google Chromebook.
6. FortiClient sends the URL query to the Fortinet Ratings Server.
7. The Fortinet Ratings Server returns the category result to FortiClient. FortiClient compares the category result with the profile to determine whether to allow the Google Chromebook user to access the URL.
Installation preparation
This section helps you prepare to install FortiClient EMS. Before installing FortiClient EMS, be aware of the following information.
Before installing FortiClient EMS, it is recommended that you read the FortiClient EMS Release Notes to become familiar with relevant software components and other important information about the product.
System requirements
The minimum system requirements for FortiClient EMS are:
• Microsoft Windows Server 2019, 2016, or 2012 R2. On Windows Server 2019, preinstalling Microsoft ODBC Driver 17 for SQL Server (x64) is necessary.
• No additional installed services
• 2.0 GHz 64-bit processor, six virtual CPUs (6 vCPU)
• 8 GB RAM (10 GB RAM or more is recommended)
• 40 GB free hard disk
• Gigabit (10/100/1000baseT) Ethernet adapter
• Internet access is recommended, but optional, during installation. SQL Server may require some dependencies to be downloaded over the Internet. EMS will also try to download information about FortiClient signature updates from FortiGuard.
You should only install FortiClient EMS and the default services for the operating system on the server. You should not install additional services on the same server as FortiClient EMS. Unnecessary services may cause port conflicts and issues during upgrades, and interrupt EMS functionality.
Installing and running EMS on a domain controller is not supported.
License types
This section describes licensing options available for FortiClient EMS. It provides information for each license type to help determine which license best suits your needs.
FortiClient EMS
This section contains licensing information for FortiClient EMS.
Free trial license
After you install EMS, you can enable a free trial license. With the free trial license, you can provision and manage FortiClient on three Windows, macOS, Linux, iOS, and Android endpoints indefinitely. The trial license does not include management of Chromebook endpoints. The trial license includes the same functionality as the Fabric Agent license and does not include Sandbox Cloud support. EMS consumes one license count for each managed endpoint. See To apply a trial license to FortiClient EMS: on page 42. You must have an eligible FortiCloud account to activate an EMS trial license. A FortiCloud account can only have one EMS trial license. You should not use a trial license for production purposes. A trial license does not entitle you to Fortinet technical support. Fortinet may cancel a trial license if the terms of use are violated. The free trial policy terms may change at any time at Fortinet's discretion. You can only have one trial license per customer.
For evaluation, contacting Fortinet sales for an evaluation license is recommended. With an evaluation license, Fortinet provides support as needed during the evaluation period. See How to Buy.
Windows, macOS, and Linux endpoint licenses
The following are the latest license bundles for FortiClient EMS:

License name: Endpoint Protection Platform (EPP)
Description: Full license that offers all FortiClient features. Includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as antivirus (AV), antiransomware, anti-exploit, cloud-based malware detection, Application Firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.

License name: Zero Trust Network Access
Description: Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (SSL and IPsec VPN), Vulnerability Scan, Web Filter, threat protection via Sandbox (appliance only) and USB device control. Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum five year term. You can specify the number of endpoints and the term duration at time of purchase. If there is no ZTNA license applied to EMS, no endpoints can register to EMS.

License name: FortiSASE SIA
Description: See Licensing.
You can purchase different numbers of EPP and ZTNA licenses. For example, you can purchase 100 EPP licenses and 200 ZTNA licenses. EMS applies licenses to endpoints based on the features that are enabled in the endpoint's assigned profile.
The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses (a dash means the feature is not included in that license):

Feature                                          EPP   ZTNA
Zero Trust Security
  Zero Trust Agent                               Yes   Yes
  Central management via EMS                     Yes   Yes
  Dynamic Security Fabric connector              Yes   Yes
  Vulnerability agent and remediation            Yes   Yes
  SSL VPN with multifactor authentication (MFA)  Yes   Yes
  IPsec VPN with MFA                             Yes   Yes
  Sandbox appliance                              Yes   Yes
Next Generation Endpoint Security
  AI-powered next generation AV                  Yes   -
  FortiClient Cloud Sandbox                      Yes   -
  Automated endpoint quarantine                  Yes   -
  Application inventory                          Yes   -
  Application Firewall                           Yes   -
  Software Inventory                             Yes   -

You must purchase a license for each registered endpoint.
Chromebook licenses
Each purchased Chromebook license allows management of one Google Chromebook user. You must purchase a minimum of 25 Google Chromebook user licenses and can have these EMS licenses for a maximum three year term. You can specify the number of Google Chromebook users and the term duration at time of purchase. FortiClient EMS uses one license seat per logged-in user. If the user logs out, the license seat times out (default timeout being 24 hours), and the license is released. At this point, another user can use this license seat. If the number of Chromebooks that the EMS is managing exceeds the number of Chromebook licenses available, EMS licenses the additional Chromebooks using any available Fabric Agent licenses. For example, consider that your EMS instance has 50 Chromebook licenses, but 80 Chromebooks connect to the EMS instance. EMS licenses 50 Chromebooks using the Chromebook licenses, and licenses the remaining 30 Chromebooks using 30 Fabric Agent licenses, if available. EMS only licenses Chromebooks using Fabric Agent licenses if no Chromebook license is available. See Windows, macOS, and Linux endpoint licenses on page 22 for information about the Fabric Agent license.
EMS sends you an email when you are running out of licenses. Additionally, a log entry is entered when a client is refused connection due to unavailable licenses.
Component applications
Common services or applications do not require a license.
Installation of common services required for FortiClient EMS does not ask you for license information.
Required services and ports
You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation opens these.
Communication: FortiClient Telemetry
  Usage: FortiClient endpoint management
  Protocol/Port: TCP 8013 (default)
  Direction: Incoming
  How to customize: Installer/GUI

Communication: Samba (SMB) service
  Usage: FortiClient EMS uses the SMB service during FortiClient initial deployment.
  Protocol/Port: TCP 445
  Direction: Outgoing
  How to customize: N/A

Communication: Distributed Computing Environment / Remote Procedure Calls (DCE/RPC)
  Usage: FortiClient EMS connects to endpoints using RPC for FortiClient initial deployment.
  Protocol/Port: TCP 135, 1024-5000*, 49152-65535*
  Direction: Outgoing
  How to customize: You can configure the ranges noted with *. See How to configure RPC dynamic port allocation to work with firewalls.

Communication: Active Directory server connection
  Usage: Retrieving workstation and user information
  Protocol/Port: TCP 389 (LDAP) or 636 (LDAPS)
  Direction: Outgoing
  How to customize: GUI

Communication: FortiClient download
  Usage: Downloading FortiClient deployment packages created by FortiClient EMS
  Protocol/Port: TCP 10443 (default)
  Direction: Incoming
  How to customize: Installer

Communication: Apache/HTTPS
  Usage: Web access to FortiClient EMS
  Protocol/Port: TCP 443
  Direction: Incoming
  How to customize: Installer

Communication: SMTP server/email
  Usage: Alerts for FortiClient EMS and endpoint events. When an alert is triggered, EMS sends an email notification.
  Protocol/Port: TCP 25 (default)
  Direction: Outgoing
  How to customize: GUI

Communication: FortiClient endpoint probing
  Usage: FortiClient EMS uses ICMP for endpoint probing during FortiClient initial deployment.
  Protocol/Port: ICMP (no port)
  Direction: Outgoing
  How to customize: N/A

Communication: FSSO
  Usage: Connection to FortiOS.
  Protocol/Port: TCP 8000
  Direction: Incoming
  How to customize: N/A

Communication: Communication with FortiOS
  Usage: EMS is the server that opens up the port for FortiOS to connect to as a client.
  Protocol/Port: TCP 8015
  Direction: Incoming
  How to customize: N/A
The following ports and services only apply when using FortiClient EMS to manage Chromebooks:

Communication: FortiClient on Chrome OS
  Usage: Connecting to FortiClient EMS
  Protocol/Port: TCP 8443 (default). You can customize this port.
  Direction: Incoming
  How to customize: GUI

Communication: Google Workspace API/Google domain directory
  Usage: Retrieving Google domain information using API calls
  Protocol/Port: TCP 443
  Direction: Outgoing
  How to customize: N/A
You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:

Communication: FortiClient EMS
  Usage: Connecting to the profile server
  Protocol/Port: TCP 8443 (default)
  Direction: Outgoing
  How to customize: Via Google Admin console when adding the profile

Communication: FortiGuard
  Usage: Rating URLs
  Protocol/Port: TCP 443, 3400
  Direction: Outgoing
  How to customize: N/A
FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for FortiClient EMS to communicate with FortiGuard:

Usage: AV/vulnerability signature update
  Server URL (Global): forticlient.fortinet.net, myforticlient.fortinet.net
  Server URL (U.S.): usforticlient.fortinet.net
  Server URL (Europe): N/A
  Protocol/Port: TCP 80
  Direction: Outgoing
  How to customize: N/A

Usage: AV/vulnerability signature updates with FortiGuard Anycast
  Server URL (Global): fctupdate.fortinet.net
  Server URL (U.S.): fctusupdate.fortinet.net
  Server URL (Europe): fcteuupdate.fortinet.net
  Protocol/Port: TCP 443
  Direction: Outgoing
  How to customize: N/A
For the list of required services and ports for FortiClient, see the FortiClient Administration Guide.
Management capacity
FortiClient EMS is intended for enterprise use and has the capacity to manage a large number of endpoints.
Having at least 200 GB of disk space available is recommended.
You can use FortiClient EMS with SQL Server Express, Enterprise, or Standard. When managing more than 5000 endpoints, install SQL Server Enterprise or Standard instead of SQL Server Express, which the EMS installation installs by default. Otherwise, you may experience database deadlocks. See Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance on page 34. The following table summarizes which SQL Server edition to use for different numbers of managed endpoints.
- Up to 5000 endpoints: SQL Server Express (optionally, you can use SQL Server Enterprise or Standard). EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 5000 to 10000 endpoints: Enterprise or Standard. EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 10000 to 20000 endpoints: Enterprise or Standard. EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 20000 to 30000 endpoints: Enterprise or Standard. EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 30000 to 40000 endpoints: Enterprise or Standard. EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 40000 to 50000 endpoints: Enterprise or Standard. EMS and SQL Server can be installed on the same Windows Server machine, or on two different Windows Server machines.
- 50000 to 75000 endpoints: Enterprise or Standard. EMS and SQL Server must be installed on two different Windows Server machines.
The following are suggested host system hardware configurations for FortiClient EMS. The suggested configurations depend on the number of endpoints FortiClient EMS is managing. The following table shows the configurations when EMS and SQL Server are running on the same Windows Server machine:
Number of managed endpoints   Virtual CPUs   Memory (RAM) in GB   Suggested keep alive interval
Up to 5000                    6              8                    Default (60 seconds)
5000 to 10000                 10             10                   Default (60 seconds)
10000 to 20000                12             14                   120 seconds
20000 to 30000                18             18                   120 seconds
30000 to 40000                20             20                   120 seconds
40000 to 50000                22             22                   120 seconds
The following table shows the configurations when EMS and SQL Server are running on different Windows Server machines:

Number of managed endpoints   EMS server machine (vCPUs / RAM in GB)   SQL Server machine (vCPUs / RAM in GB)   Suggested keep alive interval
10000 to 20000                8 / 8                                    6 / 9                                    120 seconds
20000 to 30000                10 / 8                                   6 / 11                                   120 seconds
30000 to 40000                12 / 9                                   7 / 12                                   120 seconds
40000 to 50000                14 / 10                                  8 / 13                                   120 seconds
50000 to 75000                16 / 12                                  10 / 15                                  120 seconds
The requirements listed for managing 50000 to 75000 endpoints are considered best practice, even when managing a smaller number of endpoints.
FortiClient Telemetry security features
FortiClient connects to EMS and FortiGate over an SSL connection. All protocol exchanges flow through this secure connection. The connection is closed after protocol exchanges between both parties are complete. The SSL connections require a valid certificate. You can configure Telemetry connections between FortiClient and FortiGate or EMS to require a preshared password or connection key. See Configuring EMS settings on page 244. The default Telemetry port number is 8013. You can change this in EMS and FortiClient. When a port is not provided, FortiClient always attempts to connect to the default port, 8013. Changing the port in EMS locks out endpoints that are still using the default. At any time, you can disconnect a rogue endpoint from EMS and prevent it from reconnecting to EMS in the future. See Required services and ports on page 24 for a list of TCP/IP ports that EMS uses. You can block all other ports or service requests to the EMS IP address or fully qualified domain name (FQDN).
Server readiness checklist for installation
Use the following checklist to prepare your server for installation:
Checklist of readiness factors:
- Temporarily disable security applications. You must temporarily disable any antivirus (AV) software on the target server before you install FortiClient EMS. Installation may be slow or disrupted while these programs are active. A server may be vulnerable to attack when you uninstall or disable security applications.
- Consider the date and time settings you apply to your server. If managing Chromebooks, syncing the time to the Google server time is recommended.
- Confirm required services and ports are enabled and available for use by FortiClient EMS. Ensure no conflict exists with port 443 for the Apache service to function properly. Ensure no conflict exists with ports 8013 and 8443 for the EMS service to function properly.
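The following PowerShell script is an added example and is not part of the Fortinet guide. It turns the port tables in Required services and ports and the port-conflict items of this checklist into a check you can run on the prospective EMS host: it reports any process already listening on the ports EMS and its components need (80, 443, 8000, 8013, 8015, 8443, 10443), tests outbound TCP reachability to the FortiGuard update servers, and, after installation, confirms that the EMS listeners are up. The FortiGuard hostnames are the ones listed above; the domain controller and SMTP relay names are hypothetical placeholders.

```powershell
# Added example, not from the Fortinet guide. Pre-install port-conflict check, outbound
# reachability test, and post-install listener check for a FortiClient EMS 7.0.1 host.
# Ports are the defaults from "Required services and ports". Hypothetical placeholders:
# dc01.example.local (domain controller) and smtp.example.local (mail relay).
# Run in an elevated PowerShell session on the server that will host EMS.

# Ports EMS and the components it installs (Apache, SQL Server Express) must be able to bind.
$InboundPorts = @{
    80    = 'Apache HTTP (ClientDownloadPort default)'
    443   = 'Apache HTTPS (RemoteManagementPort default)'
    8000  = 'FSSO connection from FortiOS'
    8013  = 'FortiClient Telemetry'
    8015  = 'FortiOS connector'
    8443  = 'FortiClient on Chrome OS (only when managing Chromebooks)'
    10443 = 'FortiClient deployment package download'
}

# Destinations the EMS host itself must reach.
$OutboundTargets = @(
    @{ Host = 'fctupdate.fortinet.net';   Port = 443; Why = 'FortiGuard Anycast signature updates' }
    @{ Host = 'forticlient.fortinet.net'; Port = 80;  Why = 'Legacy FortiGuard signature updates' }
    @{ Host = 'dc01.example.local';       Port = 636; Why = 'Active Directory over LDAPS (hypothetical)' }
    @{ Host = 'smtp.example.local';       Port = 25;  Why = 'Alert email relay (hypothetical)' }
)

function Get-EmsPortConflicts {
    # One object per required port that some other process already holds in LISTEN state.
    param([hashtable]$Ports = $InboundPorts)
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        foreach ($l in $listeners) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port   = $port
                Needed = $Ports[$port]
                Owner  = if ($proc) { '{0} (PID {1})' -f $proc.ProcessName, $proc.Id } else { "PID $($l.OwningProcess)" }
            }
        }
    }
}

function Test-EmsOutbound {
    # One object per destination; Reachable is the result of a plain TCP connect.
    param([array]$Targets = $OutboundTargets)
    foreach ($t in $Targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Reachable = [bool]$r.TcpTestSucceeded; Why = $t.Why }
    }
}

function Get-EmsMissingListeners {
    # After installation: the EMS ports on which nothing is listening yet.
    param([int[]]$Ports = @(443, 8013, 10443))
    foreach ($port in $Ports) {
        if (-not (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)) { $port }
    }
}

$conflicts = @(Get-EmsPortConflicts)
if ($conflicts.Count) {
    Write-Warning 'Resolve these port conflicts before running the EMS installer:'
    $conflicts | Format-Table -AutoSize
} else {
    'No conflicts on the required inbound ports.'
}

$unreachable = @(Test-EmsOutbound | Where-Object { -not $_.Reachable })
if ($unreachable.Count) {
    Write-Warning 'Outbound destinations not reachable; check egress firewall or proxy settings:'
    $unreachable | Format-Table -AutoSize
} else {
    'All outbound destinations reachable.'
}

# Run after the installer has finished:
# $missing = @(Get-EmsMissingListeners); if ($missing.Count) { Write-Warning "Not listening: $($missing -join ', ')" }
```

Run it elevated: Get-NetTCPConnection reports owning process IDs reliably only with administrator rights. Test-NetConnection performs a direct TCP connect, so in an environment where EMS reaches FortiGuard only through a proxy, the FortiGuard rows will show as unreachable even though updates work through the proxy.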
Upgrading from an earlier FortiClient EMS version
FortiClient EMS 7.0.1 supports upgrading from previous EMS versions as outlined in FortiClient and FortiClient EMS Upgrade Paths.
Before any version upgrade or other maintenance, back up the EMS database. Consider performing a full server backup or taking a VM snapshot if possible.
Upgrading EMS and FortiClient
When EMS is managing FortiClient endpoints, you must consider the version compatibilities between EMS and FortiClient before upgrading EMS. Ensure that you follow these instructions when upgrading EMS and FortiClient:
See the EMS Compatibility Chart for EMS and FortiClient compatibility information.
To upgrade EMS and FortiClient:
1. If EMS is already upgraded to the latest version, do the following:
   a. For endpoints where the FortiClient version is compatible with the EMS version, deploy the latest FortiClient version as an upgrade from EMS. EMS can only upgrade FortiClient versions that it is compatible with. See Deploying FortiClient upgrades from FortiClient EMS on page 119.
   b. For endpoints where the FortiClient version is incompatible with the EMS version, manually uninstall FortiClient from the endpoint. Then, install the latest FortiClient version on the endpoint. See Uninstalling FortiClient and Installing FortiClient on computers.
2. If EMS is not yet upgraded to the latest version, do one of the following:
   a. Incrementally upgrade EMS and FortiClient to ensure that they remain compatible with each other at every step of the installation process. For example, if you want to upgrade EMS and FortiClient from 6.2 to 7.0, do the following:
      i. Upgrade EMS from 6.2 to 6.4 as To upgrade EMS from an earlier version: on page 30 describes.
      ii. Deploy the FortiClient upgrade from 6.2 to 6.4 from EMS as Deploying FortiClient upgrades from FortiClient EMS on page 119 describes.
      iii. Upgrade EMS from 6.4 to 7.0 as To upgrade EMS from an earlier version: on page 30 describes.
      iv. Deploy the FortiClient upgrade from 6.4 to 7.0 from EMS as Deploying FortiClient upgrades from FortiClient EMS on page 119 describes.
   b. Uninstall FortiClient, then deploy the latest version from EMS:
      i. Uninstall FortiClient by creating an Uninstall deployment configuration to deploy to endpoints. See Creating a deployment configuration on page 116.
      ii. Upgrade EMS to the latest version as To upgrade EMS from an earlier version: on page 30 describes.
      iii. Deploy the latest FortiClient version to endpoints as Manage Deployment on page 114 describes.
Upgrading EMS from an earlier version
To upgrade EMS from an earlier version:
1. Close FortiClient EMS.
2. Install FortiClient EMS 7.0.1 using the downloaded installer. You may complete the upgrade using one of the following methods. You can download the installer files from Customer Service & Support.
   a. Fortinet can enable push notifications on FDS for a new EMS GA build. If Fortinet has enabled this, a notification appears on the FortiClient EMS GUI. Click the notification, then review and accept the upgrade message.
   b. Run the full FortiClient EMS installer as an administrator.
   c. Run the light FortiClient EMS installer as an administrator. This installer connects to the FDS to check for, download, and run the latest full FortiClient EMS installer.
   d. Run the full FortiClient EMS installer as an administrator using the CLI. This is necessary for FortiClient EMS installations using a remote SQL database.
3. Monitor FortiClient EMS performance for at least two days, including testing use cases.
Install preparation for managing Chromebooks
Google Workspace account
You must sign up for your Google Workspace (formerly G Suite) account before you can use the Google service and manage your Chromebook users. The Google Workspace account is different from the free consumer account. The Google Workspace account is a paid account that gives access to a range of Google tools, services, and technology. You can sign up for a Google Workspace account here. In the signup process, you must use your email address to verify your Google domain. This also proves you have ownership of the domain.
SSL certificates
FortiClient EMS requires an SSL certificate signed by a Certificate Authority (CA) in pfx format. Use your CA to generate a certificate file in pfx format, and remember the configured password. For example, the certificate file name is server.pfx with password 111111. The server where you installed FortiClient EMS should have an FQDN, such as ems.forticlient.com, and you must specify the FQDN in your SSL certificate.
If you are using a public SSL certificate, the FQDN can be included in Common Name or Subject Alternative Name. You must add the SSL certificate to FortiClient EMS. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints on page 248. You do not need to add the root certificate to the Google Admin console.
If you are using a self-signed certificate (non-public SSL certificate), your certificate's Subject Alternative Name must include DNS:<FQDN>, for example, DNS:ems.forticlient.com. You must add the SSL certificate to FortiClient EMS and the root certificate to the Google Admin console to allow the extension to trust FortiClient EMS. See Adding root certificates on page 53.
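The following PowerShell script is an added example and is not part of the Fortinet guide. It covers the self-signed (non-public) case described above: it creates a certificate whose Subject Alternative Name carries DNS:<FQDN>, verifies that SAN entry before anything is exported, exports server.pfx with a private key for adding to EMS, and exports the public certificate, which for a self-signed certificate is also the root to add in the Google Admin console. The FQDN ems.forticlient.com is the guide's example; the output directory, key size and validity period are assumptions, and the PFX password is prompted for instead of being written into the script.

```powershell
# Added example, not from the Fortinet guide. Creates a self-signed EMS server certificate
# with DNS:<FQDN> in the Subject Alternative Name, exports server.pfx for EMS and the public
# certificate for the Google Admin console. Assumed: output under C:\EMS, RSA 2048, 2-year
# validity. Run as an administrator on the EMS server.

$Fqdn    = 'ems.forticlient.com'     # the guide's example FQDN; use your EMS server's FQDN
$PfxPath = 'C:\EMS\server.pfx'       # assumed output path for the PFX handed to EMS
$CerPath = 'C:\EMS\server-root.cer'  # assumed output path for the certificate uploaded to Google Admin
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# -DnsName places the name in the SAN extension as a dNSName entry (and in the CN).
$cert = New-SelfSignedCertificate -DnsName $Fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(2)

function Test-SanContainsDns {
    # $true when the SAN extension (OID 2.5.29.17) lists DNS Name=<DnsName>.
    # A matching CN alone is not sufficient for the Chromebook extension to trust EMS.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$DnsName
    )
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    return [bool]($san.Format($false) -match ('DNS Name=' + [regex]::Escape($DnsName)))
}

if (-not (Test-SanContainsDns -Certificate $cert -DnsName $Fqdn)) {
    throw "SAN does not contain DNS:$Fqdn; EMS for Chromebooks will not be trusted with this certificate."
}

# Certificate plus private key for EMS (see Adding an SSL certificate to FortiClient EMS for Chromebook endpoints).
$pfxPassword = Read-Host -Prompt "PFX password for $PfxPath" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Public certificate only. For a self-signed certificate this is the root to add in the Google Admin console.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

"Thumbprint:                       $($cert.Thumbprint)"
"PFX for EMS:                      $PfxPath"
"Root for the Google Admin console: $CerPath"
```

If you later replace the self-signed certificate with one from a public CA, the same SAN check applies, but you then add only the PFX to EMS and skip the root certificate step in the Google Admin console, as described above.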
Installation and licensing
Before you install and license FortiClient EMS on a server, ensure you have:
- Reviewed License types on page 20
- Met the requirements listed in Required services and ports on page 24
- Completed the Server readiness checklist for installation on page 28
- Logged into the server as the administrator. The administrator user account is equivalent to a Windows administrator account and provides access to all common services, FortiClient EMS, and other application tasks. You can use this account to initially log into the server and to create other user accounts for normal day-to-day use of the applications.
Installing FortiClient EMS on a dedicated server in a controlled environment is recommended. Installing other software applications can interfere with normal operation of FortiClient EMS.
EMS does not currently support high availability. For increased data reliability, consider Microsoft SQL Server redundancy. See Microsoft's documentation for details.
When installing SQL Server for use with EMS, ensure that Database Engine Services is selected. This is the minimum required feature set for SQL Server when used with EMS.
Downloading the installation file
FortiClient EMS is available for download from the Fortinet Support website. You can also receive the installation file from a sales representative. The following installation file is available for FortiClient EMS: FortiClientEndpointManagement_7.0.1.<build>_x64.exe For information about obtaining FortiClient EMS, contact your Fortinet reseller.
Installing FortiClient EMS
The FortiClient EMS installation package includes:
- FortiClient EMS
- Microsoft SQL Server 2017 Express Edition
- Apache HTTP server
Installing FortiClient EMS requires local administrator rights. Internet access is recommended, but optional, during installation. SQL Server may require some dependencies to be downloaded over the Internet. EMS will also try to download information about FortiClient signature updates from FortiGuard.
To install EMS:
1. Do one of the following:
   a. If you are logged into the system as an administrator, double-click the downloaded installation file.
   b. If you are not logged in as an administrator, right-click the installation file, and select Run as administrator.
2. If applicable, select Yes in the User Account Control window to allow the program to make changes to your system.
3. In the installation window, select I agree to the license terms and conditions if you agree with the license terms and conditions. If you do not agree, you cannot install the software.
4. (Optional) Click Options to specify a custom directory for the FortiClient EMS installation.
   a. Click Browse to locate and select the custom directory.
   b. Click OK to return to the installation wizard.
5. Click Install. The installation may take 30 minutes or longer. It may appear to stop at times, but this is only because certain steps in the installation process take longer than others.
6. When the program has installed correctly, the Success window displays. Click Close.
A FortiClient Endpoint Management Server icon is added to the desktop.
Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance
If you are using SQL Server Enterprise or Standard with FortiClient EMS, you must install FortiClient EMS using the CLI to specify the correct SQL Server instance. Ensure you have already installed and configured SQL Server Enterprise or Standard. For descriptions of FortiClient EMS installation CLI options, see Installing FortiClient EMS using the CLI on page 36.
Local existing database
This section lists the CLI commands for when FortiClient EMS and SQL Server Enterprise or Standard are installed on the same machine.
Database type: Local default instance using SQL authentication
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLUser=<username> SQLUserPassword=<password> InstallSQL=0 ScriptDB=1 SQLServerInstance= SQLService=<instance_name> SQLCmdlineOptions="/INSTANCENAME=" DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61

Database type: Local default instance using local Windows authentication
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLServerInstance= SQLService=<instance_name> SQLCmdlineOptions="/INSTANCENAME=" InstallSQL=0 ScriptDB=1

Database type: Local named instance using SQL authentication
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLUser=<username> SQLUserPassword=<password> InstallSQL=0 ScriptDB=1 SQLServerInstance=<instance_name> SQLService=mssql$<instance_name> SQLCmdlineOptions="/INSTANCENAME=<instance_name>"

Database type: Local named instance using local Windows authentication
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLServerInstance=<instance_name> SQLService=mssql$<instance_name> SQLCmdlineOptions="/INSTANCENAME=<instance_name>" InstallSQL=0 ScriptDB=1
For example, consider installing FortiClient EMS and pointing to a local instance with the following attributes:
- Named "database000"
- Using SQL authentication
- SQL username "janedoe"
- SQL password "password123"
- Database initial size of 31 MB
- Database initial log size of 4 MB
- Database growth rate of 11 MB
- Database log growth rate of 11%
- Database login timeout of 31 seconds
- Database SQL query timeout of 61 seconds
The installation command for this example is as follows:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLUser=janedoe SQLUserPassword=password123 InstallSQL=0 ScriptDB=1 SQLServerInstance=database000 SQLService=mssql$database000 SQLCmdlineOptions="/INSTANCENAME=database000" DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
Remote existing database
To create a backup directory:
Prior to installing FortiClient EMS, create a backup directory on the database server. The SQL Server service running on the database server and the Apache service running on the EMS server must both be able to access the backup directory. You must configure the backup directory as a subdirectory of a shared directory.
1. On the database server, create a shared directory.
2. Create a backup directory inside the shared directory that you created.
3. Right-click the shared directory and select Properties.
4. On the Security tab, ensure all users have full control of the directory.
Granting all users full control is the broadest setting that works. Because the directory holds SQL Server backups of the EMS database, limiting share and NTFS permissions to the accounts the SQL Server and EMS services run as is preferable, provided both can still read and write the directory.
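The following PowerShell script is an added example and is not part of the Fortinet guide. It performs steps 1 to 4 on the database server, but grants share and NTFS access only to the accounts that use the directory instead of to all users, and then lists the resulting grants for review. The account names, paths and share name are hypothetical; substitute the account your SQL Server service runs as and the WindowsUser you pass to the EMS installer.

```powershell
# Added example, not from the Fortinet guide. Creates the backup share on the database
# server with share and NTFS access limited to the accounts that use it, instead of
# giving all users full control. Hypothetical names, adjust to your environment:
#   forticlient.ca\svc-sql  account the remote SQL Server service runs as
#   forticlient.ca\janedoe  the WindowsUser passed to the EMS installer
# If the EMS services run as LocalSystem, grant the EMS computer account
# (forticlient.ca\EMS01$) instead of janedoe. Run as a local administrator on the
# database server (WIN-0888 in the guide's example).

$ShareRoot  = 'D:\EmsShare'                  # the shared directory (step 1)
$BackupDir  = Join-Path $ShareRoot 'Backup'  # the backup subdirectory (step 2)
$ShareName  = 'EmsShare'
$Principals = @('forticlient.ca\svc-sql', 'forticlient.ca\janedoe')

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# NTFS (steps 3 and 4, narrowed): stop inheriting from the drive root and set an explicit,
# minimal rule set. The directory is new, so it has no explicit ACEs of its own yet.
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)   # $false = drop inherited ACEs instead of copying them
foreach ($id in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') + $Principals) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ShareRoot -AclObject $acl

# SMB share permissions: the same principals and nobody else (no Everyone entry).
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $ShareRoot -FullAccess $Principals | Out-Null

function Get-EffectiveGrants {
    # Who can reach the backup directory through the share and through NTFS, for review.
    param([string]$Name, [string]$Path)
    [pscustomobject]@{
        ShareAllow = (Get-SmbShareAccess -Name $Name | Where-Object AccessControlType -eq 'Allow').AccountName
        NtfsAllow  = ((Get-Acl -Path $Path).Access | Where-Object AccessControlType -eq 'Allow').IdentityReference.Value
    }
}

Get-EffectiveGrants -Name $ShareName -Path $BackupDir | Format-List
"Pass BackupDir=\\$env:COMPUTERNAME\$ShareName\Backup to the EMS installer."
```

The NTFS rules are set on the shared directory with container and object inheritance, so the Backup subdirectory and any backup files SQL Server writes into it receive the same restricted grants. If the installer's database step fails with an access error on the backup path, the account that failed is the one to add, not Everyone.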
Installation commands for remote existing databases
For remote instances using Windows authentication (domain user), do the following:
1. Join the EMS and database servers to the same domain.
2. Create a database user that maps to the domain user.
3. In Command Prompt on the EMS server, run gpedit to open the Local Group Policy Editor.
4. In Local Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
5. Double-click Log on as a service. In the dialog, add the desired username from the Active Directory domain.
Database type: Remote default or named instance using SQL authentication
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLServer=<SQL_Server_name> SQLUser=<username> SQLUserPassword=<password> InstallSQL=0 ScriptDB=1 BackupDir=<backupdirectorypath> DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61

Database type: Remote default or named instance using Windows authentication (domain user)
Command:
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLServer=<SQL_Server_name> WindowsUser=<domain name>\<username> WindowsUserPassword=<password> InstallSQL=0 ScriptDB=1 BackupDir=<backupdirectorypath> DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
For example, consider installing FortiClient EMS and pointing to a remote named instance with the following attributes:
- On a computer with DNS name WIN-0888
- Using Windows authentication
- Domain name "forticlient.ca"
- Database initial size of 31 MB
- Database initial log size of 4 MB
- Database growth rate of 11 MB
- Database log growth rate of 11%
- Database login timeout of 31 seconds
- Database SQL query timeout of 61 seconds
- Backup directory of \\WIN-0888\Backup
The installation command for this example is as follows. This example also includes the optional SQLEncryptConnection option. Note that SQLEncryptConnection=no sends traffic between EMS and the remote SQL Server unencrypted; the default is yes, and you should keep the default unless you have a specific reason not to (see SQLEncryptConnection and SQLTrustServerCertificate in Installing FortiClient EMS using the CLI on page 36).
  FortiClientEndpointManagement_7.0.1.XXXX_x64.exe SQLServer=WIN-0888 WindowsUser=forticlient.ca\janedoe WindowsUserPassword=password123 InstallSQL=0 ScriptDB=1 BackupDir=\\WIN-0888\Backup SQLEncryptConnection=no DBInitialSize=31MB DBInitialLogSize=4MB DBGrowth=11MB DBLogGrowth=11% DBLoginTimeout=31 DBQueryTimeout=61
Installing FortiClient EMS using the CLI
Installing FortiClient EMS using the CLI allows you to enable certain options during installation, such as customizing the EMS installation directory, using custom port numbers, and so on.
You may need to wrap certain CLI option values in double quotation marks. For example, if the backup directory path includes a space, you must wrap the path in double quotation marks, such as: BackupDir="\\WIN-0888 AHAMILTON\Backup". Do not use single quotation marks.
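The following PowerShell wrapper is an added example and is not part of the Fortinet guide. It builds the CLI installation command from a table of options so that any value containing a space or an equals sign is wrapped in double quotes and never in single quotes, reads the SQL login password interactively instead of leaving it in the script or shell history, and prints a password-masked copy of the command for the change record before running the installer. The installer path, SQL Server host, instance, login and backup share are the guide's placeholders or hypothetical values.

```powershell
# Added example, not from the Fortinet guide. Builds and runs the EMS CLI installation for a
# remote named SQL Server instance with SQL authentication. Hypothetical values: installer in
# C:\Temp, host WIN-0888, instance database000, login janedoe, share "\\WIN-0888 AHAMILTON\Backup".
# Run in an elevated PowerShell session on the EMS server.

$Installer = 'C:\Temp\FortiClientEndpointManagement_7.0.1.XXXX_x64.exe'

# Option names are case-sensitive; keep them exactly as documented.
$Options = [ordered]@{
    SQLServer            = 'WIN-0888'
    SQLServerInstance    = 'database000'
    SQLService           = 'mssql$database000'
    SQLCmdlineOptions    = '/INSTANCENAME=database000'
    SQLUser              = 'janedoe'
    SQLUserPassword      = $null                  # filled in from the prompt below
    InstallSQL           = 0
    ScriptDB             = 1
    SQLEncryptConnection = 'yes'                  # the default, listed so the review shows it explicitly
    BackupDir            = '\\WIN-0888 AHAMILTON\Backup'
    DBInitialSize        = '31MB'
    DBInitialLogSize     = '4MB'
    DBGrowth             = '11MB'
    DBLogGrowth          = '11%'
    DBLoginTimeout       = 31
    DBQueryTimeout       = 61
}

function ConvertTo-InstallerArgument {
    # Name=Value, with the value double-quoted when it contains whitespace or '='.
    # Single quotes are never emitted because the installer does not accept them.
    param([string]$Name, [string]$Value)
    if ($Value -match '[\s=]') { return ('{0}="{1}"' -f $Name, $Value) }
    return ('{0}={1}' -f $Name, $Value)
}

function Get-InstallerArgumentList {
    param([System.Collections.IDictionary]$Opts)
    foreach ($k in $Opts.Keys) { ConvertTo-InstallerArgument -Name $k -Value ([string]$Opts[$k]) }
}

# The installer still receives the password as a plaintext argument, which is visible in
# process listings while it runs; run this interactively and rotate the login afterwards
# if other users have sessions on this host.
$secure = Read-Host -Prompt "SQL password for $($Options['SQLUser'])" -AsSecureString
$Options['SQLUserPassword'] = [System.Net.NetworkCredential]::new('', $secure).Password

$argList = @(Get-InstallerArgumentList -Opts $Options)

# Masked copy of the exact command line, for the change record.
'Running: {0} {1}' -f $Installer, (($argList -replace '^SQLUserPassword=.*$', 'SQLUserPassword=********') -join ' ')

$p = Start-Process -FilePath $Installer -ArgumentList $argList -Verb RunAs -Wait -PassThru
"Installer exit code: $($p.ExitCode)"
```

ConvertTo-InstallerArgument reproduces the forms shown in the tables above: SQLCmdlineOptions="/INSTANCENAME=database000" and BackupDir="\\WIN-0888 AHAMILTON\Backup" are quoted, while DBLogGrowth=11% and ScriptDB=1 are not.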
The following table provides a description of all options available when installing FortiClient EMS using the CLI. These options are case-sensitive:
Option: AllowedWebHostnames
Description: The default value is localhost, 127.0.0.1. To clear this value, first enter AllowedWebHostnames=*, then enter the desired AllowedWebHostnames value. Otherwise, the value that you enter is appended to [localhost, 127.0.0.1], so that AllowedWebHostnames=localhost, 127.0.0.1, <new_value>.
FortiClient EMS 7.0.1 Administration Guide
36
Fortinet Technologies Inc.
Installation and licensing Option ApacheServerAdminEmail BackupDir ClientDownloadPort RemoteManagementPort InstallFolder InstallSQL
ScriptDB
ServerHostname SQLAuthType SQLCmdlineOptions="/INSTANCEDIR" SQLCmdlineOptions="/INSTANCENAME" SQLEncryptConnection SQLPort
SQLServer SQLServerInstance SQLService
SQLTrustServerCertificate
Description
Enter the Apache Server administrator's email address. By default, this is admin@<yourcompany>.com.
Enter the desired backup directory UNC path for SQL Server.
Enter the HTTP port number. The default is 80.
Enter the HTTPS port number. The default is 443.
Specify the directory to install EMS to.
Controls whether the installer installfs SQL Server Express on the same server as FortiClient EMS. Enter 1 to install SQL Server Express. Otherwise, enter 0. By default, the EMS installation also installs SQL Server Express.
Controls where the installer attempts to create the database from db scripts. Enter 1 to create the database from db scripts. You should only enter 0 if you have already set up databases on the server and you are only installing EMS components locally.
Enter the preferred hostname (the remote hostname). The default is the local host.
Enter sql.
Enter the desired directory to install SQL Server Express to.
Enter the SQL Server instance name.
(Optional) Enter yes to encrypt the connection to SQL Server. Otherwise, enter no. The default is yes.
Enter the port number the remote SQL Server instance is listening on. You should configure SQL Server to use a static port number.
If using an instance with a custom name, enter the DSN name of the computer where SQL Server is already installed.
Enter the SQL Server instance name.
If using a default database instance, enter the instance name. If using a named database instance, enter mssql$<instance_name>. For example, if your instance is named "database000", enter mssql$database000.
(Optional) Enter yes to trust the SQL Server certificate on the machine where FortiClient EMS is installed. If entering no, you must install the issuing CA certificate of SQL Server's certificate onto the machine you are connecting FortiClient EMS from.
SQLUser: Enter the SQL username used to connect to the database instance. You must preconfigure this user in SQL Server.
SQLUserPassword: Enter the SQL password used to connect to the database instance.
WindowsUser: Enter the Windows username that EMS services, once installed, use to connect to the database instance. You must preconfigure this user in SQL Server.
WindowsUserPassword: Enter the Windows password that EMS services, once installed, use to connect to the database instance.
DBInitialSize: Enter the database initial size. The default value is 30 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBInitialLogSize: Enter the database initial log size. The default value is 3 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBGrowth: Enter the database growth value. The default value is 10 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBLogGrowth: Enter the database log growth rate. The default value is 10%. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBLoginTimeout: Enter the database login timeout value in seconds. This option is only useful for remote databases. You must increase DBLoginTimeout if there is transiently higher than expected latency between the EMS server and the remote SQL server. However, if this latency is always high, EMS is unlikely to perform well; in that case, fix the latency instead. The default value for this option is 30. The installer only uses this option when creating/scripting the EMS databases. This option is unused once EMS is installed.
DBQueryTimeout: Enter the database query timeout value in seconds. During installation, a SQL query instructs SQL Server to create a database. The default value for this option is 60. Creating the actual database file system can take a long time on a slow hard drive. The installer only uses this option when creating/scripting the EMS databases. This option is unused once EMS is installed.
EPCPort: Enter the default listening port that endpoints connect to. The default value for this option is 8013.
StartServices: The default value of this option is 1. Setting this option to 0 results in the installer not starting EMS services when installation is complete.
SQLServerCheck: The default value of this option is 1. Setting this option to 0 results in the installer skipping its initial SQL server accessibility test. Skipping this test may result in installation or upgrade rollbacks if the SQL server cannot be reached during installation.
Allowing remote access to FortiClient EMS and using custom port numbers
To allow remote access to FortiClient EMS from a web browser, install FortiClient EMS by entering the following command in the CLI. You can also specify custom HTTP and HTTPS port numbers:
    FortiClientEndpointManagement_7.0.1.XXXX_x64.exe ServerHostname=<preferred_host_name> ClientDownloadPort=<HTTP_port_number> RemoteManagementPort=<HTTPS_port_number> AllowedWebHostnames=<allowed_web_host_names> ApacheServerAdminEmail=<Apache_Server_admin_email_address>
The example specifies the server hostname as emshost.ems.com, appends emshost.ems.com to the allowed web hostnames, and specifies example@example.com as the Apache server administrator email. This example changes the HTTP and HTTPS ports to 1080 and 22443, respectively.
    FortiClientEndpointManagement_7.0.1.XXXX_x64.exe ServerHostname=emshost.ems.com ClientDownloadPort=1080 RemoteManagementPort=22443 AllowedWebHostnames=emshost.ems.com ApacheServerAdminEmail=example@example.com
Customizing the SQL Server Express install directory
By default, the FortiClient EMS installation also installs SQL Server Express. Using the CLI to install FortiClient EMS allows you to customize the SQL Server Express install directory. These instructions do not apply for SQL Server Enterprise or Standard, which you must install separately from FortiClient EMS. For information on SQL Server Enterprise or Standard and FortiClient EMS, see Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance on page 34.
Customizing the SQL Server Express install to a local directory
Use the following command to customize the SQL Server Express install to a local directory:
    FortiClientEndpointManagement_7.0.1.XXXX_x64 SQLCmdlineOptions="/INSTANCENAME=FCEMS /INSTANCEDIR=<desired_directory>"
The example installs FortiClient EMS, installing SQL Server to the C:\sqlserver directory:
    FortiClientEndpointManagement_7.0.1.XXXX_x64 SQLCmdlineOptions="/INSTANCENAME=FCEMS /INSTANCEDIR=c:\sqlserver"
Customizing the SQL Server Express install to a remote directory
Use the following command to customize the SQL Server Express install to a remote directory:
    FortiClientEndpointManagement_7.0.1.XXXX_x64 InstallFolder=<desired_directory> SQLServer=<SQL_Server_name> SQLServerInstance= SQLService=MSSQLSERVER
The example installs FortiClient EMS, installing SQL Server to the C:\sqlserver directory on a computer with DNS name WIN-0888:
    FortiClientEndpointManagement_7.0.1.XXXX_x64 InstallFolder=c:/sqlserver SQLServer=WIN-0888 SQLServerInstance= SQLService=MSSQLSERVER
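As an added example (not from the Fortinet guide), the following PowerShell builds an unattended install command from the options in the table above, enforces the documented value rules and the double-quote rule for values containing spaces, and runs pre-flight checks for the local listening ports and the remote SQL Server port before the installer is launched. The installer file name, host names, paths and credentials are placeholders.

```powershell
# Added example, not from the Fortinet guide. Option names are case-sensitive, so they
# are checked with a case-sensitive operator. Host names, paths and credentials are placeholders.

# The option names documented in the installer table above.
$script:EmsOptionNames = @(
    'AllowedWebHostnames', 'ApacheServerAdminEmail', 'BackupDir', 'ClientDownloadPort',
    'RemoteManagementPort', 'InstallFolder', 'InstallSQL', 'ScriptDB', 'ServerHostname',
    'SQLAuthType', 'SQLCmdlineOptions', 'SQLEncryptConnection', 'SQLPort', 'SQLServer',
    'SQLServerInstance', 'SQLService', 'SQLTrustServerCertificate', 'SQLUser',
    'SQLUserPassword', 'WindowsUser', 'WindowsUserPassword', 'DBInitialSize',
    'DBInitialLogSize', 'DBGrowth', 'DBLogGrowth', 'DBLoginTimeout', 'DBQueryTimeout',
    'EPCPort', 'StartServices', 'SQLServerCheck'
)

function Format-EmsOption {
    param([string]$Name, [string]$Value)
    # Values containing whitespace must be wrapped in double quotes, never single ones.
    if ($Value -match '\s') { return ('{0}="{1}"' -f $Name, $Value) }
    return ('{0}={1}' -f $Name, $Value)
}

function Test-EmsOptionValues {
    param([hashtable]$Options)
    foreach ($name in $Options.Keys) {
        if ($script:EmsOptionNames -cnotcontains $name) { throw "Unknown or mis-cased option: $name" }
    }
    foreach ($flag in 'InstallSQL', 'ScriptDB', 'StartServices', 'SQLServerCheck') {
        if ($Options.ContainsKey($flag) -and $Options[$flag] -notin @('0', '1')) { throw "$flag must be 0 or 1" }
    }
    foreach ($yesNo in 'SQLEncryptConnection', 'SQLTrustServerCertificate') {
        if ($Options.ContainsKey($yesNo) -and $Options[$yesNo] -notin @('yes', 'no')) { throw "$yesNo must be yes or no" }
    }
    if ($Options.ContainsKey('SQLAuthType') -and $Options['SQLAuthType'] -ne 'sql') { throw 'SQLAuthType must be sql' }
    foreach ($port in 'ClientDownloadPort', 'RemoteManagementPort', 'EPCPort', 'SQLPort') {
        if ($Options.ContainsKey($port)) {
            $n = [int]$Options[$port]
            if ($n -lt 1 -or $n -gt 65535) { throw "$port must be between 1 and 65535" }
        }
    }
}

function New-EmsInstallCommand {
    param([Parameter(Mandatory)][string]$Installer, [Parameter(Mandatory)][hashtable]$Options)
    Test-EmsOptionValues -Options $Options
    $parts = foreach ($name in ($Options.Keys | Sort-Object)) {
        Format-EmsOption -Name $name -Value ([string]$Options[$name])
    }
    return ($Installer + ' ' + ($parts -join ' '))
}

function Test-EmsPreflight {
    param([hashtable]$Options)
    $problems = @()
    # A listener already on the HTTP, HTTPS or endpoint (8013) port blocks the EMS services.
    $defaults = @{ ClientDownloadPort = 80; RemoteManagementPort = 443; EPCPort = 8013 }
    foreach ($name in $defaults.Keys) {
        $p = if ($Options.ContainsKey($name)) { [int]$Options[$name] } else { $defaults[$name] }
        if (Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue) {
            $problems += "TCP port $p ($name) already has a listener on this host"
        }
    }
    # An unreachable remote SQL Server rolls the installation back unless SQLServerCheck=0,
    # so probe its static port before starting the installer.
    if ($Options.ContainsKey('SQLServer') -and $Options.ContainsKey('SQLPort')) {
        $ok = Test-NetConnection -ComputerName $Options['SQLServer'] -Port ([int]$Options['SQLPort']) -InformationLevel Quiet
        if (-not $ok) { $problems += ('SQL Server {0}:{1} is unreachable' -f $Options['SQLServer'], $Options['SQLPort']) }
    }
    # The SQL backup directory is a UNC path that the installing account must be able to reach.
    if ($Options.ContainsKey('BackupDir') -and -not (Test-Path -LiteralPath $Options['BackupDir'])) {
        $problems += "BackupDir $($Options['BackupDir']) is not accessible from this host"
    }
    return $problems
}

# Constructed input: a remote SQL Server with an encrypted connection, custom web ports,
# and a backup directory whose path contains a space (hence the double quotes in the output).
$opts = @{
    ServerHostname            = 'emshost.example.com'
    ClientDownloadPort        = '1080'
    RemoteManagementPort      = '22443'
    AllowedWebHostnames       = 'emshost.example.com'
    InstallSQL                = '0'
    SQLServer                 = 'sqlhost.example.com'
    SQLPort                   = '1433'
    SQLAuthType               = 'sql'
    SQLUser                   = 'ems_installer'
    SQLUserPassword           = 'PLACEHOLDER_PASSWORD'
    SQLEncryptConnection      = 'yes'
    SQLTrustServerCertificate = 'no'
    BackupDir                 = '\\WIN-0888 AHAMILTON\Backup'
}
$command = New-EmsInstallCommand -Installer 'FortiClientEndpointManagement_7.0.1.XXXX_x64.exe' -Options $opts
$issues = Test-EmsPreflight -Options $opts
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output $command }
```

The script only prints the assembled command; run it from an elevated prompt once the pre-flight checks report no problems.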
Starting FortiClient EMS and logging in
FortiClient EMS runs as a service on Windows computers.
To start FortiClient EMS and log in:
1. Double-click the FortiClient Endpoint Management Server icon.
2. By default, the admin user account has no password. Sign in with the username admin and no password.
3. You must now add a password to EMS for increased security. Change the password following the rules shown. Click Submit.
4. Configure FortiClient EMS by going to System Settings.
Configuring EMS after installation
You can configure an FQDN for EMS. FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or fully qualified domain name (FQDN). An FQDN is preferable for the following reasons:
• Easy to migrate EMS to a different IP address
• Easy to migrate to a different EMS instance
• Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device with your external IP address to forward communication received on port 8013 to your EMS internal IP address. This allows your external clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration would require external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are not connected to VPN at that time.
You can also configure FortiClient EMS so that you can access it remotely using a web browser instead of the GUI.
To enable remote access to FortiClient EMS:
1. Go to System Settings > EMS Settings.
2. Enable Use FQDN. In the FQDN field, enter the desired FQDN.
3. If desired, in the Custom hostname field, enter the hostname or IP address. Otherwise, EMS uses the Pre-defined hostname.
4. If desired, select the Redirect HTTP request to HTTPS checkbox. If this option is enabled, an attempt to remotely access EMS at http://<server_name> automatically redirects to https://<server_name>.
5. Click Save.
To remotely access FortiClient EMS:
• To access EMS from the EMS server, visit https://localhost
• To access the server remotely, use the server's hostname: https://<server_name>
Ensure you can ping <server_name> remotely. You can achieve this by adding it into a DNS entry or to the Windows hosts file. You may need to modify the Windows firewall rules to allow the connection.
Licensing FortiClient EMS
There are several licensing options available with FortiClient EMS. You can use these licenses to manage Windows, macOS, Linux, or Chromebook endpoints. For information on the different license types available, see License types on page 20.
There are two ways to activate, upgrade, or renew a FortiClient EMS license:
• Licensing EMS by logging in to FortiCloud on page 42: You can log in to your FortiCloud account to activate EMS using that account. Once an EMS license expires, EMS uses the FortiCloud account to obtain a new license file, if available on that account. You can use this method to apply a trial or paid license to EMS. This is the primary licensing method for EMS.
• Uploading a license file on page 46: You can upload a license file to EMS. This functions in the same way as EMS versions prior to 6.2.0. You must use this backup licensing method only if you cannot license EMS by logging into FortiCare.
You must activate an EMS license before you can manage and provision any endpoints with EMS.
You can license an EMS instance that is in an isolated environment and completely isolated from the Internet using an Air-Gap license. To obtain an Air-Gap license, contact Fortinet Customer Service & Support.
Although the option to upload a license file is available in the EMS GUI, FortiCloud does not provide EMS 7.0 license files. You cannot use this option to activate, upgrade, or renew an EMS 7.0 license.
Licensing EMS by logging in to FortiCloud
You must license FortiClient EMS to use it for endpoint management and provisioning.
Applying a trial license to FortiClient EMS
To apply a trial license to FortiClient EMS:
The following steps assume that you have already acquired an EMS installation file from FortiCloud or a Fortinet sales representative for evaluation purposes and installed EMS.
1. In EMS, in the License Information widget, click Add beside FortiCloud Account.
2. In the FortiCloud Registration dialog, enter your FortiCloud account credentials. If you do not have a FortiCloud account, create one.
3. Read and accept the license agreement terms.
4. Click Login & Start Trial. If your FortiCloud account is eligible for an EMS trial license, the License Information widget updates with the trial license information, and you can now manage three Windows, macOS, Linux, iOS, and Android endpoints indefinitely.
Applying paid licenses to FortiClient EMS
To apply a paid license to FortiClient EMS:
The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Register Product.
3. In the Registration Code field, enter the Contract Registration Code from your service registration document. Configure other fields as required, then click Next.
4. Do one of the following:
   a. If this is the first license that you are applying to this EMS server, do the following:
      i. Click Register.
      ii. In the Hardware ID field, enter the hardware ID found in Dashboard > Status > License Information widget > Configure License in EMS. If you register the license prior to installing EMS, you must enter the hardware ID after installation. Configure other fields as required, then click Next.
      iii. Complete the registration, then click Confirm.
      iv. In EMS, go to Dashboard > Status > License Information widget > Configure License.
      v. For License Source, select FortiCare.
      vi. In the FortiCloud Account field, enter your FortiCloud account ID or email address.
      vii. In the Password field, enter your FortiCloud account password.
      viii. Click Login & Update License. Once your account information is authenticated, EMS updates the Configure License page with the serial number and license information that it retrieved from FortiCloud.
   b. As described in Windows, macOS, and Linux endpoint licenses on page 22, you can apply multiple license types to the same EMS server. For example, if you have already applied an EPP license to your EMS server, you can apply another license type, such as a ZTNA license, to the same EMS server. If desired, add another license type:
      i. On the Registration Confirmation page, when applying an additional license type, you must select Renew on the contract registration screen, regardless of the license types of the first and subsequent licenses. Selecting Renew combines the new license with any existing licenses for the EMS server and allows you to add the new license type to EMS while retaining previously applied license(s).
         When applying an additional license type to EMS, selecting Register instead of Renew creates an additional license file instead of combining the new license with the existing license(s). You will not be able to apply the new and existing licenses to the same EMS server.
      ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can find the serial number in Dashboard > Status > License Information widget > Configure License in EMS. Click Next.
      iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset management pages:
• EMS software version
• Number of FortiClient endpoints currently actively licensed under and being managed by this EMS
• Endpoint license expiry statuses. You can use this information to plan license renewals.
Using a second license to extend the license expiry date does not increase the number of licensed clients. To increase the number of licensed clients, contact Fortinet Support for a coterm contract.
If you previously activated another license with the same EMS hardware ID, you receive a duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from the old license.
To apply multiple paid licenses to FortiClient EMS:
You may want to apply multiple paid licenses of the same type at the same time. For example, if you want EMS to manage 525 ZTNA endpoints, you can purchase two ZTNA licenses: one for 500 endpoints, and another for 25 endpoints. In this scenario, you need to register the licenses at the same time. The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Register Product.
3. In the Registration Code field, enter the Contract Registration Codes from your service registration documents. Separate the codes with a comma. For example, to register the 3922U and 1057U codes in the following screenshots, you would enter 3922U,1057U in the Registration Code field. Configure other fields as required, then click Next.
4. Do one of the following:
   a. If these are the first licenses that you are applying to this EMS server, do the following:
      i. Click Register.
      ii. In the Hardware ID field, enter the hardware ID found in Dashboard > Status > License Information widget > Configure License in EMS. If you register the licenses prior to installing EMS, you must enter the hardware ID after installation. Configure other fields as required, then click Next.
      iii. Complete the registration, then click Confirm.
      iv. In EMS, go to Dashboard > Status > License Information widget > Configure License.
      v. For License Source, select FortiCare.
      vi. In the FortiCloud Account field, enter your FortiCloud account ID or email address.
      vii. In the Password field, enter your FortiCloud account password.
      viii. Click Login & Update License. Once your account information is authenticated, EMS updates the Configure License page with the serial number and license information that it retrieved from FortiCloud.
   b. As described in Windows, macOS, and Linux endpoint licenses on page 22, you can apply multiple license types to the same EMS server. For example, if you have already applied an EPP license to your EMS server, you can apply other license types, such as a ZTNA license, to the same EMS server. If desired, add another license type:
      i. On the Registration Confirmation page, when applying an additional license type, you must select Renew on the contract registration screen, regardless of the license types of the first and subsequent licenses. Selecting Renew combines the new licenses with any existing licenses for the EMS server and allows you to add the new license types to EMS while retaining previously applied license(s).
         When applying additional license types to EMS, selecting Register instead of Renew creates an additional license file instead of combining the new licenses with the existing license(s). You will not be able to apply the new and existing licenses to the same EMS server.
      ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can find the serial number in Dashboard > Status > License Information widget > Configure License in EMS. Click Next.
      iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset management pages:
• EMS software version
• Number of FortiClient endpoints currently actively licensed under and being managed by this EMS
• Endpoint license expiry statuses. You can use this information to plan license renewals.
Using a second license to extend the license expiry date does not increase the number of licensed clients. To increase the number of licensed clients, contact Fortinet Support for a coterm contract.
If you previously activated another license with the same EMS hardware ID, you receive a duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from the old license.
Uploading a license file
You must use this backup licensing method only if you cannot license EMS by logging into FortiCare. Contact Fortinet Support to activate, upgrade, or renew your FortiClient EMS license. After you have the license file, you can add it to FortiClient EMS.
To upload a license file for activation, upgrade, or renewal:
1. Go to Dashboard > Status > License Information widget > Configure License.
2. For License Source, select File Upload.
3. Click Browse and locate the license key file.
4. Click Upload.
Licensing EMS in an air-gapped network
If you are deploying EMS in an air-gapped or isolated network where EMS cannot access the Internet, you can configure EMS to receive updates from FortiManager to deploy to FortiClient. In offline mode, FortiManager allows export and import of FortiGuard packages from FortiManager for provisioning as a FortiGuard distribution server. You can export FortiGuard packages from an online FortiManager to import to an offline FortiManager that will provide signature, engine, and FortiClient installer updates to EMS. EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability Scan, and Sandbox signatures and engines updates and FortiClient installers from FortiManager and deploys updates to FortiClient while in an air-gapped or isolated network. This feature is also useful if you have experienced hardware failure and need to install EMS on another server. Fortinet customer support can provide a key file to allow you to apply your original license to EMS on the new server.
To configure EMS for an air-gapped network:
1. Contact Fortinet Customer Service & Support. Provide them with your original EMS license file and the IP address of the new machine where you will install EMS. They provide you with a key file.
2. Install EMS. See Installing FortiClient EMS.
3. Go to System Settings > EMS settings. Ensure that the value in the Listen on IP field matches the IP address that you gave to Customer Service & Support in step 1. Otherwise, EMS will not be able to validate the key file.
4. In EMS, on the License Information widget, select Config License.
5. For License Source, select File Upload.
6. In License File, browse to and upload your original license file.
7. EMS detects that the hardware ID associated with the license has changed and prompts you to upload the key file. Browse to and upload the key file that Customer Service & Support provided to you. If the key file matches the license file, the EMS license is activated.
8. Enable EMS to use FortiManager for signature updates:
   a. Go to System Settings > FortiGuard Settings.
   b. Enable Use FortiManager for client software/signature updates.
   c. Configure the fields for the desired FortiManager.
   d. Click Save.
9. Enable endpoint profiles to use FortiManager for signature updates:
   a. Go to Endpoint Profiles > Manage Profiles.
   b. Select the desired profile.
   c. On the System Settings tab, under Update, enable Use FortiManager for Client Signature Update.
   d. Configure the fields for the same FortiManager as you configured in step 8.
   e. Configure the update schedule as desired.
   f. Click Save.
License status
The Dashboard > Status > License Information widget displays your license statuses. EMS supports multiple licenses, including separate licenses for Telemetry and endpoint protection and management, for FortiClient Cloud Sandbox integration, and for Chromebook endpoint management. Each license's status can change. The options are:
Unlicensed: If you just installed FortiClient EMS, EMS is unlicensed by default. Log in to your FortiCloud account or upload a license file to update the license status.
Non-expired license: You can upgrade the license on your FortiCloud account.
Expired license: You can renew the license on your FortiCloud account. You have ten days after the license expiry date to renew the license. During this grace period, the License Information widget displays the expiry date, which has already passed, and FortiClient EMS functions as if the license has not expired. FortiClient EMS also displays a daily notification that the license has expired and that you are currently using FortiClient EMS as part of the ten day grace period. After ten days, FortiClient EMS reverts to unlicensed mode for that license.
After applying a trial license to EMS, you can purchase a license and register the EMS installation on your FortiCloud account as described in To apply a paid license to FortiClient EMS on page 42, then click Sync License Now in Dashboard > Status > License Information widget > Configure License to apply a paid license to EMS.
Help with licensing
For licensing issues with FortiClient EMS, contact the licensing team at Fortinet Technical Assistance Center (TAC):
• Phone: +1-866-648-4638
• Technical support: support.fortinet.com/
Specifying different ports
In cases where there are pre-existing services running on default FortiClient EMS ports, you can specify another port using the CLI to run the installer. You can use the following commands:
ClientDownloadPort: Download FortiClient from FortiClient EMS
RemoteManagementPort: EMS administration
Upgrading Microsoft SQL Server Express to Microsoft SQL Server Standard or Enterprise
The FortiClient EMS installation also installs Microsoft SQL Server Express, which has a file size limit of 10 GB per database. Log entries recorded in the database are rotated on a schedule of seven days (one week) by default. If the FortiClient deployment is large, the database size may reach the 10 GB limit over time. The FortiClient EMS administrator may upgrade the default SQL Server installation from Express to Standard or Enterprise edition. The database file size limit for these editions is in the PB range, which is unlimited for most practical usage. When managing more than 5000 endpoints, installing SQL Server Standard or Enterprise instead of SQL Server Express is recommended.
Microsoft SQL Server Express is free. All other editions require a license from Microsoft.
See the following Microsoft documentation on upgrading between editions called Upgrade to a Different Edition of SQL Server (Setup).
The EMS database is saved in the C:\Program Files\Microsoft SQL Server\MSSQL12.FCEMS\MSSQL\DATA\FCM_root.mdf file on the EMS host server. This file's size should remain below the 10 GB limit for Microsoft SQL Server Express.
Upgrading a database edition outside normal production hours is recommended.
The minimum SQL Server version that FortiClient EMS supports is 2017.
To upgrade SQL Server Express to Standard or Enterprise:
1. Attach the SQL Server 2017 installation media to the FortiClient EMS server. The installation media is a DVD or ISO file. If using the DVD, insert the DVD into the EMS host computer (host server). If your host server is a virtual machine, use the ISO file.
2. Run the SQL Server setup application wizard.
3. In the SQL Server Installation Center wizard, go to Installation > Upgrade from a previous version of SQL Server.
4. Enter the product key.
5. Accept the license terms, then click Next.
6. Under Select Instance, in the Specify the instance of SQL Server dropdown list, select FCEMS. Then, click Next.
7. Under Ready to upgrade edition, click Upgrade.
8. After the upgrade is complete, click Finish.
To test the SQL server upgrade:
Running a short test on FortiClient EMS after the upgrade to verify proper operations is recommended. A simple test may be to:
1. Connect FortiClient on one or two test endpoints to FortiClient EMS.
2. Create a new custom group in FortiClient EMS and add the test endpoints to it.
3. Create a new endpoint profile.
4. Create a new endpoint policy that is configured with the newly created profile. Assign the policy to the new custom group.
5. Check that FortiClient on the test endpoints received the new profile.
Monitor the system closely over the first few days for any unusual behavior.
Uninstalling FortiClient EMS
Use the Programs and Features pane of the Microsoft Windows Control Panel to uninstall FortiClient EMS.
FortiClient EMS installs the following dependencies. If other applications on the same computer are not using them, you can uninstall them manually after removing FortiClient EMS.
• Browser for SQL Server 2017
• Microsoft ODBC Driver 13 for SQL Server
• Microsoft SQL Server 2012 Native Client
• Microsoft SQL Server 2017 (64-bit)
• Microsoft SQL Server 2017 Setup (English)
• Microsoft SQL Server 2017 T-SQL Language Service
• Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325.0
• Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325.0
• Microsoft VSS Writer for SQL Server 2017
To uninstall EMS:
1. Select Start > Control Panel > Programs > Uninstall a program.
2. Select FortiClient Endpoint Management Server, and click Uninstall.
3. Follow the uninstallation wizard prompts.
Installation and setup for managing Chromebooks
The following sections only apply if you plan to use FortiClient EMS to manage Chromebooks:
Google Admin Console setup
This section describes how to add and configure the FortiClient Web Filter extension on Chromebooks enrolled in the Google domain. Following is a summary of how to set up the Google Admin console:
1. Log into the Google Admin console. See Logging into the Google Admin console on page 51.
2. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 51.
3. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 52.
4. Add the root certificate. See Adding root certificates on page 53.
If you are using another Chromebook extension that uses external rendering servers, the FortiClient Web Filter settings may be bypassed. Check with the third-party extension vendor if this is the case.
Logging into the Google Admin console
Log into the Google Admin console using your Google domain admin account. The Admin console displays.
Adding the FortiClient Web Filter extension
FortiClient EMS software is not available for public use. You can only enable the feature using the following extension ID: igbgpehnbmhgdgjbhkkpedommgmfbeao
1. In the Google Admin console, go to Devices > Chrome Management > Settings > User & browser settings > Managed Guest Session Settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
3. Under Apps and Extensions, beside Force-installed Apps and Extensions, click Manage force-installed apps.
4. Select Chrome Web Store, and search for the following extension ID: igbgpehnbmhgdgjbhkkpedommgmfbeao.
5. Click Add. The extension displays under Total to force install: 1. Click SAVE.
Configuring the FortiClient Web Filter extension
You must configure the FortiClient Chromebook Web Filter extension to enable the Google Admin console to communicate with FortiClient EMS. FortiClient EMS hosts the services that assign endpoint profiles of web filtering policies to groups in the Google domain. FortiClient EMS also handles the logs and web access statistics that the FortiClient Web Filter extensions send.
FortiClient EMS is the profile server.
To configure the FortiClient Web Filter extension:
1. In FortiClient EMS, locate the server name and port by going to System Settings > EMS Settings.
2. Create a text file that contains the following text:
    {
        "ProfileServerUrl": { "Value": "https://<ProfileServer>:<port for Profile Server>" }
    }
   For example:
    {
        "ProfileServerUrl": { "Value": "https://ems.mydomain.com:8443" }
    }
3. In the Google Admin console, go to Devices > Chrome management > User & browser settings.
4. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
5. Under Apps and Extensions, click the apps & extensions page link.
6. Click a domain or organizational unit (OU).
7. In the right pane, under Policy for extensions, paste the JSON content from step 2.
8. Click Save.
9. Go to Devices > Chrome management > Apps & extensions to view your configured Chrome apps.
Adding root certificates
Communication with the FortiClient Chromebook Web Filter extension
The FortiClient Chromebook Web Filter extension communicates with FortiClient EMS using HTTPS connections. The HTTPS connections require an SSL certificate. You must obtain an SSL certificate and add it to FortiClient EMS to allow the extension to trust FortiClient EMS. If you use a public SSL certificate, you only need to add the public SSL certificate to FortiClient EMS. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints on page 248. However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiClient EMS and push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient Chromebook Web Filter extension and FortiClient EMS does not work. See Uploading root certificates to the Google Admin console on page 55.
Communication with FortiAnalyzer for logging
This section applies only if you are sending logs from FortiClient to FortiAnalyzer. If you are not sending logs, skip this section.
Sending logs to FortiAnalyzer requires that you enable ADOMs in FortiAnalyzer and add FortiClient EMS to FortiAnalyzer. FortiClient EMS is added as a device to the FortiClient ADOM in FortiAnalyzer. See the FortiAnalyzer Administration Guide.
FortiClient supports logging to FortiAnalyzer. If you have a FortiAnalyzer and configure FortiClient to send logs to it, a FortiAnalyzer CLI command must be enabled and an SSL certificate is required to support communication between the FortiClient Web Filter extension and FortiAnalyzer. If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer. See Adding an SSL certificate to FortiAnalyzer. However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiAnalyzer and push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient Chromebook Web Filter extension and FortiAnalyzer does not work. See Uploading root certificates to the Google Admin console on page 55.
The FortiAnalyzer IP address should be specified in the SSL certificate. If you are using a public SSL certificate, the FortiAnalyzer IP address can be assigned to the Common Name or a Subject Alternative Name. If you are using a self-signed (nonpublic) SSL certificate, your certificate's Subject Alternative Name must include IP:<FortiAnalyzer IP>.
You must use the FortiAnalyzer CLI to add https-logging to the allowaccess list of the FortiAnalyzer interface. This command is one step in the process that allows FortiAnalyzer to receive logs from FortiClient.
In the FortiAnalyzer CLI, enter the following commands:
config system interface
    edit "port1"
        set allowaccess https ssh https-logging
    next
end
Adding an SSL certificate to FortiAnalyzer
To add an SSL certificate to FortiAnalyzer:
1. In FortiAnalyzer, go to System Settings > Certificates > Local Certificates.
2. Click Import. The Import Local Certificate dialog appears.
3. In the Type list, select Certificate or PKCS #12 Certificate.
4. Beside Certificate File, click Browse to select the certificate.
5. Enter the password and certificate name.
6. Click OK.
Selecting a certificate for HTTPS connections
To select a certificate for HTTPS connections:
1. In FortiAnalyzer, go to System Settings > Admin > Admin Settings.
2. From the HTTPS & Web Service Certificate dropdown list, select the certificate to use for HTTPS connections, and click Apply.
Summary of where to add certificates
The following table summarizes where to add certificates to support communication with the FortiClient Web Filter extension and FortiAnalyzer.
Scenario: Allow the FortiClient Chromebook Web Filter extension to trust EMS
- Public SSL certificate: Add the SSL certificate to FortiClient EMS.
- SSL certificate not from a common CA: Add the SSL certificate to FortiClient EMS, and add your certificate's root CA to the Google Admin console.
Scenario: Allow the FortiClient Chromebook Web Filter extension to trust FortiAnalyzer for logging
- Public SSL certificate: Add the SSL certificate to FortiAnalyzer.
- SSL certificate not from a common CA: Add the SSL certificate to FortiAnalyzer, and add your certificate's root CA to the Google Admin console.
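The following PowerShell function is an added example, not code from this guide or from Fortinet. It performs the pre-flight check that the certificate requirements above imply before you point the extension at a server: it connects to the HTTPS port of EMS or FortiAnalyzer, captures the certificate the server presents, confirms that the Subject Alternative Name contains the exact address the extension will use (for a self-signed certificate, the IP:<FortiAnalyzer IP> entry), and reports whether the certificate chains to a CA the checking host trusts. The address 192.0.2.10 and port 443 in the usage line are placeholders, not values from this guide.

```powershell
# Added example, not part of the FortiClient EMS guide or Fortinet's own tooling.
# Run from a Windows host that can reach the HTTPS port of EMS or FortiAnalyzer.
# The address and port in the usage line are placeholders.
function Test-FortiServerCertificate {
    param(
        # The exact address the Chromebook extension will use (IP or DNS name).
        # For a self-signed certificate this must be present in the SAN as IP:<addr>.
        [Parameter(Mandatory)] [string] $TargetHost,
        [Parameter(Mandatory)] [int]    $Port
    )

    # Capture the certificate the server presents. The callback accepts anything
    # so that an untrusted certificate can still be inspected; the trust decision
    # is made explicitly further down with X509Chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally {
        $tcp.Dispose()
    }

    # Subject Alternative Name is extension OID 2.5.29.17. On Windows, Format($true)
    # renders one entry per line, e.g. "IP Address=192.0.2.10" or "DNS Name=ems.example.com".
    $sanExt    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText   = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $sanIps    = @([regex]::Matches($sanText, 'IP Address=([0-9A-Fa-f.:]+)') | ForEach-Object { $_.Groups[1].Value })
    $sanNames  = @([regex]::Matches($sanText, 'DNS Name=([^\s,]+)')          | ForEach-Object { $_.Groups[1].Value })
    $hostInSan = ($sanIps -contains $TargetHost) -or ($sanNames -contains $TargetHost)

    # Chain building uses this machine's trust store. A certificate not from a
    # common CA only passes here once its root CA is installed locally; the
    # Chromebooks receive that root separately through the Google Admin console.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk     = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SanIPs       = $sanIps
        SanDnsNames  = $sanNames
        HostInSan    = $hostInSan
        ChainTrusted = $chainOk
        ChainStatus  = $chainStatus
        # All three must hold or the extension's HTTPS connection will fail.
        Ready        = $hostInSan -and $chainOk -and ($cert.NotAfter -gt (Get-Date))
    }
}

# Usage (placeholder address and port, not values from this guide):
# Test-FortiServerCertificate -TargetHost 192.0.2.10 -Port 443
```

ChainTrusted reflects the trust store of the host running the check, not of the Chromebooks. For a certificate not from a common CA, expect it to be false until the root CA is installed locally, and remember that the Chromebooks only trust that root once it has been uploaded in the Google Admin console as described in Uploading root certificates to the Google Admin console. HostInSan is the check that most often fails in practice: the entry must match the address in the extension's ProfileServerUrl or the FortiAnalyzer IP exactly, including the IP-versus-hostname distinction.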
Uploading root certificates to the Google Admin console
1. In the Google Admin console, go to Device Management > Network > Certificates (root certificate) (crt certificate).
2. Add the root certificate.
3. Select the Use this certificate as an HTTPS certificate authority checkbox.
Do not forget to select the Use this certificate as an HTTPS certificate authority checkbox.
Disabling access to Chrome developer tools
Disabling access to Chrome developer tools is recommended. This blocks users from disabling the FortiClient Web Filter extension.
To disable access to Chrome developer tools:
1. In the Google Admin console, go to Devices > Chrome Management > User & browser settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
3. For the Developer Tools option, select Never allow use of built-in developer tools.
Disallowing incognito mode
When users browse in incognito mode, Chrome bypasses extensions. You should disallow incognito mode for managed Google domains.
To disallow incognito mode:
1. In the Google Admin console, go to Devices > Chrome management > User & browser settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
3. Under Security, set Incognito mode to Disallow incognito mode.
4. Click Save.
Disabling guest mode
You should disallow guest mode for managed Google domains.
To disallow guest mode:
1. In the Google Admin console, go to Devices > Chrome management > Device settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
3. Under Sign-in settings, for Guest mode, select Disable guest mode.
4. Click Save.
Blocking the Chrome task manager
You should block users from ending processes with the Chrome task manager for managed Google domains.
To block the Chrome task manager:
1. In the Google Admin console, go to Devices > Chrome Management > User & browser settings > Apps and extensions.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and browsers, select the top-level organization. Otherwise, select a child.
3. Under Task manager, select Block users from ending processes with the Chrome task manager from the dropdown list.
4. Click Save.
Verifying the FortiClient Web Filter extension
After you add the Google domain to FortiClient EMS, the Google Admin console automatically pushes the FortiClient Web Filter extension to the Chromebooks when users log into the Google domain. You can verify that the feature has become available on the Chromebooks:
1. Open the Google Chrome browser.
2. Enter the following in the address bar: chrome://extensions
3. Visit any gambling site, such as https://www.777.com, and confirm the site is blocked.
Service account credentials
FortiClient EMS requires service account credentials that the Google Developer console generates. You can use the default service account credentials provided with FortiClient EMS or generate and use unique service account credentials, which is more secure.
The service account credentials must be the same in FortiClient EMS and the Google Admin console.
Configuring default service account credentials
FortiClient EMS includes the following default service account credentials that the Google Developer console generates:
Option: Client ID
  Default setting: 102515977741391213738
  Where used: Google Admin console
Option: Email address
  Default setting: account1@forticlientwebfilter.iam.gserviceaccount.com
  Where used: FortiClient EMS
Option: Service account certificate
  Default setting: A certificate in .pem format for the service account credentials
  Where used: FortiClient EMS
The service account credentials are a set. If you change one credential, you must change the other two credentials.
To configure the default service account credentials, you must add the client ID's default value to the Google Admin console. Service account credentials do not require other configuration. See Adding service account credentials to the Google Admin console on page 62.
Configuring unique service account credentials
When using unique service account credentials for improved security, you must complete the following steps to add the unique service account credentials to the Google Admin console and FortiClient EMS:
1. Create unique service account credentials using the Google Developer console. See Creating unique service account credentials on page 58.
2. Add the unique service account credentials to the Google Admin console. See Adding service account credentials to the Google Admin console on page 62.
3. Add the unique service account credentials to FortiClient EMS. See Adding service account credentials to EMS on page 63.
Creating unique service account credentials
Creating a unique set of service account credentials provides more security. Unique service account credentials include the following:
- Client ID (a long number)
- Service account ID (email address)
- Service account certificate (a certificate in .pem format)
1. Go to Google API Console.
2. Log in with your Google Workspace account credentials.
3. Create a new project:
   a. Click the toolbar list. The browser displays the following dialog.
   b. Select your organization, if you see an organization dropdown list.
   c. Click the + button.
   d. In the Project name field, enter your project name, then click Create.
4. Enable the Admin SDK:
   a. Select your project from the toolbar list, then go to the Library tab.
   b. Under Google Workspace APIs, click Admin SDK.
   c. Click ENABLE.
5. Create a service account:
   a. Go to the Credentials tab and select Create Credentials > Service account key.
   b. From the Service account list, select New Service Account. Enter a service account name.
   c. From the Role list, select Project > Viewer.
   d. Select P12 as the Key type and click Create.
   After you create the service account, a private key with the P12 extension is saved on your computer. The private key with the P12 extension is the only copy you receive. Keep it in a safe place. You should also remember the password prompted on the screen. At this time, that password should be notasecret.
6. Go to the Credentials page > Manage service accounts.
7. Edit the service account you just created and select the Enable Google Apps Domain-Wide Delegation checkbox. Enter a Product name for the consent screen if this field appears.
8. Click Save.
9. Click View Client ID to see your service account information. Record the client ID, service account, and the associated private key (downloaded in step 5d).
To use the private key in EMS, it must be converted to .pem format. You can use the following openssl command to convert it. Remember to use the notasecret password when prompted:
C:\OpenSSL-Win64\bin>openssl pkcs12 -in demo-976b9d6e9328.p12 -out serviceAccount-demo.pem -nodes -nocerts
Enter Import Password:
Adding service account credentials to the Google Admin console
This section describes how to add the client ID from the service account credentials to the Google Admin console. These settings allow Google to trust FortiClient EMS, which enables FortiClient EMS to retrieve information from the Google domain.
1. In the Google Admin console, go to Security > Advanced settings > Manage API client access. You may need to click show more to see Advanced settings.
2. Set the following options:
   a. For the Client Name option, add the client ID from the service account credentials.
   b. For the API Scopes option, add the following string:
   https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
   The API scopes are case-sensitive and must be lowercase. You may need to copy the string into a text editor and remove spaces created by words wrapping to the second line in the PDF.
3. Click Authorize.
Adding service account credentials to EMS
This section describes how to add the service account ID and service account certificate from the service account credentials to FortiClient EMS.
1. In FortiClient EMS, go to System Settings > EMS Settings.
2. Enable EMS for Chromebooks Settings. The default service account credentials display. Overwrite the default settings with the unique set of service account credentials received from Fortinet.
3. The Service account field shows the configured email address provided for the service account credentials. Click the Update service account button and configure the following information:
   Service Account Email: Enter a new email address for the service account credentials.
   Private key: Click Browse and select the certificate provided with the service account credentials.
4. Click Save.
5. Update the client ID in the Google Admin console.
The service account credentials are a set. If you change one credential, you must change the other two credentials.
Verifying ports and services and connection between EMS and FortiClient
Ports and services
On the EMS server, run the following command at a Command Prompt to verify that the services are bound to a port:
netstat -ano | find "<port number>"
- a: displays all connections and listening ports
- n: displays addresses and port numbers in numerical form
- o: displays the process ID (PID) associated with each connection
The following shows that Windows is listening on port TCP/8013 on a particular interface, 192.168.1.200 in this case. The PID is 2732.
You can confirm the process by finding that PID on the Task Manager Details tab.
If you want to deploy FortiClient to your domain-joined endpoints and have followed the Preparing the AD server for deployment on page 114 instructions, you can use the same steps to verify the ports for SMB and RPC. See the FortiClient Administration Guide.
Connectivity between EMS and FortiClient
In addition to the services running correctly, there must be connectivity between EMS and the endpoint. This section defines connectivity as a route and traffic on a given port. You can use Command Prompt and the built-in Telnet client to verify this. Ensure that Telnet is enabled on your device by going to Control Panel > Turn Windows features on or off and ensuring that the Telnet Client checkbox is selected. In this example, 192.168.1.200 is the endpoint IP address, and 445 is the port that is being checked:
telnet 192.168.1.200 445
If the command is successful, Command Prompt returns _. Since the service on 445 is not Telnet, this is the expected result.
If the command is unsuccessful, Command Prompt returns a warning that the connection could not be opened.
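The following PowerShell functions are an added example, not code from this guide or from Fortinet. They cover the same two checks with cmdlets instead of netstat, Task Manager, and the Telnet client (which is not installed by default): Get-NetTCPConnection resolves the listening socket on a port to its owning process in one step, and Test-NetConnection reports whether a TCP connection to the endpoint's port opens. The addresses and ports in the usage lines (192.168.1.200, 8013, 445) are the ones this section uses.

```powershell
# Added example, not part of the FortiClient EMS guide. Uses the NetTCPIP module
# that ships with Windows 8 / Windows Server 2012 and later.

# Which process owns the listener on a given TCP port. Equivalent to the
# netstat -ano plus Task Manager lookup above; returns nothing when no process
# is listening on the port.
function Get-PortListener {
    param([Parameter(Mandatory)] [int] $Port)

    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress   # 0.0.0.0 or :: means all interfaces
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path        # requires an elevated session for services
            }
        }
}

# Whether a TCP connection to the endpoint's port opens. Equivalent to the
# telnet test above: a successful connect proves route and open port, not that
# the expected service is the one answering.
function Test-EndpointPort {
    param(
        [Parameter(Mandatory)] [string] $Endpoint,
        [Parameter(Mandatory)] [int]    $Port
    )

    $r = Test-NetConnection -ComputerName $Endpoint -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint      = $Endpoint
        Port          = $Port
        RemoteAddress = $r.RemoteAddress
        PingOk        = $r.PingSucceeded    # false when ICMP is filtered; TcpOpen is the result that matters
        TcpOpen       = $r.TcpTestSucceeded
    }
}

# Usage, with the addresses and ports from this section:
# Get-PortListener -Port 8013
# Test-EndpointPort -Endpoint 192.168.1.200 -Port 445
```

If Get-PortListener returns a listener on 127.0.0.1 rather than 0.0.0.0 or the server's interface address, endpoints cannot reach the service even though the port is bound; check the EMS listen address in System Settings > EMS Settings. A TcpOpen of false with PingOk true usually points at a host or network firewall rather than a routing problem.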
GUI
The FortiClient EMS GUI consists of the following areas:
Banner
Download icon: Displays if a new version of FortiClient EMS is available on FDS.
Invitations: You can configure invitation codes that endpoint users can use to connect to EMS. See
Multitenancy site: If multitenancy is enabled and you are logged into an account that can access multiple sites, you can go to another site by selecting it from a dropdown list. If you are logged in to the global site, you can also configure sites. See Multitenancy on page 261.
Help icon: Provides access to links to the FortiClient EMS Release Notes and other resources.
  Getting Started
  Technical Documentation: Link to the FortiClient EMS documentation.
  How-To Videos: Link to the Fortinet Video Library.
  Forums: Link to the Fortinet Customer Service and Support forum.
  Product Videos: Links to the following FortiClient EMS videos:
    - Introduction to FortiClient EMS: introductory video for FortiClient EMS, which gives an overview of features, modes, and system requirements for FortiClient EMS 1.0.
    - How to License FortiClient EMS: shows how to license or renew FortiClient EMS 1.0 with more endpoints.
    - Adding a Domain to FortiClient EMS: shows how to add an AD domain to FortiClient EMS.
  Create Support Package: Create a support package to provide to the Fortinet technical support team for troubleshooting.
FortiGuard: View the list of engine and signature versions for this version of FortiClient EMS.
Bell icon: Click the bell icon to display all alert logs.
<Logged in username>: Click the dropdown list beside the <logged in username> to do one of the following:
  - Change the password for this user. Enter a new password that complies with the displayed rules.
  - Log out of FortiClient EMS.
Left pane
Selecting an item in the left navigation pane displays its content in the right pane. The following describes the left pane when multitenancy is disabled. For descriptions of the left pane with multitenancy enabled, see Left pane with multitenancy enabled on page 264.
Dashboard
  Status: Displays a dashboard of information about all managed endpoints.
  Vulnerability Scan: Displays the Current Vulnerabilities Summary chart that provides a centralized vulnerability summary for all managed endpoints. You can observe high-risk hosts and critical vulnerabilities existing on endpoints. You can also access links on how to fix or repair the vulnerabilities.
  Chromebook Status: Displays a dashboard of information about all managed Chromebooks. Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Endpoints
  All Endpoints: Manage all endpoints.
  Manage Domains: Add and manage AD domains.
  Domains: Manage endpoints from AD domains. You can also add an AD domain if none exist.
  Workgroups: Manage endpoints from workgroups.
  Group Assignment Rules: Configure rules to automatically place endpoints into custom groups based on their installer ID, IP address, or OS.
Google Domains: Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
  All Users: Manage users from all Google domains.
  Manage Domains: Add and manage Google domains.
  Domains: Manage users from specific Google domains. You can also add a Google domain if none exist.
Deployment & Installers
  Manage Deployment: Create deployment configurations to deploy FortiClient to endpoints.
  FortiClient Installers: Add and manage FortiClient deployment packages.
Endpoint Policy & Components
  Manage Policies: Create endpoint policies and manage policy updates for Windows, macOS, and Linux endpoints.
  CA Certificates: Upload and import CA certificates into FortiClient EMS.
  On-fabric Detection Rules: Configure on-fabric detection rules for endpoints.
  Chromebook Policy: Create endpoint policies and manage policy updates for Chromebook endpoints. Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Endpoint Profiles
  Manage Profiles: Create profiles and manage profile updates for all profiles.
  Import from FortiGate/FortiManager: Import Web Filter profiles from FortiOS or FortiManager.
Zero Trust Tags
  Zero Trust Tagging Rules: Define Zero Trust tagging rules.
  Zero Trust Tag Monitor: View tagged endpoints.
  Fabric Device Monitor: View all FortiGates connected to EMS for Zero Trust tagging and the list of tags that are shared with each FortiGate.
Software Inventory
  Applications: View applications installed on endpoints. Display applications by application or application vendor name.
  Hosts: View applications installed on endpoints, sorted by endpoint.
Quarantine Management
  Files: View and allowlist files on endpoints that Sandbox or AV has quarantined.
  Allowlist: View and delete allowlisted files from the Allowlist pane.
Administration
  Administrators: Add and manage FortiClient EMS administrators.
  Admin Roles: Add and manage FortiClient EMS admin roles and permissions.
  User Settings: Configure the inactivity timeout and other user settings.
  Fabric Devices: View Fabric devices connected to EMS.
  SAML SSO: Configure SAML SSO authentication.
  Configure License: Upgrade or renew the FortiClient EMS license.
  Log Viewer: View log messages generated by FortiClient EMS and download raw logs.
System Settings
  EMS Settings: Change the IP address and port and configure other EMS settings for FortiClient EMS, including enabling Chromebook management.
  Log Settings: Specify what level of log messages to capture in FortiClient EMS logs and when to automatically delete logs and alerts.
  FortiGuard Services: Configure the FortiGuard server location. Configure FortiManager to use for client software/signature updates and configure FortiCloud settings.
  EMS Alerts: Enable alerts for FortiClient EMS events.
  Endpoint Alerts: Enable alerts for endpoint events.
  SMTP Server: Set up an SMTP server to enable email alerts.
  Custom Messages: Customize the message that displays on an endpoint when it has been quarantined by FortiClient EMS.
  Feature Select: Choose which features to show and hide in EMS.
Content pane
The right pane displays the user interface controls that correspond to the selection made in the left pane. The status and menu icons in the top right of the pane provide the controls for configuring additional settings for user management and for each individual endpoint.
Dashboard
You can use the Dashboard to view summary information about the system and endpoints. You can view summary information about vulnerability scans on endpoints.
Viewing the Status
To view the Status:
1. In the left pane, click Dashboard > Status. A System Information widget and charts and widgets of summary information display. See System Information widget on page 69 and Status charts and widgets on page 71.
2. For most Status widgets, clicking a donut chart section leads to the Endpoints pane. The Endpoints pane displays with more details about the endpoints that belong to the selected donut chart section. See Viewing the Endpoints pane on page 88.
3. Click a section of the Endpoint Alerts widget. The Endpoint Event Summary displays with more details about the endpoints that belong to that chart section. The endpoint details that display on this page depend on the endpoint alert type. In the example, the selected alert was that the AV signature on the endpoint is out-of-date. Therefore, Endpoint Event Summary displays the current installed AV signature version and the latest available AV signature version that you can upgrade the endpoint to.
System Information widget
The following information displays in the System Information widget when multitenancy is disabled. If multitenancy is enabled, this information displays in the global site System Information widget. See Global and per-site configuration on page 262.
Hostname: Name of the computer where you installed FortiClient EMS.
Version: Version number for FortiClient EMS. Also displays the build number. If the current build is an interim build, also displays (Interim) beside the build number.
Database: Options to back up and restore the database. See To back up the database: on page 70 and To restore the database: on page 70.
System Time: Time and date that the computer where you installed FortiClient EMS uses.
Uptime: Number of days, hours, minutes, and seconds FortiClient EMS has been running.
EMS cannot create or restore database backups when using a remote SQL database server.
To back up the database:
1. Go to Dashboard > Status.
2. Beside Database, click Backup.
3. Set the following options:
   Password: Enter a password for backing up and restoring the database.
   Confirm password: Reenter the password to confirm it.
4. Click Back up. FortiClient EMS backs up the database.
To restore the database:
1. Go to Dashboard > Status.
2. Beside Database, click Restore.
3. Click Browse.
4. Locate the database backup file, and click Open.
5. In the Password field, enter the password used to back up the database.
6. Click Restore. When the database is restored, a message appears. The message instructs you to wait for the restored database to reload.
7. Wait for the restored database to be reloaded.
License Information widget
The following information displays in the License Information widget:
Serial Number: Serial number for FortiClient EMS.
FortiCloud Account: FortiCloud account that this EMS server is registered to. If EMS is not registered to a FortiCloud account, you can log into an existing FortiCloud account or create a new FortiCloud account from this widget.
Zero Trust Security: ZTNA license status. You can use this license for managing Windows, macOS, Linux, iOS, Android, and Chromebook endpoints. When licensed, displays the number of licenses used out of the total number of available licenses and the expiry date.
Next-Generation Endpoint Security: EPP license status. You can use this license for managing Windows, macOS, Linux, iOS, Android, and Chromebook endpoints. This license includes all features in the ZTNA license as well as more advanced features. When licensed, displays the number of licenses used out of the total number of available licenses and the expiry date.
Chromebook: Status of the Chromebook license for FortiClient EMS. You can use this license for managing Chromebook endpoints. When licensed, displays the number of licenses used out of the total number of available licenses and the expiry date.
If you have just installed EMS, click Add beside FortiCloud Account to license by logging in to your FortiCloud account. See License status on page 47.
For details on the features included with each license type, see Windows, macOS, and Linux endpoint licenses on page 22.
Status charts and widgets
Status displays a number of pie charts. Each pie chart provides a summary of endpoint information. The sections in each chart are links. You can click any section of the pie charts or any row in the table to display more details.
Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select on page 257.
Option
Description
Endpoint Charts
FortiClient EMS 7.0.1 Administration Guide
71
Fortinet Technologies Inc.
Dashboard
Option
Description
Endpoint Activity
Shows a summary of endpoint activity information. Categories are: l EMS On-fabric l EMS Off-fabric
Endpoint Alerts Shows the number of endpoints with alerts, including pending software updates, out-of-date protection, and out-of-sync profiles.
Endpoint Connection
Shows the number of endpoints that are: l Online l Offline for less than one hour l Offline l Offline for 30 days or more
Managed Mac FortiClient Versions
This chart indicates the percentage of macOS endpoints with each version of FortiClient installed.
Sorting by version lists FortiClient versions from most recent to least recent. For example, FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed first.
Managed Windows FortiClient Versions
This chart indicates the percentage of Windows endpoints with each version of FortiClient installed. You can sort the data by version or count.
Sorting by version lists FortiClient versions from most recent to least recent. For example, FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed first.
Managed Linux FortiClient Versions
This chart indicates the percentage of Linux endpoints with each version of FortiClient installed. You can sort the data by version or count.
Endpoint Management
This chart indicates how many endpoints are disconnected and connected.
Mac Operating Systems
This chart indicates the number of endpoints running each version of the macOS operating system. You can sort the data by version or count.
Sorting by version lists macOS versions from most recent to least recent. For example, macOS 10.13 High Sierra is listed first, then macOS 10.12 Sierra, OS X 10.11 El Capitan, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with macOS 10.12 Sierra installed and 40 endpoints with macOS 10.13 High Sierra installed, macOS 10.12 Sierra is listed first.
Windows Operating Systems
This chart indicates the number of endpoints running each version of the Windows operating system. You can sort the data by version or count.
FortiClient EMS 7.0.1 Administration Guide
72
Fortinet Technologies Inc.
Dashboard
Option
Description
Sorting by version lists Windows versions from most recent to least recent. For example, Windows 10 is listed first, then Windows 8, Windows 7, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Windows 7 installed and 40 endpoints with Windows 10 installed, Windows 7 is listed first.
Linux Operating Systems
This chart indicates the number of endpoints running each version of the Linux operating system. You can sort the data by version or count.
Sorting by version lists Linux versions from most recent to least recent. For example, Ubuntu 18.10 is listed first, then Ubuntu 17.10, Ubuntu 16.04, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Ubuntu 16.04 installed and 40 endpoints with Ubuntu 18.10 installed, Ubuntu 16.04 is listed first.
iPhone Operating Systems
This chart indicates the number of endpoints running each version of the iOS operating system. You can sort the data by version or count.
Sorting by version lists iOS versions from most recent to least recent. For example, iOS 15 is listed first, then iOS 14, iOS 13, and so on.
Sorting by count lists iOS versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with iOS 9 installed and 40 endpoints with iOS 10 installed, iOS 9 is listed first.
Android Operating Systems
This chart indicates the number of endpoints running each version of the Android operating system. You can sort the data by version or count.
Sorting by version lists Android versions from most recent to least recent. For example, Android 12 is listed first, then Android 11, Android 10, and so on.
Sorting by count lists Android versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Android 10 installed and 40 endpoints with Android 11 installed, Android 10 is listed first.
FortiGuard Outbreak Alerts Service
This chart displays endpoints that are considered suspicious or compromised according to the outbreak alert rules that FortiClient EMS has received from FortiGuard. The chart displays the number of endpoints that are vulnerable to each outbreak. See FortiGuard Outbreak Alerts on page 220.
You can drill down by clicking the outbreak bar. From here, you can quarantine the endpoint if desired.
Top 3 Lists
Antivirus Detection
This chart indicates the top three endpoints with AV alerts, including the number of AV alerts for each endpoint.
Sandbox Detection
This chart indicates the top three endpoints with FortiSandbox alerts, including the number of FortiSandbox alerts for each endpoint.
Vulnerability Detection
This chart indicates the top three endpoints with vulnerability alerts, including the number of vulnerabilities detected for each endpoint.
Web Filter Detection
This chart indicates the top three endpoints with web filter alerts, including the number of web filter alerts for each endpoint.
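The two sort orders described for the operating system charts above, as an added Python example that is not part of the guide or of EMS. The rows are constructed from the guide's macOS example; the version number is parsed out of the label, which is an assumption about how EMS labels versions.

```python
import re
from typing import List, Tuple

# Constructed sample rows (OS version label, endpoint count); not EMS data.
SAMPLE_MACOS: List[Tuple[str, int]] = [
    ("macOS 10.12 Sierra", 600),
    ("OS X 10.11 El Capitan", 25),
    ("macOS 10.13 High Sierra", 40),
    ("OS X 10.9 Mavericks", 3),
]


def version_key(label: str) -> Tuple[int, ...]:
    """Return the numeric version in a label such as 'macOS 10.13 High Sierra'
    as a tuple of integers. Comparing tuples puts 10.13 above 10.9; a plain
    string comparison would not, because '9' sorts after '1'."""
    match = re.search(r"\d+(?:\.\d+)*", label)
    if not match:
        return (-1,)  # labels without a version sink to the bottom
    return tuple(int(part) for part in match.group(0).split("."))


def sort_by_version(rows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Most recent version first, as the chart's sort-by-version option does."""
    return sorted(rows, key=lambda row: version_key(row[0]), reverse=True)


def sort_by_count(rows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Largest endpoint count first; ties are broken by the newer version."""
    return sorted(rows, key=lambda row: (row[1], version_key(row[0])), reverse=True)
```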
Viewing the Vulnerability Scan dashboard
Go to Dashboard > Vulnerability Scan. Here you can view a variety of charts and widgets containing a summary of vulnerability scan information from endpoints.
The Vulnerability Scan dashboard displays a number of charts. Each chart provides a summary of endpoint information. The sections in each chart are links. You can click sections of the charts or any row in the table to display more details.
Chart
Description
Current Vulnerabilities Summary
Displays the following summaries of current vulnerabilities:
- Total (total number of vulnerabilities)
- Operating System (number of operating system vulnerabilities)
- Browser (number of browser vulnerabilities)
- Microsoft Office (number of Microsoft Office vulnerabilities)
- Third Party App (number of third-party application vulnerabilities)
- Service (number of service vulnerabilities)
- User Config (number of user configuration vulnerabilities)
- Other (number of other vulnerabilities that do not fit any of the above categories)
When you click a vulnerability tile, the colored circles update to display the number of vulnerabilities that correspond to each severity level in the selected category.
Endpoint Scan Status
Displays the following summaries about endpoints:
- Vulnerable Endpoints
- Un-Scanned Endpoints
- Secured Endpoints
- Scanning Endpoints
Top 10 Vulnerable Endpoints With High Risk Vulnerabilities
Displays the top ten vulnerable endpoints and the number of vulnerabilities detected on those endpoints, with associated severity levels.
Top 10 Vulnerabilities
Displays the top ten vulnerabilities and the number of hosts where the vulnerabilities have been detected. Click the vulnerability name to see information about the vulnerability on FortiGuard.
Viewing current vulnerabilities
To view current vulnerabilities:
1. Go to Dashboard > Vulnerability Scan.
2. Under Current Vulnerabilities Summary, click a vulnerability tile.
3. When you click a vulnerability tile, the colored circles update to display the number of vulnerabilities that correspond to each severity level in the selected category. In this example, there are 22 total vulnerabilities, 20 of which are OS vulnerabilities. Click the Operating System tile.
The OS vulnerabilities are organized by severity:
- 0/20 are low risk (green circle)
- 4/20 are medium risk (yellow circle)
- 16/20 are high risk (orange circle)
- 0/20 are critical risk (red circle)
4. You can click any tile to display details for vulnerabilities of that type. In this example, click View 20 on the Operating System tile to display all OS vulnerabilities and details:
Patch All
Click this button to patch all vulnerabilities currently displayed on the content pane. The vulnerabilities are patched with the next Telemetry communication between FortiClient EMS and the endpoint.
Refresh
Click to refresh the list of vulnerabilities in the content pane.
Clear Filters
Click to clear all filters applied to the list of vulnerabilities.
Vulnerability Name
Name of the vulnerability.
FortiGuard ID
Displays the FortiGuard ID. Click the link to see information about the vulnerability on FortiGuard.
CVE ID
Displays the vulnerability ID as determined by the Common Vulnerabilities and Exposures (CVE) system. If available, you can click the link to see more information about the vulnerability. Depending on the vulnerability, there may be multiple CVE IDs listed.
Severity
Displays the severity of the vulnerability.
Affected Endpoints
Displays the number of endpoints that are affected by this vulnerability.
Patch Status
You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. If a patch is already scheduled for the vulnerability, this column displays Scheduled. If the vulnerability must be patched manually, this column displays Manual Patch. FortiClient may be unable to automatically patch the vulnerability due to one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation paths
- OS vulnerabilities: Windows Update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities that were selected to be automatically patched as Scheduled instead of Failed.
You can filter the list of vulnerabilities by any column by clicking the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
5. Return to Dashboard > Vulnerability Scan. You can also click a colored circle to view all vulnerabilities of the selected severity level. The following shows all medium severity third party application vulnerabilities:
Viewing the Endpoint Scan Status
To view the Endpoint Scan Status:
1. Go to Dashboard > Vulnerability Scan. On the Endpoint Scan Status chart, endpoints are organized by type:
- 11/21 are Secured (green section)
- 1/21 is Vulnerable (red section)
- 6/21 are Un-Scanned (yellow section)
- 3/21 are Scanning (grey section)
2. Click the Vulnerable section to view all vulnerabilities detected on vulnerable endpoints:
Patch All
Click this button to patch all vulnerabilities currently displayed on the content pane. The vulnerabilities are patched with the next Telemetry communication between FortiClient EMS and the endpoint.
Refresh
Click to refresh the list of vulnerabilities in the content pane.
Clear Filters
Click to clear all filters applied to the list of vulnerabilities.
Hostname
Hostname of the endpoint where the vulnerability was detected.
Username
User that is currently logged into the endpoint where the vulnerability was detected.
Vulnerability
Displays the number of vulnerabilities detected on the endpoint at each severity level. In this example, the endpoint has 11 critical vulnerabilities, 20 high risk vulnerabilities, and 5 medium risk vulnerabilities that can be patched using FortiClient. The same endpoint also has 2 critical vulnerabilities that must be manually patched.
Patch Status
You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. If a patch is already scheduled for the vulnerability, this column displays Scheduled. If the vulnerability must be patched manually, this column displays Manual Patch. FortiClient may be unable to automatically patch the vulnerability due to one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation paths
- OS vulnerabilities: Windows Update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities that were selected to be automatically patched as Scheduled instead of Failed.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
3. Click a hostname. You can view all vulnerabilities detected on that endpoint. You can filter the list of vulnerabilities in the same way that you can filter the list of vulnerable endpoints in step 2.
4. Go back, then click one of the sections under the Vulnerability column to view all vulnerabilities detected on the selected endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint. You can filter the list of vulnerabilities in the same way that you can filter the list of vulnerable endpoints in step 2.
Vulnerability
Name of the vulnerability.
Category
Category of the vulnerability.
Severity
Severity level of the vulnerability.
Patch Status
You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. If a patch is already scheduled for the vulnerability, this column displays Scheduled. If the vulnerability must be patched manually, this column displays Manual Patch.
Viewing the top 10 vulnerable endpoints with high risk vulnerabilities
To view the top 10 vulnerable endpoints with high risk vulnerabilities:
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerable Endpoints With High Risk Vulnerabilities chart displays vulnerabilities per endpoint in a segmented bar graph and organized by severity.
WIN-1F3BOCJBRAM has the following:
- 15 Critical Vulnerabilities (red bar)
- 17 High Risk Vulnerabilities (orange bar)
- 17 Medium Risk Vulnerabilities (yellow bar)
- 6 Low Risk Vulnerabilities (green bar)
2. Do one of the following:
a. Click the endpoint hostname. You can view a list of all vulnerabilities detected on that endpoint.
Vulnerability
Name of the vulnerability.
Category
Category of the vulnerability.
Severity
Severity level of the vulnerability.
Patch Status
You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. If a patch is already scheduled for the vulnerability, this column displays Scheduled. If the vulnerability must be patched manually, this column displays Manual Patch. FortiClient may be unable to automatically patch the vulnerability due to one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation paths
- OS vulnerabilities: Windows Update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities that were selected to be automatically patched as Scheduled instead of Failed.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
b. Click one of the sections of the vulnerability bar graph to view all vulnerabilities detected on the selected endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint. You can filter the list of vulnerabilities in the same way that you can filter the list of vulnerabilities in option a.
Viewing top ten vulnerabilities on endpoints
To view top ten vulnerabilities on endpoints:
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerabilities widget displays the type of vulnerability and how many hosts the vulnerability has been detected on.
2. Do one of the following:
a. Click the vulnerability name. You can view the vulnerability on FortiGuard.
b. Click the number of hosts that are affected by a vulnerability. You can view a list of endpoints where the vulnerability has been detected.
Refresh
Click to refresh the list of vulnerabilities in the content pane.
Clear Filters
Click to clear all filters applied to the list of vulnerabilities.
Hostname
Hostname of the endpoint where the vulnerability was detected.
Username
User that is currently logged into the endpoint where the vulnerability was detected.
Last Seen
Time of the last Telemetry communication between FortiClient EMS and the endpoint.
Scan Time
Time of the last Vulnerability Scan on the endpoint.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
Here, you can also click the hostname to view all detected vulnerabilities on that endpoint. You can filter the list of vulnerabilities in the same way that you can filter the list of endpoints above.
Vulnerability
Name of the vulnerability.
Category
Category of the vulnerability.
Severity
Severity level of the vulnerability.
Patch Status
You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. If a patch is already scheduled for the vulnerability, this column displays Scheduled. If the vulnerability must be patched manually, this column displays Manual Patch. FortiClient may be unable to automatically patch the vulnerability due to one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation paths
- OS vulnerabilities: Windows Update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities that were selected to be automatically patched as Scheduled instead of Failed.
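The Current Vulnerabilities Summary tallies and the Patch Status caveat that the Vulnerability Scan sections above repeat (a vulnerability can show Scheduled although its automatic patch cannot succeed), as an added Python example that is not part of the guide or of EMS. The record fields, the severity and category labels, and the sample rows are assumptions modelled on the columns described above; the rows are constructed to match the 22-vulnerability example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Category tiles and severity levels as named in the dashboard description.
CATEGORIES = ("Operating System", "Browser", "Microsoft Office",
              "Third Party App", "Service", "User Config", "Other")
SEVERITIES = ("Low", "Medium", "High", "Critical")


@dataclass
class Vulnerability:
    """One row of the vulnerability list. Field names are assumptions, not
    EMS's own schema."""
    name: str
    category: str
    severity: str
    patch_status: str                    # "Scheduled", "Manual Patch" or ""
    install_path_ok: bool = True         # third-party app: install path was found
    update_service_enabled: bool = True  # OS: Windows Update service not disabled


def current_vulnerabilities_summary(vulns: List[Vulnerability]) -> Dict[str, int]:
    """Per-category totals like the Current Vulnerabilities Summary tiles;
    unknown categories are counted under Other."""
    by_cat = Counter(v.category if v.category in CATEGORIES else "Other"
                     for v in vulns)
    summary = {"Total": len(vulns)}
    for cat in CATEGORIES:
        summary[cat] = by_cat.get(cat, 0)
    return summary


def severity_circles(vulns: List[Vulnerability], category: str) -> Dict[str, int]:
    """Severity breakdown of one category, like the colored circles shown
    after clicking that category's tile."""
    selected = [v for v in vulns if v.category == category]
    return {sev: sum(1 for v in selected if v.severity == sev) for sev in SEVERITIES}


def likely_stuck_scheduled(vulns: List[Vulnerability]) -> List[Tuple[str, str]]:
    """Vulnerabilities displayed as Scheduled whose automatic patch cannot
    succeed for one of the two reasons the guide lists. An administrator
    can treat these as Failed instead of waiting on the next Telemetry cycle."""
    stuck = []
    for v in vulns:
        if v.patch_status != "Scheduled":
            continue
        if v.category == "Third Party App" and not v.install_path_ok:
            stuck.append((v.name, "installation path missing or incorrect"))
        elif v.category == "Operating System" and not v.update_service_enabled:
            stuck.append((v.name, "Windows Update service is disabled"))
    return stuck


# Constructed sample: 22 vulnerabilities, 20 of them OS (4 medium, 16 high),
# mirroring the worked example above. Not data exported from EMS.
SAMPLE: List[Vulnerability] = (
    [Vulnerability(f"OS-MED-{i}", "Operating System", "Medium", "Scheduled",
                   update_service_enabled=False) for i in range(4)]
    + [Vulnerability(f"OS-HIGH-{i}", "Operating System", "High", "")
       for i in range(16)]
    + [Vulnerability("Browser-1", "Browser", "Critical", "Scheduled"),
       Vulnerability("App-1", "Third Party App", "Medium", "Scheduled",
                     install_path_ok=False)]
)
```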
Viewing Chromebook Status
Chromebook Status displays a number of charts. Each chart provides a summary of Chromebook information. The sections in each chart are links. You can click any chart section or table row to display details. Chromebook Status is only available if you enabled System Settings > EMS Settings > EMS for Chromebooks Settings.
Option
Description
User Charts
Active Users
Displays active and inactive users.
Managed Users
Displays managed and unmanaged users.
Webfilter Charts
Top 10 Violations by Category
Displays the top ten web filter violations by category in the past few days. You can configure the number of days. Go to System Settings > Logs.
Top 10 Violations by User
Displays the top web filter violations by user in the past few days. You can configure the number of days. Go to System Settings > Logs.
Most Searched Monitored Words
Displays the top terms that users have searched that you have configured Web Filter to monitor. See Web Filter on page 151.
Most Searched Blocked Words
Displays the top terms that users have searched that you have configured Web Filter to block. See Web Filter on page 151.
Others
System Information
See System Information widget on page 69.
License Information
See License Information widget on page 71.
Invitations
You can configure invitation codes to email to end users. After installing FortiClient, end users can enter the invitation codes to connect FortiClient to EMS.
To add an invitation code:
1. Go to Invitations in the upper right corner or in Endpoints > Invitations.
2. Select the desired invitation code. Click Edit.
3. Configure the invitation:
a. From the EMS Listen Address, select the desired address.
b. To send the code to a single recipient, select Individual. Otherwise, select Bulk.
Sending individual invitation codes is considered best practice, as it can limit any unexpected endpoints from connecting to FortiClient EMS.
c. Enable Send email notifications. You can only enable this option if you have configured SMTP settings. See Configuring SMTP Server settings on page 253.
d. In the Email recipients field, enter the email addresses of the desired end users.
e. If desired, enable Send SMS notifications.
f. Click the Create a new installer button to include an installer with the invitation. End users can use this installer to install FortiClient on their endpoint. See Adding a FortiClient deployment package on page 120.
g. If desired, enable Expiring.
h. In the Expiry date field, set the expiry date. Click Save.
End users receive an email or SMS notification as configured that includes the invitation code and installer. They can install FortiClient on their devices using the included installer, and enter the invitation code in the Register with Zero Trust Fabric field on the FortiClient Zero Trust Telemetry tab to connect to EMS if their FortiClient did not connect automatically to EMS after installation.
Endpoint management
FortiClient EMS needs to determine which devices to manage. For Windows, macOS, and Linux endpoints, device information can come from an AD server, Windows workgroup, or manual FortiClient connection. For Chromebooks, device information comes from the Google Admin console.
Windows, macOS, and Linux endpoints
Device information can come from an AD server, Windows workgroup, or manual FortiClient connection. You can create groups to organize endpoints.
Managing groups
You can create groups to organize endpoints. You can also rename and delete groups. The LDAP connection is read-only. These groups are local to EMS and are not seen in your Active Directory.
To create groups:
1. Go to Endpoints.
2. Right-click a domain or workgroup and select Create group. The Create group dialog displays.
3. In the Required field, enter a name for the group, and click Confirm.
To rename groups:
1. Go to Endpoints.
2. Right-click the group, and select Rename group. The Rename the group dialog displays.
3. In the Required field, enter the new name, and click Confirm.
To delete groups:
1. Go to Endpoints.
2. Right-click the group, and select Delete group. A confirmation dialog displays.
3. Click Yes.
Adding endpoints
You can add endpoints to EMS in one of the following ways:
Adding endpoints using an AD domain server
You can manually import endpoints from an AD server. You can import and synchronize information about computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying endpoints that are part of an AD domain server. The LDAP connection is read-only.
A video on how to add a domain is available in the Fortinet Video Library.
You can add the entire domain or an OU from the domain.
EMS does not support importing subdomains if you have already imported the parent domain into EMS.
To add endpoints using an AD domain server:
1. Go to Endpoints > Manage Domains > Add. The Domain pane displays.
2. Configure the following options:
IP address/Hostname
Enter the domain server IP address or hostname.
Port
Enter the port number.
Distinguished name
Enter the distinguished name (DN) (optional). You must use only capital letters when configuring the DN. You cannot import domains and OUs that have a DN with more than 256 characters.
Bind type
Select the bind type: Simple, Anonymous, or Regular. When you select Regular, you must enter the Username and Password.
Username
Available when Bind type is set to Regular. Enter the username.
Password
Available when Bind type is set to Regular. Enter the user password.
Show Password
Available when Bind type is set to Regular. Turn on and off to show or hide the password.
LDAPS connection
Enable a secure connection protocol when Bind Type is set to Regular.
Sync every
Enter the sync schedule between FortiClient EMS and the domain in minutes. The default is ten minutes.
3. Click Test to test the domain settings connection.
4. If the test succeeds, click Save to save the new domain. If not, correct the information as required, then test the settings again.
After importing endpoints from an AD server, you can move them to custom created groups. These groups are not seen in AD, and EMS does not have the ability to modify the AD server in any way. See Managing groups on page 86.
Connecting manually from FortiClient
Endpoint users can manually connect FortiClient Telemetry to FortiClient EMS by specifying the IP address for FortiClient EMS in FortiClient. This process is sometimes called registering FortiClient to FortiClient EMS.
To manually connect to EMS from FortiClient:
1. In FortiClient on the endpoint, go to the Fabric Telemetry tab.
2. In the EMS IP field, enter the EMS IP address, and click Connect. FortiClient connects to FortiClient EMS.
For information about FortiClient, see the FortiClient Administration Guide.
The FortiClient Telemetry gateway port may be appended to the gateway list address in FortiClient, separated by a colon. When the port is not provided, FortiClient attempts to connect to the given IP address using the default port. The default connection port in FortiClient 6.0 and 6.2 is 8013. By default, FortiClient EMS listens for connections on port 8013.
Adding endpoints using an AD domain server is considered best practice. Connecting FortiClient to FortiClient EMS manually is only recommended for troubleshooting purposes.
Viewing endpoints
After you add endpoints to FortiClient EMS, you can view the list of endpoints in a domain or workgroup in the Endpoints pane. You can also view details about each endpoint and use filters to access endpoints with specific qualities.
Viewing the Endpoints pane
You can view information about endpoints on the Endpoints pane.
To view the Endpoints pane:
1. Go to Endpoints, and select All Endpoints, a domain, or workgroup. The list of endpoints, a quick status bar, and a toolbar display in the content pane.
Not Installed
Number of endpoints that do not have FortiClient installed. Click to display the list of endpoints without FortiClient installed.
Not Registered
Number of endpoints that are not connected to FortiClient EMS. Click to display the list of disconnected endpoints.
Out-Of-Sync
Number of endpoints with an out-of-sync profile. Click to display the list of endpoints with out-of-sync profiles.
Security Risk
Number of endpoints that are security risks. Click to display the list of endpoints that are security risks.
Quarantined Endpoints
Number of endpoints that EMS has quarantined. Click to display the list of quarantined endpoints.
Checkbox
Click the checkbox to select all endpoints displayed in the content pane.
Show/Hide Heading
Click to hide or display the following column headings: Device, User, IP, Configurations, Connections, and Alerts and Events.
Show/Hide Full Group Path
Click to hide or display the full path for the group that the endpoint belongs to.
Refresh
Click to refresh the list of endpoints.
Search All Fields
Enter a value and press Enter to search for the value in the list of endpoints.
Filters
Click to display and hide filters you can use to filter the list of endpoints.
Device
Visible when headings are displayed. Displays an icon to represent the OS on the endpoint, the hostname, and the endpoint group.
User
Visible when headings are displayed. Displays the name and icon of the user logged into the endpoint. Also displays the status of the endpoint:
- Online: Endpoint has been seen within less than three keep-alive timeouts.
- Away: Endpoint has been offline for less than eight hours.
- Offline: Endpoint has been offline for more than eight hours.
- Never Seen: Endpoint has never been registered to EMS.
IP
Visible when headings are displayed. Displays the endpoint's IP address.
Configurations
Visible when headings are displayed. Displays the name of the policy assigned to the endpoint and its synchronization status.
Connections
Visible when headings are displayed. Displays the connection status between FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate, displays the FortiGate hostname.
Alerts and Events
Visible when headings are displayed. Displays FortiClient alerts and events for the endpoint.
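The Online, Away, Offline and Never Seen rules from the User column above, as an added Python example that is not part of the guide or of EMS. The keep-alive interval (the page does not state it), the handling of an endpoint silent for exactly eight hours (treated as Offline here), and the sample endpoints are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed keep-alive interval; the real value comes from the endpoint profile
# and is not given on this page.
KEEP_ALIVE = timedelta(seconds=60)
AWAY_LIMIT = timedelta(hours=8)


def endpoint_status(last_seen: Optional[datetime], now: datetime,
                    keep_alive: timedelta = KEEP_ALIVE) -> str:
    """Map an endpoint's Last Seen time (last keep-alive that EMS received)
    to the status the Endpoints pane shows in the User column."""
    if last_seen is None:
        return "Never Seen"          # never registered to EMS
    silence = now - last_seen
    if silence < 3 * keep_alive:
        return "Online"              # seen within three keep-alive timeouts
    if silence < AWAY_LIMIT:
        return "Away"                # offline for less than eight hours
    return "Offline"                 # eight hours or more (boundary is an assumption)


def status_counts(endpoints: List[Tuple[str, Optional[datetime]]],
                  now: datetime) -> Dict[str, int]:
    """Tally the statuses of (hostname, last_seen) pairs, e.g. to spot how
    many managed endpoints have gone quiet since the last review."""
    counts = {"Online": 0, "Away": 0, "Offline": 0, "Never Seen": 0}
    for _, last_seen in endpoints:
        counts[endpoint_status(last_seen, now)] += 1
    return counts


# Constructed sample with a fixed reference time so the result is deterministic.
NOW = datetime(2021, 10, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS: List[Tuple[str, Optional[datetime]]] = [
    ("WS-01", NOW - timedelta(seconds=90)),             # Online
    ("WS-02", NOW - timedelta(minutes=5)),              # Away
    ("WS-03", NOW - timedelta(hours=7, minutes=59)),    # Away, just under the limit
    ("WS-04", NOW - timedelta(hours=8)),                # Offline
    ("WS-05", None),                                    # Never Seen
]
```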
2. Click an endpoint to display its details in the content pane. The following dropdown lists display in the toolbar for the selected endpoint:
Scan
Click to start a Vulnerability or AV scan on the selected endpoint.
Patch
Click to patch all critical and high vulnerabilities on the selected endpoint. Choose one of the following options:
- Selected Vulnerabilities on Selected Clients
- Selected Vulnerabilities on All Affected Clients
- All Critical and High Vulnerabilities
Move to
Move the endpoint to a different group.
Action
Click to perform one of the following actions on the selected endpoint:
- Request FortiClient Logs
- Request Diagnostic Results
- Update Signatures
- Download Available FortiClient Logs
- Download Available Diagnostic Results
- Deregister
- Quarantine
- Un-quarantine
- Exclude from Management
- Revoke Client Certificate. This action is only available if the ZTNA or EPP license is applied and for endpoints running FortiClient 7.0.0 and later versions. See Windows, macOS, and Linux endpoint licenses on page 22. Revoke the certificate that FortiClient is using to securely encrypt and tunnel TCP traffic through HTTPS to the FortiGate. You may want to revoke a certificate if it becomes compromised and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new certificate signing request. See FortiClient in the Security Fabric on page 14.
- Clear Events
- Mark as Uninstalled
- Set Importance
- Set Custom Tags. This option is only available if you have already created a custom tag.
- Delete Device
The following tabs are available in the content pane toolbar when you select an endpoint, depending on which FortiClient features are installed on the endpoint and enabled via the assigned profile:
Summary
<user name>
Displays the name of the user logged into the selected endpoint. Also displays the user's avatar, email address, and phone number if these are provided to FortiClient on the endpoint. If the user's LinkedIn, Google, Salesforce, or other cloud app account is linked in FortiClient, the username from the cloud application displays. Also displays the group that the endpoint belongs to in EMS.
Device
Displays the selected endpoint's hostname. You can enter an alias if desired.
OS
Displays the selected endpoint's operating system and version number.
IP
Displays the selected endpoint's IP address.
MAC
Displays the selected endpoint's MAC address.
Last Seen
Displays the last date and time that FortiClient sent a keep-alive message to EMS. This information is useful if FortiClient is offline because it indicates when the last keep-alive message occurred.
Location
Displays whether the selected endpoint is on- or off-fabric. You can also view any on-fabric detection rules that the endpoint is applicable for. See Onfabric Detection Rules on page 131.
Network Status
This section only appears for endpoints running FortiClient 6.4.1 and later versions.
Displays the following information for the networks that the endpoint is connected to:
- MAC address
- IP address
- Gateway IP address
- Gateway MAC address
- SSID for Wi-Fi connections
Hardware Details
Displays the hardware model, vendor, CPU, RAM, and serial number information for the endpoint device, if available.
Zero Trust Tags
Displays which tags have been applied to the endpoint based on the Zero Trust tagging rules. See Zero Trust Tags on page 199.
Connection
Displays the connection status between the selected endpoint and FortiClient EMS.
Configuration
Displays the following information for the selected endpoint:
- Policy: Endpoint policy assigned to the selected endpoint
- Profile: Profile assigned to the selected endpoint
- Off-fabric Profile: Off-fabric profile assigned to the selected endpoint
- Installer: FortiClient installer used for the selected endpoint
- FortiClient Version: FortiClient version installed on the selected endpoint
- FortiClient Serial Number: Serial number for the selected endpoint's FortiClient license
Classification Tags
Displays classification tags that are currently assigned to the endpoint. You can also assign a classification tag to the endpoint. Classification tags include the default importance level tags (low, medium, high, or critical) and custom tags. An endpoint can only have one default importance tag assigned, but can have multiple custom tags assigned. You can also unassign a tag from the endpoint, and create, assign, or delete a custom tag. To create a new custom tag, click the Add button, enter the desired tag, then click the + button. When you create a tag, it is available for assignment to all endpoints in the current site.
You can assign a classification tag to multiple endpoints by selecting the endpoints, then selecting Action > Set Importance or Set Custom Tags.
See Sending endpoint classification tags to FortiAnalyzer on page 97.
Status
Displays one of the following statuses:
FortiClient EMS 7.0.1 Administration Guide
91
Fortinet Technologies Inc.
Endpoint management
- Managed: Endpoint is managed by EMS.
- Quarantined: If quarantined, displays the access code. The user can enter this access code in the affected endpoint's FortiClient to remove the endpoint from quarantine.
- Excluded: Endpoint is excluded from management by EMS.
Features
Displays which features are enabled for FortiClient.
Antivirus Events
- Date: Displays the AV event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the AV event's message.
- Actions: Mark the event as read or delete it.
Cloud Scan Events
- Date: Displays the cloud-based malware detection event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the cloud-based malware detection event's message.
- Actions: Mark the event as read or delete it.
AntiExploit Events
- Date: Displays the AntiExploit event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the AntiExploit event's message.
- Actions: Mark the event as read or delete it.
USB Device Events
- Date: Displays the USB device event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the USB device event's message.
- Actions: Mark the event as read or delete it.
Sandbox Events
- Date: Displays the sandbox event's date and time.
- Message: Displays the sandbox event's message.
- Rating: Displays the file's risk rating as retrieved from FortiSandbox.
- Checksum: Displays the checksum for the file.
- Download: Download a PDF version of the detailed report.
- Magnifying glass: Click to view a more detailed report. See Viewing Sandbox event details on page 96.
Firewall Events
- Date: Displays the firewall event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the firewall event's message.
- Actions: Mark the event as read or delete it.
Web Filter Events
- Date: Displays the web filter event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the web filter event's message.
- Actions: Mark the event as read or delete it.
Vulnerability Events
- Vulnerability: Displays the vulnerability's name. For example, Security update available for Adobe Reader.
- Category: Displays the vulnerability's category. For example, Third Party App.
- Application: Displays the name of the application with the vulnerability.
- Severity: Displays the vulnerability's severity.
- Patch Type: Displays the patch type for this vulnerability: Auto or Manual.
- FortiGuard: Displays the FortiGuard ID number. If you click the FortiGuard ID number, it redirects you to FortiGuard, where further information is provided if available.
System Events
- Date: Displays the system event's date and time.
- Count: Displays the number of occurrences for this event.
- Message: Displays the system event's message.
- Actions: Mark the event as read.
Using the quick status bar
You can use the quick status bar to quickly display filtered lists of endpoints on the Endpoints content pane.
To use the quick status bar:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints and quick status bar display.
3. Click one of the following buttons in the quick status bar:
- Not Installed
- Not Registered
- Out-Of-Sync
- Security Risk
- Quarantined
The list of affected endpoints displays.
4. Click an endpoint to display its details.
5. In the Events column, click the AV <number>, SB <number>, FW <number>, VUL <number>, WEB <number>, and SYS <number> buttons to display the associated tab of details for the selected endpoint.
6. Click the Total button to clear the filters. The unfiltered list of endpoints displays.
Viewing endpoint details
You can view each endpoint's details on the Endpoints content pane. For a description of the options on the Endpoints content pane, see Viewing the Endpoints pane on page 88.
To view endpoint details:
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or workgroup displays.
2. Click an endpoint. Details about the endpoint display in the content pane.
Filtering the list of endpoints
You can filter the list of endpoints displayed on the Endpoints content pane.
To filter the list of endpoints:
1. Go to Endpoints.
2. Click All Domains, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters. The filter options display. For text values, you can use a comma (,) to separate values and an exclamation mark (!) to exclude a value. For buttons, hover the mouse over each button to view its tooltip.
Device
Lists the filter options for devices.
- Name: Enter the name(s) to include in the filter.
- User: Enter the name of the user(s) to include in the filter.
- Group: Enter the name of the group(s) to include in the filter.
- IP: Enter the IP address to include in the filter.
- OS: Enter the name of the operating system(s) to include in the filter.
- Tag: Enter the tag(s) to include in the filter. This includes Zero Trust tagging and classification tags. See Zero Trust Tags on page 199 and Viewing the Endpoints pane on page 88.
FortiClient Version
Lists the filter options for FortiClient version numbers. Enter the FortiClient version number to include in the filter.
Deployment Package
Lists the filter options for deployment.
- Name: Enter the name(s) of the deployment package to include in the filter.
- Status: Click one or more deployment status buttons to include in the filter. Selected status buttons are green. Hover the mouse over each button to view its tooltip. Clear the status button to exclude the status from the filter. Excluded status buttons are gray.
- More States: Click to display additional statuses to include in the filter.
Policy
- Name: Enter the name(s) of the policy to include in the filter.
- Status: Click the policy status to include in the filter. Selected status buttons are green. Choose between Synced and Out-Of-Sync. Clear the status button to exclude the status from the filter. Excluded status buttons are gray.
Profile
- Name: Enter the name(s) of the profile to include in the filter.
EMS
- Status: Click the status for the FortiClient Telemetry connection to EMS to include in the filter. Selected status buttons are green. Clear the status button to exclude the status from the filter. Excluded status buttons are gray.
Events
Select the events to include in the filter. The selected checkboxes beside the events are included in the filter. Clear the checkbox beside an event to exclude the event from the filter.
Features
Enter the AV, Firewall, and/or vulnerability signature and/or engine to filter for.
Bookmarks
Displays the list of saved filter settings. Displays only after you have saved a bookmark. Click the Bookmark button to name and save filter settings. Click a bookmark to use the saved settings. Click the x beside a bookmark to delete it.
Search
Click the Search button to apply the filter settings.
Reset
Click the Reset button to clear the filter settings.
Bookmark
Click the Bookmark button to save the filter settings as a bookmark.
4. Click Search. The filtered list of endpoints displays.
5. Click Reset to clear the filter settings.
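The text filter syntax described above (a comma separates values, an exclamation mark excludes a value) applied to a small inventory, as an added example that is not part of the guide or of EMS. It assumes that matching is case-insensitive and exact per value, that a filter made only of exclusions admits every other value, that an empty filter admits everything, and that filters on different fields are combined with AND; the endpoint records are constructed sample data. The bookmark helpers mirror what the Bookmark button does in the GUI.

```python
"""Endpoint list filtering with the EMS text syntax: ',' separates values,
'!' excludes a value. Added example with the assumptions stated above."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    user: str
    group: str
    ip: str
    os: str
    tags: Tuple[str, ...] = ()   # Zero Trust and classification tags


def parse_text_filter(text: str) -> Tuple[Set[str], Set[str]]:
    """Split 'a, b, !c' into include={'a','b'} and exclude={'c'}."""
    include, exclude = set(), set()
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            continue                      # tolerate "a,,b" and trailing commas
        if token.startswith("!"):
            exclude.add(token[1:].strip().lower())
        else:
            include.add(token.lower())
    return include, exclude


def values_match(values: Sequence[str], include: Set[str], exclude: Set[str]) -> bool:
    """True if none of the endpoint's values is excluded and, when an include
    list exists, at least one value is on it (a tag field has many values)."""
    vals = {v.lower() for v in values}
    if vals & exclude:
        return False
    return not include or bool(vals & include)


# Which endpoint fields each filter key reads; 'tag' yields several values.
FIELD_GETTERS = {
    "name": lambda ep: (ep.name,),
    "user": lambda ep: (ep.user,),
    "group": lambda ep: (ep.group,),
    "ip": lambda ep: (ep.ip,),
    "os": lambda ep: (ep.os,),
    "tag": lambda ep: ep.tags,
}


def apply_filters(endpoints: Sequence[Endpoint], filters: Dict[str, str]) -> List[str]:
    """Return the names of endpoints that satisfy every field filter (AND)."""
    parsed = {key: parse_text_filter(text) for key, text in filters.items()}
    matched = []
    for ep in endpoints:
        if all(values_match(FIELD_GETTERS[key](ep), inc, exc)
               for key, (inc, exc) in parsed.items()):
            matched.append(ep.name)
    return matched


# Constructed sample inventory (not real hosts).
SAMPLE_ENDPOINTS = [
    Endpoint("WS-HQ-01", "alice", "HQ", "192.168.0.10", "Windows 10", ("critical", "finance")),
    Endpoint("WS-HQ-02", "bob", "HQ", "192.168.0.11", "Windows 10", ("low",)),
    Endpoint("MAC-SEA-01", "carol", "West Coast/Seattle", "10.1.0.5", "macOS 11", ("medium",)),
    Endpoint("SRV-HQ-01", "svc-backup", "HQ", "192.168.0.20", "Windows Server 2008", ("critical",)),
]

# Saved filter settings, the equivalent of the Bookmark button.
BOOKMARKS: Dict[str, Dict[str, str]] = {}


def save_bookmark(name: str, filters: Dict[str, str]) -> None:
    BOOKMARKS[name] = dict(filters)


def run_bookmark(name: str, endpoints: Sequence[Endpoint]) -> List[str]:
    return apply_filters(endpoints, BOOKMARKS[name])


if __name__ == "__main__":
    save_bookmark("hq-workstations", {"group": "HQ", "os": "!Windows Server 2008"})
    print(run_bookmark("hq-workstations", SAMPLE_ENDPOINTS))
```

The exclusion check runs before the inclusion check, so a value that appears both with and without the exclamation mark is excluded; that is the safer reading for an operator who is narrowing a list of affected endpoints.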
Using bookmarks to filter the list of endpoints
You can save filter settings as bookmarks, then select the bookmarks to use them.
To create bookmarks to filter endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters.
4. Click the Bookmark button.
5. In the New Bookmark field, enter a name for the filter settings, and press Enter. The bookmark displays under Bookmarks.
To use bookmarks to filter the list of endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu.
4. In the Bookmarks list, click a bookmark. The bookmark settings are used to filter the list of endpoints.
Viewing Sandbox event details
You can view a detailed report about a Sandbox event. EMS retrieves the report from FortiSandbox.
To view Sandbox event details:
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or workgroup displays.
2. Click an endpoint. Details about the endpoint display in the content pane.
3. On the Sandbox Events tab, click the magnifying glass icon beside the desired Sandbox event. EMS displays a detailed report about the Sandbox event.
4. Click Process Tree. For some events, you can see a graphical representation of the processes that the malware created on FortiSandbox.
Sending endpoint classification tags to FortiAnalyzer
You can use tags for grouping and classifying endpoints, which can help with assessing incident impact and prioritizing incidents by SOC analysts or SOAR playbooks. You can assign a classification tag to an endpoint. Classification tags include the following:
l Default importance level tags (low, medium, high, or critical) to specify an endpoint's importance in the organization. You can tag critical endpoints accordingly and monitor them for security incidents.
l Custom tags. You can create a maximum of eight custom tags. You can assign multiple custom tags to an endpoint or group of endpoints.
FortiAnalyzer Fabric View shows tags for each endpoint. The FortiAnalyzer FortiSoC playbook pulls endpoint information from EMS using an EMS connector. The following describes the process for configuring a classification tag and viewing the data in FortiAnalyzer:
1. Configure and apply classification tags to endpoints in EMS.
2. Configure FortiAnalyzer to receive the tags:
   a. Configure the EMS-FortiAnalyzer Fabric connection.
   b. Run the FortiSoC playbook to retrieve endpoint information from EMS.
To configure and apply classification tags to endpoints in EMS:
By default, EMS tags all newly registered endpoints with the Low default importance tag.
1. In EMS, go to Endpoints.
2. To apply tags to a single endpoint, go to the desired endpoint. Under Classification Tags, to create a new custom tag, click the Add button, enter the desired tag, then click the + button. You can also assign a new importance tag to the endpoint.
3. To apply tags to multiple endpoints, select all desired endpoints, then select Action > Set Importance or Set Custom Tags.
To configure the EMS-FortiAnalyzer Fabric connection:
1. In FortiAnalyzer, go to Fabric View.
2. Click the Fabric Connectors tab, then click Create New.
3. Click the FortiClient EMS tile. The Create New Fabric Connector dialog opens.
4. In the Configuration tab, configure the connector settings: enter the EMS IP address and administrator credentials.
5. On the Actions tab, leave the default settings.
6. Click OK.
To run the FortiSoC playbook to retrieve endpoint information from EMS:
1. In FortiAnalyzer, in the Fabric ADOM, go to FortiSoC > Automation > Playbook.
2. Click Create New, then New Playbook created from scratch.
3. Add an on-demand playbook with two tasks:
   - EMS_GET_ENDPOINTS (no parameters)
   - LOCALHOST_UPDATE_ASSET_AND_IDENTITY (use parameter ems_endpoints = previous_task_id.ems_endpoints)
4. Click Save.
5. Click Run. Accept the Manually Run Playbook prompt.
6. Go to Automation > Playbook Monitor. You can view the running playbook status.
7. Once the corresponding playbook job finishes running, go to Fabric View > Assets. The endpoint and its tags display.
Managing endpoints
You can manage endpoints from the Endpoints pane.
Running AV scans on endpoints
You can run a full or quick AV scan on endpoints. Scanning starts on the endpoints with the next FortiClient Telemetry communication. For the difference between full and quick AV scans, see AntiVirus Protection on page 140.
To run AV scans on endpoints:
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start full antivirus scan or Start quick antivirus scan.
To run AV scans on an endpoint:
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Quick AV Scan or Full AV Scan.
Running vulnerability scans on endpoints
You can run a vulnerability scan on endpoints.
To run vulnerability scans on endpoints:
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start vulnerability scan. Vulnerability scanning starts on the endpoints with the next FortiClient Telemetry communication.
To run vulnerability scans on an endpoint:
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Vulnerability Scan. Vulnerability scanning starts on the endpoint with the next FortiClient Telemetry communication.
Patching vulnerabilities on endpoints
You can request that FortiClient patch detected critical and high vulnerabilities on endpoints. FortiClient can automatically patch many software vulnerabilities. However, the endpoint user must manually patch some detected software vulnerabilities. If a vulnerability requires the endpoint user to download and install software to patch it, FortiClient displays that information.
To patch vulnerabilities on a domain or group of endpoints:
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Patch critical/high vulnerabilities. FortiClient initiates automatic vulnerability patching with the next FortiClient Telemetry communication.
To patch vulnerabilities on an endpoint:
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Patch menu, select one of the following options:
- Selected Vulnerabilities on Selected Clients
- Selected Vulnerabilities on All Affected Clients
- All Critical and High Vulnerabilities
FortiClient initiates automatic vulnerability patching with the next FortiClient Telemetry communication.
Uploading FortiClient logs
You can upload a FortiClient log file from one or several endpoints to FortiClient EMS. The log file is uploaded to the hard drive of the computer on which you are running EMS. The uploaded log file is not visible in the FortiClient EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Upload FortiClient logs. The <Endpoint serial number>_<Endpoint hostname>_log file is uploaded to the following location on your computer: <drive>:\Program Files (x86)\Fortinet\FortiClientEMS\logs
Running the FortiClient diagnostic tool
You can use EMS to run the FortiClient diagnostic tool on one or multiple endpoints and export the results to the hard drive of the computer on which you are running FortiClient EMS. The exported information is not visible in the FortiClient EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Request Diagnostic Results. The <Endpoint serial number>_<Endpoint hostname>_Diagnostic_Result.cab file is uploaded to the following location on your computer: <drive>:\Program Files (x86)\Fortinet\FortiClientEMS\logs
Updating signatures
You can use EMS to request that FortiClient update signatures on the endpoints.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Update Signatures. FortiClient receives the request to update signatures and downloads the signatures from the Internet.
Downloading available FortiClient logs
To download available FortiClient logs:
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available FortiClient Logs. If you recently requested FortiClient logs, you must wait at least five minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the logs to. Click Save. The logs are saved to your selected directory as a .zip file.
Downloading available diagnostic results
To download available diagnostic results:
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available Diagnostic Results. If you recently requested diagnostic results, you must wait at least twenty minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the results to. Click Save. The results are saved to your selected directory as a .zip file.
Disconnecting and connecting endpoints
You can manually disconnect endpoints using EMS.
To disconnect endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Action menu, select Deregister. EMS disconnects the endpoint with the next FortiClient Telemetry communication. After the endpoint is disconnected from EMS, you can reconnect the endpoint to EMS manually.
Quarantining an endpoint
You can quarantine an endpoint using EMS. Quarantined endpoints cannot access the network. You must enable Application Firewall for this feature to function. See Feature Select on page 257.
To quarantine an endpoint:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Quarantine. The endpoint status changes to Quarantined, and EMS quarantines the endpoint with the next FortiClient Telemetry communication.
You can remove an endpoint from quarantine by right-clicking the endpoint and selecting Unquarantine. EMS removes the endpoint from quarantine with the next FortiClient Telemetry communication and restores network access.
You can also provide the endpoint user with a one-time access code. The user can enter the code to access FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in FortiClient. The code is available under Quarantine Access Code after selecting a quarantined endpoint.
Quarantining an endpoint from FortiOS using EMS
The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. This requires the following network components:
- FortiGate
- FortiAnalyzer
- FortiClient EMS
- FortiClient
You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.
This configuration functions as follows:
1. FortiClient sends logs to the FortiAnalyzer.
2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
4. EMS searches for the endpoint and sends a quarantine message to it.
5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
FortiClient (Linux) does not support this feature.
Prerequisites
The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.
FortiClient
FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.
EMS
1. You must create a profile for the endpoint. See Creating a profile to configure FortiClient on page 136.
2. You must create and configure an endpoint policy that is configured with the desired profile and Telemetry gateway list for the desired endpoint group. See Adding an endpoint policy on page 124.
3. Enable Remote HTTPS access. See Configuring EMS settings on page 244.
FortiGate
Before automation can be triggered, you must configure the following:
1. Configure an automation trigger.
2. Configure an automation object.
3. Configure an automation stitch.
4. Configure an EMS firewall address object. This is only required if using a FortiOS version earlier than 6.2.0.
5. Configure EMS endpoint control.
To create an automation trigger, enter the following commands in the CLI:
config system automation-trigger
    edit "trigger01"
        set trigger-type event-based
        set event-type ioc
        set ioc-level high
    next
end
To create an automation action, enter the following commands in the CLI:
config system automation-action
    edit "action01"
        set action-type quarantine-forticlient
        set minimum-interval 0
    next
end
To create an automation stitch, enter the following commands in the CLI:
config system automation-stitch
    edit "stitch01"
        set status enable
        set trigger "trigger01"
        set action "action01"
    next
end
To create an EMS firewall address object, enter the following commands in the CLI:
This step is only necessary when using a version of FortiOS prior to 6.2.0.
config firewall address
    edit "EMS01"
        set type ipmask
        set subnet <EMS_IP_address> 255.255.255.255
    next
end
To configure EMS endpoint control:
There are separate instructions when using FortiOS 6.2.0 or a later version, and a version of FortiOS earlier than 6.2.0.
If using FortiOS 6.2.0 or a later version, do the following:
1. Go to Security Fabric > Settings.
2. Enable FortiClient Endpoint Management System (EMS).
3. In the Name field, enter the desired EMS name.
4. In the IP/Domain Name field, enter the EMS IP address or FQDN.
5. In the Serial Number field, enter the EMS serial number. You can find this in the System Information widget on the EMS dashboard.
6. In the Admin User field, enter the EMS admin username.
7. In the Password field, enter the admin user's password.
8. Click Apply.
If using a FortiOS version earlier than 6.2.0, enter the following commands in the CLI. In the following commands, <EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and <PASSWORD> is the EMS administrator's password:
config endpoint-control forticlient-ems
    edit "e01"
        set address "EMS01"
        set serial-number <EMS_SERIAL_NUMBER>
        set rest-api-auth userpass
        set https-port 443
        set admin-username <EMS_ADMIN>
        set admin-password <PASSWORD>
        set admin-type Windows
    next
end
Executing automation
Once the prerequisites are met, you can trigger the automation process. The following command triggers the quarantine action on the endpoint at <endpoint_ip_address>:
diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>
After this action, EMS and FortiOS both display that the endpoint is quarantined.
Excluding endpoints from management
You can exclude endpoints from management.
To exclude endpoints from management:
1. Right-click a domain or workgroup.
2. Select Exclude from management.
To exclude an endpoint from management:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Exclude from Management.
Deleting endpoints
You can delete disconnected endpoints from EMS. This option is only available for non-domain devices.
1. Go to Endpoints.
2. Click All Endpoints or a workgroup. A list of endpoints displays.
3. If the endpoint has a status of Registered, disconnect the endpoint.
4. Click an endpoint, and from the Action menu, select Delete Device.
5. In the dialog, click Yes. The endpoint is deleted from FortiClient EMS.
Group assignment rules
You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP address, or OS. If a newly connected endpoint does not match any group assignment rule and belongs to an imported AD domain, EMS moves the endpoint into the OU to which it belongs in the AD domain tree. If no AD domain has been imported, or the endpoint does not belong to the imported AD domain, EMS places it in the Other Endpoints group.
Group assignment rule types
You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP address, or OS.
Installer ID group assignment rules
Creating a FortiClient 6.0+ deployment package includes an option to specify an installer ID. For example, consider you want all endpoints located in your company's headquarters to be placed in the same endpoint group. You can configure a FortiClient 6.0.1 deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:
1. In FortiClient EMS, create an installer ID group assignment rule that requires endpoints with the installer ID "HQ" to be placed into the HQ group. The installer ID and group name do not need to match. See Adding a group assignment rule on page 108.
2. Create a FortiClient 6.0+ deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding a FortiClient deployment package on page 120.
3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.
If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.
IP address group assignment rules
You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding a group assignment rule on page 108.
2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.
OS group assignment rules
You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding a group assignment rule on page 108.
2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.
Managing group assignment rule priority levels
An endpoint may be eligible for multiple group assignment rules. When an endpoint is eligible for multiple endpoint group assignment rules, two factors determine which rule EMS applies to the endpoint:
1. EMS applies group assignment rules to endpoints only if the rules are enabled on the Endpoints > Group Assignment Rules page.
2. If an endpoint is eligible for multiple enabled rules, EMS applies the rule with the first priority level to the endpoint.
To change rule priority levels:
1. Go to Endpoints > Group Assignment Rules.
2. Click and hold the rule, then drag it to the desired position.
In the example, consider an endpoint where FortiClient was deployed using the "HQ" installer ID and that has an IP address belonging to the 192.168.0.0/24 subnet. The endpoint applies for two rules. In this case, the endpoint is placed in the HQ group, since the HQ rule has a higher priority level than the 192.168.0.0/24 subnet rule.
However, if you disable the HQ rule, EMS places the endpoint in the West Coast/Seattle group, as per the 192.168.0.0/24 subnet rule.
You can re-enable the HQ rule, then change the rule priority levels so that the 192.168.0.0/24 rule has priority level 1. In this case, EMS places the endpoint in the West Coast/Seattle group.
Adding a group assignment rule
To add an installer ID group assignment rule:
An installer ID group assignment rule automatically places endpoints with the specified installer ID into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select Installer ID.
4. In the Installer ID field, enter the desired installer ID.
5. In the Group field, do one of the following:
   a. If you want to place the endpoints into an existing group, select the desired group from the dropdown list.
   b. If you want to place the endpoints into a new group, click Create a new group and enter the desired group name. FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
To add an IP address group assignment rule:
An IP address group assignment rule requires all endpoints with an IP address in the specified subnet or IP address range to be placed into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select IP Address.
4. In the Subnet/IP Range field, enter the desired subnet or IP address range. You must enter an IPv4 range, such as 192.168.1.1-192.168.1.5, or an IPv4 subnet with subnet mask, such as 192.168.0.0/28. You cannot enter an IPv6 range or subnet. EMS automatically places endpoints whose IP addresses belong to the specified subnet or IP address range into the specified group.
5. In the Group field, do one of the following:
   a. If you want to place the endpoints into an existing group, select the desired group from the dropdown list.
   b. If you want to place the endpoints into a new group, click Create a new group and enter the desired group name. FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
To add an OS group assignment rule:
An OS group assignment rule requires all endpoints that have the specified OS installed to be placed into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select OS.
4. In the OS field, enter the OS. EMS automatically places endpoints that have the specified OS installed into the specified group. You can enter only the OS name or specify a version number. For example, you can enter "Windows" to place endpoints with any version of Windows installed into the specified endpoint group. You can also specify "Windows Server 2008" to only place endpoints that have Windows Server 2008 installed into the specified endpoint group.
5. In the Group field, do one of the following:
   a. If you want to place the endpoints into an existing group, select the desired group from the dropdown list.
   b. If you want to place the endpoints into a new group, click Create a new group and enter the desired group name. FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
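The three rule types (installer ID, IP address range or subnet, and OS name) and the on-demand creation of nested groups such as West Coast/Seattle can be modelled as a small matcher. This is an added example, not Fortinet's code: first-match ordering between rules, case-insensitive prefix matching for OS names and tolerating host bits in a subnet are assumptions of the model, and the sample rules and endpoints are constructed.

```python
"""Model of EMS group assignment rules (installer ID, IP address, OS).
Added example, not Fortinet code: rule order, OS prefix matching and the group
tree are assumptions of this model, and the sample data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    hostname: str
    ip: str
    os: str
    installer_id: Optional[str] = None  # GROUP_TAG given to the installer

@dataclass
class Rule:
    kind: str      # "installer_id", "ip" or "os"
    value: str     # installer ID, "a.b.c.d-e.f.g.h" / "a.b.c.d/n", or OS name
    group: str     # target group path, e.g. "West Coast/Seattle"
    enabled: bool = True

def parse_ipv4_scope(text: str):
    """Parse 'start-end' or CIDR notation; IPv6 is rejected, as the guide states."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != 4 or end.version != 4:
            raise ValueError("only IPv4 ranges are accepted")
        if start > end:
            raise ValueError("range start is after range end")
        return ("range", start, end)
    net = ipaddress.ip_network(text.strip(), strict=False)  # host bits tolerated (assumption)
    if net.version != 4:
        raise ValueError("only IPv4 subnets are accepted")
    return ("subnet", net)

def rule_matches(rule: Rule, ep: Endpoint) -> bool:
    if rule.kind == "installer_id":
        return ep.installer_id is not None and ep.installer_id == rule.value
    if rule.kind == "ip":
        addr = ipaddress.ip_address(ep.ip)
        if addr.version != 4:
            return False
        scope = parse_ipv4_scope(rule.value)
        if scope[0] == "range":
            return scope[1] <= addr <= scope[2]
        return addr in scope[1]
    if rule.kind == "os":
        # "Windows" matches every Windows version, "Windows Server 2008" only that
        # product: modelled as a case-insensitive prefix match (assumption).
        return ep.os.lower().startswith(rule.value.lower())
    raise ValueError(f"unknown rule type {rule.kind!r}")

def ensure_group(tree: Dict[str, dict], path: str) -> List[str]:
    """Create every missing level of 'West Coast/Seattle'; return what was created."""
    created, node, prefix = [], tree, []
    for part in path.split("/"):
        prefix.append(part)
        if part not in node:
            node[part] = {}
            created.append("/".join(prefix))
        node = node[part]
    return created

def assign(rules: List[Rule], endpoints: List[Endpoint],
           tree: Dict[str, dict]) -> Dict[str, Optional[str]]:
    """Map hostname -> group of the first enabled rule it matches (None if none)."""
    placement: Dict[str, Optional[str]] = {}
    for ep in endpoints:
        placement[ep.hostname] = None
        for rule in rules:
            if rule.enabled and rule_matches(rule, ep):
                ensure_group(tree, rule.group)
                placement[ep.hostname] = rule.group
                break
    return placement

# Constructed sample data, not taken from the guide.
RULES = [
    Rule("installer_id", "HR", "HQ/HR"),
    Rule("ip", "192.168.1.1-192.168.1.5", "West Coast/Seattle"),
    Rule("ip", "192.168.0.0/28", "West Coast/Portland"),
    Rule("os", "Windows Server 2008", "Legacy/Servers"),
    Rule("os", "Windows", "Workstations"),
]
ENDPOINTS = [
    Endpoint("hr-01", "10.0.0.7", "Windows 10", installer_id="HR"),
    Endpoint("sea-01", "192.168.1.3", "Windows 11"),
    Endpoint("pdx-01", "192.168.0.9", "macOS 12"),
    Endpoint("srv-08", "10.0.0.8", "Windows Server 2008"),
    Endpoint("lin-01", "10.0.0.9", "Ubuntu 20.04"),
]

def demo():
    """Run the sample rules; return (placements, top-level groups created)."""
    tree: Dict[str, dict] = {}
    placement = assign(RULES, ENDPOINTS, tree)
    return placement, sorted(tree)
```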
Enabling/disabling a group assignment rule
To enable/disable a group assignment rule:
1. Go to Endpoints > Group Assignment Rules.
2. Select or deselect the Enabled checkbox for the desired group assignment rule.
Deleting a group assignment rule
To delete a group assignment rule:
1. Go to Endpoints > Group Assignment Rules.
2. Click the desired group assignment rule.
3. Click Delete.
4. In the confirmation dialog, click Yes.
Google Domains
FortiClient EMS needs to determine which Chromebooks to manage. Device information comes from the Google Admin console. Google Domains is only available if you enabled System Settings > EMS Settings > EMS for Chromebooks Settings. This section only applies if you are using FortiClient EMS to manage Google Chromebooks.
Adding a Google domain
To add a Google domain:
1. Go to Google Domains > Manage Domains, and click the Add button. The Google Domain pane displays.
2. In the Admin Email field, enter your Google domain admin email.
3. In the Organization Unit Path field, enter the domain organization unit path. / stands for the root of the domain.
4. Click Save. EMS imports the Google domain information and users.
Viewing domains
After you add domains to FortiClient EMS, you can view the list of domains in Google Domains. You can also view the list of Google users in each domain and details about each Google user in the User Details, Client Statistics, and Blocked Sites panes.
Viewing the Google Users pane
You can view Google user information in FortiClient EMS.
To view the Google Users pane:
1. Go to Google Domains > Domains and click a domain. The list of Google users displays.
The following options are available in the toolbar:
Clear Filters: Clear the currently used filter(s).
Refresh: Refresh the page.
The following columns of information display for Google users:
Name: Chromebook user's name.
Email: Chromebook user's email address.
Last Login: Date and time the user last logged into the domain.
Last Policy Retrieval: Date and time that the Google Chromebook last retrieved the endpoint profile.
Domain: Name of the domain to which the user belongs.
Organization Path: Organization path in the domain.
Viewing user details
You can view details about each user in a Google domain.
To view user details:
1. Go to Google Domains > Domains. The list of domains displays.
2. Click a domain. The list of Google users displays.
3. Click a Google user and scroll to the bottom of the content pane. The User Details, Client Statistics, and Blocked Sites panes display.
User Details
Name: Username.
Email: User's email address.
Last Login: Date and time the user last logged into the domain.
Last Policy Retrieval: Date and time that the Google Chromebook last retrieved the endpoint profile.
Organization Path: Organization path of the user in the domain.
Effective Policy: Name of the Chromebook policy assigned to the user in the domain.
Client Statistics
Blocked Sites Distribution (past <number> days): Displays the distribution of blocked sites in the past number of days. You can configure the number of days for which to display information. Go to System Settings > Logs.
Top 10 Site Categories by Distribution (Past <number> Days): Displays the distribution of top ten site categories in the past number of days. You can configure the number of days for which to display information. Go to System Settings > Logs.
Blocked Sites (Past <number> Days)
Time: Time that the user visited the blocked site.
Threat: Threat type that FortiClient detected.
Client Version: Chromebook user's current version.
OS: Type of OS that the Chromebook user used.
URL: Blocked site's URL.
Port: Port number currently listening.
User Initiated: Whether the user initiated visitation to the blocked site.
Editing a domain
To edit a domain:
1. Go to Google Domains > Domains and select a domain.
2. Click the Edit button.
3. Edit the options and click Save Changes.
Deleting a domain
To delete a domain:
1. Go to Google Domains > Domains, and select a domain.
2. Click the Delete button. A confirmation dialog displays.
3. Click Yes.
Deployment & Installers
You can use FortiClient EMS to deploy FortiClient on endpoints. Deploying FortiClient from FortiClient EMS requires the following steps:
1. Prepare the AD server. See Preparing the AD server for deployment on page 114.
2. Prepare Windows endpoints for FortiClient. See Preparing Windows endpoints for FortiClient deployment on page 116.
3. Add the AD server to FortiClient EMS. See Adding endpoints on page 86.
4. Add a profile and configure FortiClient features in the profile. See Creating a profile to configure FortiClient on page 136.
5. Create a deployment package with the profile in step 4 configured. See Adding a FortiClient deployment package on page 120.
6. Create a deployment configuration. See Creating a deployment configuration on page 116.
After you deploy FortiClient on endpoints and endpoints connect to FortiClient EMS, you can update endpoints by editing the associated profiles. You can also use FortiClient EMS to uninstall and upgrade FortiClient on endpoints.
You cannot use workgroups to deploy an initial installation of FortiClient to endpoints. However, after FortiClient installs on endpoints and endpoints connect to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.
You cannot use FortiClient EMS to deploy an initial installation of FortiClient (macOS) to endpoints. However, after FortiClient (macOS) is installed on endpoints and endpoints connect to FortiClient EMS, you can use FortiClient EMS to uninstall and update FortiClient (macOS) on endpoints.
Manage Deployment
Preparing the AD server for deployment
Before you can successfully deploy a FortiClient installation, ensure you install and prepare the AD server as follows:
1. Configuring a group policy on the AD server on page 115
2. Configuring required Windows services on page 115
3. Creating deployment rules for Windows firewall on page 115
4. Configuring Windows firewall domain profile settings on page 115
Configuring a group policy on the AD server
To configure a group policy on the AD server:
1. On the AD server, open Group Policy Management.
2. Right-click the Default Domain Policy setting. The Group Policy Management Editor opens. A new policy is applied to the entire AD domain. Alternatively, you can create a new Group Policy Object, and link it to one or more OUs in the AD server that contain the endpoint computers on which FortiClient will be deployed.
Configuring required Windows services
To configure required Windows services:
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
2. In the right panel, select the following:
   a. Task Scheduler: Automatic
   b. Windows Installer: Manual
   c. Remote Registry: Automatic
Creating deployment rules for Windows firewall
To create deployment rules for Windows firewall:
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.
2. Right-click Inbound Rules and select New Rule.
3. Select Predefined from the dropdown list and select File and Printer Sharing. Click Next.
4. Ensure that the File and Printer Sharing (SMB-In) checkbox is selected and click Next.
5. Select Allow the connection and click Finish.
6. Repeat steps 1 to 2.
7. Select Predefined from the dropdown list and select Remote Scheduled Tasks Management and click Next.
8. Ensure that the Remote Scheduled Tasks Management (RPC) box is checked and click Next.
9. Select Allow the connection and click Finish.
Configuring Windows firewall domain profile settings
To configure Windows firewall domain profile settings:
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
2. Select Allow inbound file and printer sharing exception:
   a. Right-click and select Edit.
   b. Enable the radio button.
   c. Provide the FortiClient EMS server's IP address in the text box.
   d. Allow unsolicited incoming messages from these IP addresses.
   e. Click OK.
3. Select Allow inbound remote administration exception. Repeat the steps listed in step 2 above to create an exception.
4. Select Allow ICMP Exceptions:
   a. Right-click and select Edit.
   b. Enable the radio button.
   c. Select the Allow inbound echo request checkbox.
   d. Click OK.
To deploy the group policy manually, execute gpupdate /force on the AD server to update the group profile on all endpoints. Execute gpresult.exe /H gpresult.html on any AD client to view the group policy deployed on the endpoints.
Preparing Windows endpoints for FortiClient deployment
You must enable and configure the following services on each Windows endpoint before deploying FortiClient:
- Task Scheduler: Automatic
- Windows Installer: Manual
- Remote Registry: Automatic
You must configure Windows Firewall to allow the following inbound connections:
- File and Printer Sharing (SMB-In)
- Remote Scheduled Tasks Management (RPC)
AD group deployments require an AD administrator account. For non-AD deployments, you can share the deployment package URL with users, who can then download and install FortiClient manually. You can locate the deployment package URL in Deployment & Installers > FortiClient Installer.
When adding endpoints using an AD domain server, FortiClient EMS automatically resolves endpoint IP addresses during initial deployment of FortiClient. FortiClient EMS can deploy FortiClient (Windows) to AD endpoints that do not have FortiClient installed, as well as upgrade existing FortiClient installations if the endpoints are already connected to FortiClient EMS.
Creating a deployment configuration
To create a deployment configuration:
1. Go to Deployment > Manage Deployment.
2. Click Add.
3. Configure the fields as desired:
Name: Required. Enter the desired name.
Endpoint Groups: Optional. Select the desired endpoint group. The list includes device groups for all imported domains and workgroups.
Action: Select Install or Uninstall.
Deployment Package: Select the desired deployment package from the dropdown list.
Start at a Scheduled Time: Specify what time to start installing FortiClient on endpoints.
Unattended Installation: When enabled, the end user cannot modify the installation schedule. If needed, the device reboots without warning logged-in users.
Reboot When Needed: Reboot the endpoint to install FortiClient when needed.
Reboot When No Users Are Logged In: Allow the endpoint to reboot without prompt if no endpoint user is logged into FortiClient.
Notify Users and Let Them Decide When To Reboot When Users Are Logged In: Notify the end user if a reboot of the endpoint is needed and allow the user to decide what time to reboot the endpoint. Disable to reboot the endpoint without notifying the user.
Username: Enter the username to perform deployment on AD. You must enter the admin credentials for the AD. The credentials allow FortiClient EMS to install FortiClient on endpoints using AD. If the credentials are wrong, the installation fails, and an error displays in FortiClient EMS.
Password: Enter the password to perform deployment on AD.
Enable the Deployment: Enable or disable.
4. Click Save.
Managing deployment configuration priority levels
An endpoint may be eligible for multiple deployment configurations. When an endpoint is eligible for multiple endpoint deployment configurations, two factors determine which configuration EMS applies to the endpoint:
1. EMS applies deployment configurations to endpoints only if the configurations are enabled on the Deployment > Manage Deployment page.
2. If an endpoint is eligible for multiple enabled configurations, EMS applies the configuration with the first priority level to the endpoint.
To change configuration priority levels:
1. Go to Deployment > Manage Deployment.
2. Click Change Priority.
3. Click and hold the configuration, then drag to the desired position.
In the example, consider an endpoint that belongs to the Legacy group. The endpoint applies for two configurations. In this case, EMS applies the HQ 6.2.6 deployment configuration to the endpoint, since the HQ 6.2.6 configuration has a higher priority level than the Legacy configuration.
However, if you disable the HQ 6.2.6 configuration, EMS applies the Legacy deployment configuration to the endpoint in the Legacy group.
You can reenable the HQ 6.2.6 rule, then change the configuration priority levels so that the Legacy configuration has priority level 1. In this case, EMS applies the Legacy configuration to the endpoint.
Enabling/disabling a deployment configuration
To enable/disable a deployment configuration:
1. Go to Deployment > Manage Deployment.
2. Select or deselect the Enabled checkbox for the desired deployment configuration.
Deleting a deployment configuration
To delete a deployment configuration:
1. Go to Deployment > Manage Deployment.
2. Click the desired configuration.
3. Click Delete.
4. In the confirmation dialog, click Yes.
Deploying initial installations of FortiClient (macOS)
You cannot use FortiClient EMS to deploy initial installations of FortiClient (macOS). You can deploy an initial installation of FortiClient (macOS) by doing one of the following:
- Create a custom FortiClient (macOS) deployment package on FortiClient EMS with the FortiClient EMS IP address embedded. Send the deployment package download link to users so they can install FortiClient manually on the endpoint. Once installed, FortiClient (macOS) automatically connects to FortiClient EMS and supports future deployments from FortiClient EMS directly.
- Use a third party application to perform initial deployment of FortiClient (macOS) to endpoints. After FortiClient (macOS) is installed on endpoints and has connected FortiClient Telemetry to FortiClient EMS, you can use FortiClient EMS to replace, upgrade, and uninstall FortiClient (macOS).
Deploying FortiClient upgrades from FortiClient EMS
You can deploy a FortiClient software update from FortiClient EMS. A prompt appears on the FortiClient endpoint when a deployment package requests deployment. The prompt requests the user to do one of the following:
1. Upgrade Now: If you select this option, FortiClient performs the upgrade and automatically restarts your computer.
2. Upgrade Later: If you select this option, you can indicate the time to start the upgrade. The default is 8:00 PM. Your computer automatically restarts after the upgrade has finished.
3. No Option: If you do not select an option, the upgrade occurs by default at 8:00 PM. After FortiClient EMS uninstalls the previous version, it asks if the user wants to reboot. The prompt requests the user to do one of the following:
   a. Reboot: Select this option to have the reboot occur immediately.
   b. Reboot later: Select this option to reboot the computer later. You cannot select a specific reboot time. Use this option at your discretion.
Deploying different installer IDs to endpoints using the same deployment package
As described in Installer ID group assignment rules on page 106, you can include an installer ID in a FortiClient deployment package. After FortiClient installation, the endpoint connects to EMS and EMS groups the endpoint according to the installer ID group assignment rule. You can configure one installer ID for each deployment package. In an environment with a large number of endpoints, you may have dozens of installer IDs that you want to use to group endpoints automatically in EMS after installation. Since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID. Instead, you can create a deployment package without an installer ID in EMS, then install FortiClient on the endpoint using the CLI, providing the installer ID as one of the CLI options. You can use the same deployment package on
multiple endpoints, providing different installer IDs in the CLI depending on which group you want EMS to place the endpoint in. When these endpoints connect to EMS, EMS groups them according to the installer ID provided in the CLI.
This process consists of the following:
1. Create a deployment package in EMS. Do not configure an installer ID. See Adding a FortiClient deployment package on page 120.
2. Create installer ID group assignment rules to automatically move endpoints into the desired groups. See To add an installer ID group assignment rule: on page 108.
3. Install FortiClient on endpoints using the following CLI commands:
   .msi installer: msiexec /i forticlient.msi GROUP_TAG=<installer_ID>
   .exe installer: FortiClientSetup.exe /v"GROUP_TAG=<installer_ID>"
For example, consider that you want to deploy the same deployment package but different installer IDs for the HR, Marketing, and Office Management teams at your organization. In this scenario, you would use EMS to create a deployment package without an installer ID and an installer ID group assignment rule for each endpoint group. Then, you can install FortiClient on the HR, Marketing, and Office Management endpoints using the same deployment package and the following CLI commands, respectively:
   FortiClientSetup.exe /v"GROUP_TAG=<HR>"
   FortiClientSetup.exe /v"GROUP_TAG=<Marketing>"
   FortiClientSetup.exe /v"GROUP_TAG=<OM>"
After the endpoints connect to EMS, EMS automatically places them into groups based on their different installer IDs (HR, Marketing, and OM).
FortiClient Installer
You can create deployment packages to deploy FortiClient to endpoints. Deployment packages include the FortiClient installer, which determines the FortiClient release and patch to install on the endpoint. Deployment packages can also include a Telemetry gateway list for connection to a FortiGate.
Adding a FortiClient deployment package
After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the deployment package outside of FortiClient EMS. You can then add the edited deployment package to FortiClient EMS.
To add a deployment package:
1. Go to Deployment & Installers > FortiClient Installer.
2. Click Add.
3. On the Version tab, set the following options:
Installer Type: Use an official or custom FortiClient installer. When using a custom FortiClient installer, you can select from a list of previously uploaded installers, or upload a new custom installer. You can also remove previously created installers. To upload a new custom FortiClient installer, enter the desired name, then upload Windows (64-bit and 32-bit) and/or macOS custom installers. You can download FortiClient installers to use with FortiClient EMS from Fortinet Customer Service & Support. This requires a support account with a valid support contract. You can also download installers from FortiClient.com. Download the Windows or macOS installation file.
Release: Select the FortiClient release version to install.
Patch: Select the specific FortiClient patch version to install.
Keep updated to the latest patch: Enable EMS to repackage the EMS-created FortiClient deployment package to the latest patch release.
4. Click Next. On the General tab, set the following options:
Name: Enter the FortiClient deployment package name.
Notes: (Optional) Enter notes about the FortiClient deployment package.
5. Click Next. On the Features tab, set the following options:
Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select on page 257.
Zero Trust Telemetry: Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.
Secure Access Architecture Components: Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package. If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device. See VPN on page 164 for details on configuring a VPN tunnel.
Vulnerability Scan: Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.
Advanced Persistent Threat (APT) Components: Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.
Additional Security Features: Enable any of the following features:
- AntiVirus
- Web Filtering
- Application Firewall
- Single Sign-On mobility agent
- Cloud Based Malware Outbreak Detection. This feature is available for FortiClient 6.2.0 and later versions.
Disable to exclude features from the FortiClient deployment package.
If you enable a feature in the deployment package that is disabled in Feature Select on page 257, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.
6. Click Next. On the Advanced tab, set the following options:
Enable desktop shortcut: Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.
Enable start menu shortcut: Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.
Enable Installer ID: Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules on page 106. If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule. In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID. See Deploying different installer IDs to endpoints using the same deployment package on page 119.
Enable Endpoint Profile: Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS, or if users require VPN connection to connect to EMS.
7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which will manage FortiClient once it is installed on the endpoint.
8. Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment & Installers > FortiClient Installer pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration. The following shows an example of a deployment package that includes .exe, .msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired configuration.
If the Sign software packages option is enabled in System Settings > EMS Settings, Windows deployment packages display as being from the publisher specified in the certificate file. See Configuring EMS settings on page 244.
Viewing deployment packages
After you add FortiClient deployment packages to FortiClient EMS, you can view them on the Deployment & Installers > FortiClient Installer pane. The Deployment Packages pane displays the following information about each deployment package:
- Name of the FortiClient deployment package
- Operating system (Windows and/or macOS)
- Version of FortiClient software for each OS
- Whether Auto Update is enabled or disabled
- Location of the FortiClient deployment package on FortiClient EMS. Endpoint users can access this location to download and install FortiClient on endpoints.
Selecting a deployment package displays the following additional information:
- Enabled FortiClient features
- Configured endpoint profile
- Connection to FortiClient EMS
- Auto registration enabled/disabled
- Desktop shortcut enabled/disabled
- Start menu shortcut enabled/disabled
- Configured installer ID
- Notes included when creating the deployment package
You can also create or delete a deployment package and refresh the deployment package list.
Deleting a FortiClient deployment package
To delete a FortiClient deployment package:
1. Go to Deployment & Installers > FortiClient Installer.
2. Click the desired deployment package, then click Delete. A confirmation dialog displays.
3. Click Yes. FortiClient EMS deletes the FortiClient deployment package.
Endpoint Policy & Components
You can create endpoint policies to assign endpoint profiles and on-fabric detection rules to groups of Windows, macOS, and Linux endpoints. The Endpoint Policy & Components > Manage Policies page provides a comprehensive summary of which endpoint policies are applied to which endpoint groups.
Manage Policies
Adding an endpoint policy
To add an endpoint policy:
1. Go to Endpoint Policy & Components > Manage Policies.
2. Click Add.
3. Complete the following fields:
Endpoint Policy Name: Enter the desired name for the endpoint policy.
Endpoint Groups: Select the device and/or user group to apply the policy to. You can select a group from all imported domains and workgroups.
Users: Search for and select desired domain users to apply the policy to.
Profile: Include an endpoint profile in the policy. From the dropdown list, select the desired endpoint profile.
Profile (Off-Fabric): Include an endpoint profile in the policy to apply to the endpoint when it is off-fabric according to the on-fabric detection rules configured in this policy. For example, you may want to apply a more restrictive profile to the endpoint when it is determined to be off-fabric. From the dropdown list, select the desired endpoint profile. If including an off-fabric profile in a policy, also including on-fabric detection rules in the policy is recommended. Otherwise, EMS may not apply on-fabric and off-fabric profiles as desired.
On-Fabric Detection Rules: Select the on-fabric detection rules to include in the policy. You can select multiple rules. You must have already created on-fabric detection rules to include them in an endpoint policy. See On-fabric Detection Rules on page 131.
Comments: Enter any comments desired for the endpoint policy.
Enable the Policy: Toggle to enable or disable the endpoint policy. You can enable or disable the policy at a later time from Endpoint Policy & Components > Manage Policies.
4. Click Save. You can view the newly created policy on the Endpoint Policy & Components > Manage Policies page.
EMS pushes these settings to the endpoint with the next Telemetry communication.
Editing an endpoint policy
1. Go to Endpoint Policy & Components > Manage Policies.
2. Select the endpoint policy.
3. Click Edit.
4. Edit as desired.
5. Click Save.
Deleting an endpoint policy
1. Go to Endpoint Policy & Components > Manage Policies.
2. Click the desired endpoint policy.
3. Click Delete.
4. In the confirmation dialog, click Yes.
Enabling/disabling an endpoint policy
1. Go to Endpoint Policy & Components > Manage Policies.
2. Select or deselect the Enabled checkbox for the desired endpoint policy.
Managing endpoint policy priority levels
An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, the following factors determine which endpoint policy EMS applies to the endpoint:
1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy & Components > Manage Policies page.
2. If an endpoint is eligible for multiple enabled endpoint policies, EMS determines which policy to apply using the following order:
   a. If there is a policy directly assigned to the user (configured in the Users field for the endpoint policy), EMS assigns that policy to the endpoint.
   b. If there are policies assigned to the group container and/or user group, EMS assigns the policy with the highest priority level to the endpoint.
FortiClient EMS 7.0.1 Administration Guide
125
Fortinet Technologies Inc.
Endpoint Policy & Components
c. If there are inherited policies for group container and/or user group (policies assigned to a parent container or group), EMS assigns the policy with the highest priority level to the endpoint.
To change endpoint policy priority levels:
1. Go to Endpoint Policy & Components > Manage Policies.
2. Click Change Priority.
3. Click and hold the policy name, then drag to the desired position.
4. Click Save Priority.
In the examples, there are three endpoint policies:
Name: Seattle_general. Endpoint groups: All Groups/Seattle. Priority level: 1.
Name: SF_general. Endpoint groups: All Groups/SF. Priority level: 2.
Name: Seattle_HR. Endpoint groups: All Groups/Seattle/HR. Priority level: 3.
In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the All Groups/Seattle/HR subgroup.
In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR group.
Consider that you then make the following changes:
- Enable Seattle_general
- Move policies so that they have the following priorities:
  - SF_general: 1
  - Seattle_HR: 2
  - Seattle_general: 3
In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR. Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR is not eligible for that policy.
Editing endpoint policy view
You can select columns to display in Endpoint Policy & Components > Manage Policies. To edit endpoint policy view:
1. Go to Endpoint Policy & Components > Manage Policies.
2. Click Edit Columns.
3. Enable or disable the columns as desired.
4. Click Save.
FortiClient management based on Active Directory user/user groups
You can assign FortiClient policies based on endpoint devices in organizational units. To assign device groups, user groups, and users to a policy:
1. Go to Endpoint Policy. Create a new policy or select an existing one.
2. In the Endpoint Groups field, click Edit. In the Add Endpoint Groups dialog, select the desired device and/or user groups. Click Save.
3. In the Users field, select the desired users.
4. Click Save.
When FortiClient connects to EMS, the following occurs:
1. If a policy is assigned to the FortiClient user, EMS assigns that policy to the endpoint.
2. If there are policies for the FortiClient group container and/or user groups, EMS assigns the policy with the highest global priority.
3. If there are inherited policies for group containers and/or user groups, EMS assigns the inherited policy with the highest global priority.
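The precedence described under Managing endpoint policy priority levels and restated in the list above, replayed as an added Python example that is not part of the guide or of EMS. It treats a policy assigned to a container as also covering that container's subgroups, which is what the Seattle_general / Seattle_HR example shows, and folds the inherited-policy step into the same priority comparison; the Policy and Endpoint classes, group paths and user names are constructed.

```python
"""Added example, not Fortinet code: simulate how EMS chooses one endpoint policy.

Precedence follows the guide: disabled policies never apply; a policy assigned
directly to the user wins; otherwise, among the enabled policies whose endpoint
group is the endpoint's own container or one of its parent containers, the one
with the best priority level (1 is highest) wins. The data model, policy names
and group paths are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    name: str
    priority: int                  # level as shown under Change Priority; 1 is highest
    enabled: bool = True
    endpoint_groups: List[str] = field(default_factory=list)  # e.g. "All Groups/Seattle"
    users: List[str] = field(default_factory=list)            # users set in the Users field


@dataclass
class Endpoint:
    group: str              # container the endpoint sits in, e.g. "All Groups/Seattle/HR"
    user: str = ""          # logged-on user, if EMS knows it


def _covers(policy: Policy, group: str) -> bool:
    """True if the policy is assigned to this container or to a parent of it
    (a policy on All Groups/Seattle also covers All Groups/Seattle/HR)."""
    return any(group == g or group.startswith(g + "/") for g in policy.endpoint_groups)


def resolve_policy(endpoint: Endpoint, policies: List[Policy]) -> Optional[str]:
    """Return the name of the policy EMS would apply, or None if nothing is eligible."""
    enabled = [p for p in policies if p.enabled]          # step 1: only enabled policies count
    by_user = [p for p in enabled if endpoint.user and endpoint.user in p.users]
    if by_user:                                            # step 2a: direct user assignment wins
        return min(by_user, key=lambda p: p.priority).name
    eligible = [p for p in enabled if _covers(p, endpoint.group)]
    if eligible:                                           # steps 2b/2c: best priority wins
        return min(eligible, key=lambda p: p.priority).name
    return None


def guide_scenarios() -> tuple:
    """Replay the three Seattle/SF scenarios from the guide; returns the chosen names."""
    hr_endpoint = Endpoint(group="All Groups/Seattle/HR")
    seattle_general = Policy("Seattle_general", 1, endpoint_groups=["All Groups/Seattle"])
    sf_general = Policy("SF_general", 2, endpoint_groups=["All Groups/SF"])
    seattle_hr = Policy("Seattle_HR", 3, endpoint_groups=["All Groups/Seattle/HR"])
    policies = [seattle_general, sf_general, seattle_hr]

    # 1) all enabled: HR is eligible for Seattle_general and Seattle_HR; priority 1 wins
    first = resolve_policy(hr_endpoint, policies)
    # 2) Seattle_general disabled: only Seattle_HR remains eligible
    seattle_general.enabled = False
    second = resolve_policy(hr_endpoint, policies)
    # 3) re-enabled and reordered to SF_general 1, Seattle_HR 2, Seattle_general 3:
    #    SF_general is not eligible for HR at all, so Seattle_HR beats Seattle_general
    seattle_general.enabled = True
    sf_general.priority, seattle_hr.priority, seattle_general.priority = 1, 2, 3
    third = resolve_policy(hr_endpoint, policies)
    return first, second, third


if __name__ == "__main__":
    print(guide_scenarios())  # ('Seattle_general', 'Seattle_HR', 'Seattle_HR')
```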
In Endpoint Policy & Components > Manage Policies, you can click Edit Columns to select which columns to display.
The Manage Policies page displays a progress line that indicates each policy's FortiClient synchronization status. The Endpoint Count column shows the number of FortiClient endpoints with the policy assigned and the number of endpoints that have not been seen for the past 30 days.
Click the endpoint count to see the endpoint list.
To deploy FortiClient to endpoints with user-based management:
1. (Optional) Create a custom installer.
2. Go to System Settings > Feature Select. Select the features to globally show and hide. In 6.4.0, you no longer select available features for each deployment package.
3. Create a deployment package.
4. Create a deployment configuration.
For details on this deployment process, see the FortiClient EMS Administration Guide. In Deployment > Management Deployment, the Deployment Package column displays a progress line indicating each deployment package's deployment state.
CA Certificates
If FortiOS is connected to EMS using the EMS API, deep inspection is enabled, and the Fabric connection between FortiOS and FortiClient EMS has already been configured, EMS automatically imports the FortiOS CA certificate. You then only need to apply the certificate in the desired endpoint profile. See System Settings on page 186. In this scenario, you do not need to manually upload or import CA certificates to EMS.
If you manually delete the imported certificate from EMS, EMS does not automatically reimport the certificate from FortiOS, even when EMS and FortiOS remain connected via the Fabric connector. EMS also does not automatically delete an already imported certificate if the Fabric connection between FortiOS and EMS is removed.
If FortiOS is not sending the CA certificate to EMS, you can manually upload or import CA certificates as the following describes.
After uploading or importing a certificate, you must configure it in a profile using the Install CA Certificate on Client option to provision it to endpoints. See System Settings on page 186.
To upload a CA certificate:
You can locally upload a CA certificate.
1. Go to Endpoint Policy & Components > CA Certificates.
2. Select Upload.
3. In the Upload Local Certificate window, click Browse and locate the certificate.
4. Click Upload.
To import a CA certificate:
1. Go to Endpoint Policy & Components > CA Certificates.
2. Select Import.
3. In the Import Certificates from FortiGate window, enter the following information:
IP address/Hostname: Enter the server IP/hostname in the following format: <ip address>:<port>.
VDOM: Enter the VDOM name.
Username: Enter the username.
Password: Enter the password.
4. Click Import to import the certificate.
On-fabric Detection Rules
You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy on page 124.
When a user switches accounts between a local non-domain account and a domain account on the same machine, FortiClient EMS may not apply the correct policy to the endpoint.
On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric status as Determining on-fabric/off-fabric status on page 133 describes.
To add an on-fabric detection rule set:
1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
2. Click Add.
3. In the Name field, enter the desired name.
4. Enable or disable the rule set by toggling Enabled on or off.
5. Click Add Rule.
6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:
DHCP Server: On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/MAC Address tab, the MAC Address field is optional. The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use the FortiGate serial number as the DHCP code if desired. EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.
DNS Server: Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.
EMS Connection: The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.
Local IP/Subnet: In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button. This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.
Default Gateway: In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and the MAC address, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.
Ping Server: In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.
Public IP: In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.
Connection Media: From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.
VPN Tunnel: In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.
7. Click Add Rule.
8. Click Save.
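The rule-set semantics above (rules of different detection types must all be satisfied), as an added Python example that is not part of the guide or of FortiClient: it evaluates each detection type against a constructed snapshot of what the endpoint observes. Assumed, because the guide does not say: several entries within one rule are alternatives, an IP Range is written first-last, and a disabled rule set never yields an on-fabric match.

```python
"""Added example, not Fortinet code: evaluate an on-fabric detection rule set
against a snapshot of an endpoint's network state, using the per-type semantics
the guide lists. Rules of different detection types are AND-ed, as the guide
states. Assumptions: several entries within one rule are alternatives (any one
match satisfies that rule), an IP Range is written "first-last", and a disabled
rule set never yields an on-fabric match. Snapshots and rule values are constructed.
"""
import ipaddress
from typing import Callable, Dict


def _mac_ok(expected: str, actual: str) -> bool:
    """MAC fields are optional in the guide: an empty expected MAC matches anything."""
    return not expected or expected.lower() == actual.lower()


def _dhcp_server(rule: dict, state: dict) -> bool:
    """IP/MAC Address tab and DHCP Code tab may be configured alone or together."""
    srv = state.get("dhcp_server")
    if not srv:
        return False
    addr_ok = not rule.get("servers") or any(
        e["ip"] == srv["ip"] and _mac_ok(e.get("mac", ""), srv.get("mac", ""))
        for e in rule["servers"])
    code_ok = not rule.get("codes") or srv.get("code") in rule["codes"]
    return addr_ok and code_ok


def _local_subnet(rule: dict, state: dict) -> bool:
    """Ethernet or wireless address inside a configured range, plus optional gateway MAC."""
    gw_mac = state.get("default_gateway", {}).get("mac", "")
    for entry in rule["ranges"]:
        first, last = (ipaddress.ip_address(x.strip()) for x in entry["range"].split("-"))
        in_range = any(first <= ipaddress.ip_address(ip) <= last
                       for ip in state.get("local_ips", []))
        if in_range and _mac_ok(entry.get("gateway_mac", ""), gw_mac):
            return True
    return False


def _default_gateway(rule: dict, state: dict) -> bool:
    gw = state.get("default_gateway", {})
    return any(e["ip"] == gw.get("ip") and _mac_ok(e.get("mac", ""), gw.get("mac", ""))
               for e in rule["gateways"])


# One evaluator per detection type from the guide; r is the rule, s the endpoint state.
EVALUATORS: Dict[str, Callable[[dict, dict], bool]] = {
    "DHCP Server": _dhcp_server,
    "DNS Server": lambda r, s: any(ip in s.get("dns_servers", []) for ip in r["ips"]),
    "EMS Connection": lambda r, s: bool(s.get("ems_online")),
    "Local IP/Subnet": _local_subnet,
    "Default Gateway": _default_gateway,
    "Ping Server": lambda r, s: any(ip in s.get("reachable", ()) for ip in r["ips"]),
    "Public IP": lambda r, s: s.get("public_ip") in r["ips"],
    # every configured medium ("ethernet", "wifi") must match Connected / Not Connected
    "Connection Media": lambda r, s: all((want == "Connected") == bool(s.get(m + "_connected"))
                                         for m, want in r["media"].items()),
    "VPN Tunnel": lambda r, s: any(n in s.get("vpn_tunnels", []) for n in r["names"]),
}


def evaluate_rule_set(rule_set: dict, state: dict) -> bool:
    """True (endpoint is on-fabric by this rule set) only if the set is enabled
    and every configured rule, whatever its detection type, is satisfied."""
    if not rule_set.get("enabled", True):
        return False
    return all(EVALUATORS[r["type"]](r, state) for r in rule_set["rules"])


# Constructed rule set: on the HQ LAN, addressed by the HQ DHCP server that
# advertises the expected DHCP code (option 224), and currently online with EMS.
HQ_RULE_SET = {
    "name": "HQ-LAN", "enabled": True,
    "rules": [
        {"type": "DHCP Server", "servers": [{"ip": "10.1.0.2"}], "codes": ["HQ-FGT-CODE"]},
        {"type": "Local IP/Subnet",
         "ranges": [{"range": "10.1.0.10-10.1.0.250", "gateway_mac": "00:09:0f:aa:bb:cc"}]},
        {"type": "EMS Connection"},
    ],
}

# Constructed endpoint snapshots, as FortiClient would observe them.
ON_SITE = {
    "dhcp_server": {"ip": "10.1.0.2", "mac": "00:09:0f:11:22:33", "code": "HQ-FGT-CODE"},
    "local_ips": ["10.1.0.57"],
    "default_gateway": {"ip": "10.1.0.1", "mac": "00:09:0F:AA:BB:CC"},
    "ems_online": True,
}
# Same laptop on a home network: EMS is still reachable over the internet, but the
# DHCP and subnet rules fail, so the AND across rules leaves the endpoint off-fabric.
REMOTE = {
    "dhcp_server": {"ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01", "code": ""},
    "local_ips": ["192.168.1.23"],
    "default_gateway": {"ip": "192.168.1.1", "mac": "de:ad:be:ef:00:01"},
    "ems_online": True,
}
```

Calling evaluate_rule_set(HQ_RULE_SET, ON_SITE) returns True and evaluate_rule_set(HQ_RULE_SET, REMOTE) returns False; a rule set containing only an EMS Connection rule would mark the remote endpoint on-fabric, which is why that type is usually combined with a network rule.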
To edit an on-fabric detection rule set:
1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
2. Select the rule set.
3. Click Edit.
4. Edit as desired.
5. Click Save.
To delete an on-fabric detection rule set:
1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
2. Click the desired rule set.
3. Click Delete.
4. In the confirmation dialog, click Yes.
To delete an on-fabric detection rule from a rule set:
1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
2. Click the desired rule set.
3. Under Rules, select the desired rule.
4. Click Delete Rule.
5. Click Save.
To enable/disable an on-fabric detection rule:
1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
2. Select or deselect the Enabled checkbox for the desired rule set.
Determining on-fabric/off-fabric status
This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.
There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:
- DHCP on-fabric/off-fabric
- On-fabric detection rules configured for the endpoint's assigned policy
The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-fabric with that FortiGate.
- DHCP on-fabric/off-fabric: Disabled. On-fabric detection rules: Not configured. Option 224 serial number: N/A. Resulting endpoint status: Endpoint is on-fabric when registered to EMS.
- DHCP on-fabric/off-fabric: Enabled. On-fabric detection rules: Not configured. Option 224 serial number: Not configured. Resulting endpoint status: Endpoint is off-fabric when registered to EMS.
- DHCP on-fabric/off-fabric: Enabled. On-fabric detection rules: Not configured. Option 224 serial number: Configured. Resulting endpoint status: On-fabric. Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-fabric with that FortiGate.
- DHCP on-fabric/off-fabric: N/A. On-fabric detection rules: Enabled, with subnet configured. Endpoint IP address is in the configured subnet. Option 224 serial number: N/A. Resulting endpoint status: On-fabric. The endpoint is inside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.
- DHCP on-fabric/off-fabric: N/A. On-fabric detection rules: Enabled, with subnet configured. Endpoint IP address is not in the configured subnet. Option 224 serial number: N/A. Resulting endpoint status: Off-fabric. The endpoint is outside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.
An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-fabric networks.
An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy.
Chromebook Policy
You can create Chromebook policies to assign endpoint profiles to domains of Chromebook endpoints. The Chromebook Policy > Manage Chromebook Policies page provides a comprehensive summary of which policies are applied to which groups within the Google domain. This option is only available if you enable the EMS for Chromebooks Settings option in System Settings > EMS Settings. Chromebook policies function identically to Windows, macOS, and Linux endpoint policies except that you apply them to Chromebook endpoints and can only include a Chromebook profile. For details on configuring a Chromebook policy, refer to the equivalent sections in Endpoint Policy & Components on page 124.
Endpoint Profiles
You can use the default endpoint profile or create endpoint profiles for many configurations and situations. You can also import FortiOS and FortiManager Web Filter profiles to EMS.
Editing a default profile
You can edit the default profile to add or remove settings. You can revert to default settings by clicking Revert to Default.
To edit a default profile:
1. Do one of the following:
a. To edit the default profile for Windows, macOS, and Linux endpoints, go to Endpoint Profiles > Local Profiles, and click the Default profile.
b. To edit the default profile for Chromebooks, go to Endpoint Profiles > Local Chromebook Profiles, and click the Default - Chromebooks profile.
2. Configure the settings on the tabs.
3. Click Save to save the profile.
Creating a profile to configure FortiClient
This section describes how to create a profile that excludes any installation or uninstallation of FortiClient software on endpoints. You can use this profile type to configure FortiClient software on endpoints.
To create a profile to configure FortiClient:
1. Go to Endpoint Profiles > Manage Profiles, and click the Add button. To create a Chromebook profile, click Add Chrome.
2. In the Profile Name field, enter the profile name.
3. Configure the settings on the remaining tabs.
4. Click Save to save the profile.
Adding a new Chromebook profile
When you install FortiClient EMS, a default profile is created. EMS applies this profile to any Google domains you add to FortiClient EMS.
Adding Yandex search engine to the blocklist in the profile is recommended.
To add a new profile:
1. Go to Endpoint Profiles > Manage Profiles, and click the Add Chrome button.
2. In the Profile Name field, enter the profile name.
3. On the Web Filter tab, enable Web Filter, and set the web filtering options.
4. On the System Settings tab, set the logging options.
5. Click Save.
Viewing profiles
When you create endpoint profiles, they are listed under Endpoint Profiles in the left pane. You can view endpoint profiles and their settings. To view profiles:
1. Go to Endpoint Profiles > Manage Profiles. The content pane displays the list of profiles.
2. Click a profile name, then click Edit. The settings display in the content pane.
Managing profiles
You can manage profiles from the Endpoint Profiles pane.
Editing a profile
When you edit a profile that is assigned to endpoints or domains as part of an endpoint policy, FortiClient EMS automatically pushes the changes to the endpoints or Chromebooks with the next Telemetry communication after you save the profile. To edit a profile:
1. Go to Endpoint Profiles, and select a profile.
2. Click Edit. The profile settings display in the content pane.
3. Edit the settings.
4. Click Save.
Cloning a profile
To clone a profile:
1. Go to Endpoint Profiles > Manage Profiles.
2. Select a profile, and click the Clone button. The cloned profile displays in the content pane.
3. In the Profile Name field, enter a name for the profile.
4. Configure the settings on the tabs.
5. Click Save.
Syncing profile changes
For profiles imported from FortiGate or FortiManager, you can manually sync profiles so that they are updated with the latest changes from the FortiGate or FortiManager that you imported them from.
1. Go to Endpoint Profiles > Import from FortiGate / FortiManager.
2. Select the desired profile.
3. Click Sync Now.
Editing sync schedules
For profiles imported from FortiGate or FortiManager, you can edit the sync schedule.
1. Go to Endpoint Profiles > Manage Profiles.
2. Select the desired profile.
3. Click Edit Sync Schedule.
4. In the Synchronization Settings window, configure the following options:
a. One Time Pull: If selected, FortiClient EMS does not automatically sync profile changes from the FortiGate or FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes on page 138.
b. Group Schedule: Select to configure a group synchronization schedule for all selected profiles. Select the next date and time to automatically update the profiles, and the profile update interval in days, hours, or seconds.
c. Individual Schedule: Select to configure an individual synchronization schedule for each selected profile. Select the next date and time to automatically update each profile, and the profile update interval in days, hours, or seconds.
Deleting profiles
You cannot delete the default profiles.
1. Go to Endpoint Profiles > Manage Profiles.
2. Click the desired profile, then click the Delete button. A popup displays.
3. Click Yes. EMS deletes the profile.
Profile Name
Option
Description
Profile Name
Enter the profile name.
Basic
Select to display basic configuration options.
Advanced
Select to configure the profile using XML on the XML Configuration tab. Displays advanced options for configuration. This option is only available for Windows, macOS, and Linux profiles.
Malware Protection
The Malware Protection tab contains options for configuring AV, anti-ransomware, anti-exploit, cloud-based malware detection, removable media access, exclusions list, and other options. Some options only display if you enable Advanced view.
Only features that FortiClient EMS is licensed for are available for configuration. For example, if you have only applied the ZTNA license, you can only enable and configure the Removable Media Access section. See Windows, macOS, and Linux endpoint licenses on page 22 for details on which features each license type includes.
Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
AntiVirus Protection
Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.
Options
Description
General
These settings apply to all AV protection.
Block Known Communication Channels Used by Attackers
Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.
Block Access to Malicious Websites
Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.
If you are syncing the profile's Web Filter settings from a Web Filter profile imported from FortiOS or FortiManager, you cannot configure actions for the security risk site categories in EMS. EMS synchronizes these settings from the FortiOS or FortiManager Web Filter profile. See Web Filter on page 151.
Security Risk
Configure an action for the security risk site category by selecting one of the following:
- Block
- Warn
- Allow
- Monitor
You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:
- Dynamic DNS
- Malicious Websites
- Newly Observed Domain
- Newly Registered Domain
- Phishing
- Spam URLs
Use the Exclusion List Defined in the Web Filter Profile
If you enable this option, EMS uses the exclusion list on the Web Filter tab. If you disable this option, you must define exclusions under Exclusions.
Delete Malware Files After
Enter the number of days after which to delete malware files from the client.
Real-Time Protection
Enable real-time protection (RTP).
Action On Virus Discovery
- Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
- Deny Access to Infected Files
- Ignore Infected Files
Alert When Viruses Are Detected
Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.
Identify Malware and Exploits Using Signatures Received from FortiSandbox
Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.
Scan Compressed Files
Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.
Max Size
Only scan files under the specified size. To allow scanning compressed files of any size, enter 0.
Scan Files Accessed by User Process
Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:
- Scan Files When Processes Read or Write Them
- Scan Files When Processes Read Them
- Scan Files When Processes Write Them
Scan Network Files
Scan network files for threats when a user-initiated process accesses them.
System Process Scanning
Enable system process scanning. Select one of the following:
- Scan Files When System Processes Read or Write Them
- Scan Files When System Processes Read Them
- Scan Files When System Processes Write Them
- Do Not Scan Files When System Processes Read or Write Them
Enable Windows Antimalware Scan Interface
Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:
- User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and script.exe)
- JavaScript and VBScript
- Office VBA macros
Enable Machine Learning Analysis
Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.
From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
- Log detection and warn the User: detect the sample, display a warning message, and log the activity.
- Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
On Demand Scanning
Action On Virus Discovery
Select one of the following from the dropdown list:
- Warn the User If a Process Attempts to Access Infected Files
- Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
- Ignore Infected Files
Integrate FortiClient into Windows Explorer's Context Menu
Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.
Hide AV Scan from Windows Explorer's Context Menu
Hide AV scan option from Windows Explorer's context menu.
Hide AV Analyse from Windows Explorer's Context Menu
Hide option to submit file for AV analysis from Windows Explorer's context menu.
Pause Scanning When Running on Battery Power
Pause scanning when the computer is running on battery power.
Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console
Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.
Options
Description
Automatically Submit Suspicious Files to FortiGuard for Analysis
Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.
Scan Compressed Files
Scan archive files, including zip, rar, and tar files, for threats.
Max Size
Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0.
Max Scan Speed on Computers With
Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with a minimum amount of memory:
- 4 GB
- 6 GB
- 8 GB
- 12 GB
- 16 GB
Enable Machine Learning Analysis
Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats. From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
- Log detection and warn the User: detect the sample, display a warning message, and log the activity.
- Quarantine Infected Files: quarantine infected files. You can view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
Scheduled Scan
Enable scheduled scans.
Schedule Type
Select Daily, Weekly, or Monthly.
Scan On
If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.
Start At
Configure the start time for the scheduled scan.
Scan Type
Select one of the following:
- Quick: Runs the rootkit detection engine to detect and remove rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
- Full: Runs the rootkit detection engine to detect and remove rootkits, then performs a full system scan of all files, executable files, DLLs, and drivers.
- Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.
Scan Priority
Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.
Scan Removable Media
Scan connected removable media, such as USB drives, for threats, if present.
Scan Network Drives
Scan attached or mounted network drives for threats.
Enable Scheduled Scans Even When a Third-Party AV Product Is Present
Enable scheduled scans even when a third-party AV product is present.
Anti-Ransomware
Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes.
Options
Description
Protected Folders
Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it then click the Remove Folder button.
Protected File Types
Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, you would enter txt, as opposed to .txt.
Action
When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process:
- If the user selects Yes, FortiClient terminates the suspicious process.
- If the user selects No, FortiClient allows the process to continue.
- If the user does not select an option, FortiClient waits for the configured action timeout, then does one of the following, as configured:
  - Block access and warn user if suspicious activity is detected: FortiClient terminates the suspicious process.
  - Warn user and resume after the timeout: FortiClient allows the process to continue.
Action Timeout
Enter the desired timeout value.
Bypass Valid Signer
Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer.
Anti-Exploit
Enable anti-exploit engine to detect suspicious processes (payload) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.
Cloud-Based Malware Detection
Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:
1. A high risk file is downloaded or executed on the endpoint.
2. FortiClient generates a SHA1 checksum for the file.
3. FortiClient sends the checksum to FortiGuard, which checks it against the FortiGuard checksum library to determine if it is malicious.
4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.
This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default.
Options
Description
Server
Wait for Cloudscan Results before Allowing File Access
Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There is No Cloudscan Result
Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.
File Submission Options
All Files Executed from Removable Media
Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives
Submit all files executed from mapped network drives.
All Web Downloads
Submit all web downloads.
All Email Downloads
Submit all email downloads.
Exclude Files from Trusted Sources
Exclude files signed by trusted sources from cloud-based malware protection submission.
Remediation Actions
Action
Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on if FortiGuard reports the file as malicious.
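The decision flow described above, as an added example that is not part of this guide or of FortiClient's own code: it submits only high-risk file types, hashes the file with SHA1, looks the checksum up in a constructed stand-in for the FortiGuard library, and applies the wait and deny settings when no result comes back. The library contents, file names, latency values and function names are assumptions.

```python
"""Cloud-based malware detection decision flow (added example, not Fortinet code).
The checksum library, file names and latency values below are constructed."""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

# Subset of the high-risk file types the guide says are submitted to FortiGuard.
HIGH_RISK_TYPES = {"exe", "doc", "pdf", "dll"}

# Constructed stand-in for the FortiGuard checksum library (SHA1 hex digests of known-bad files).
KNOWN_MALICIOUS_SHA1 = {hashlib.sha1(b"constructed malicious sample").hexdigest()}


@dataclass
class CloudScanPolicy:
    wait_seconds: int = 30            # Wait for Cloudscan Results before Allowing File Access (timeout)
    deny_when_no_result: bool = True  # Deny Access to File When There Is No Cloudscan Result
    action: str = "Quarantine"        # Remediation action: "Quarantine" or "Alert & Notify"


def is_high_risk(filename: str) -> bool:
    """Only high-risk types are submitted; the type is compared without its leading dot."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in HIGH_RISK_TYPES


def sha1_of(data: bytes) -> str:
    """Step 2: FortiClient hashes the file and sends only the checksum, not the file."""
    return hashlib.sha1(data).hexdigest()


def query_fortiguard(checksum: str, reachable: bool) -> Optional[bool]:
    """Step 3 (constructed): True = in the malicious library, False = not found, None = no result."""
    if not reachable:
        return None
    return checksum in KNOWN_MALICIOUS_SHA1


def decide(filename: str, data: bytes, policy: CloudScanPolicy,
           fortiguard_reachable: bool = True, response_seconds: float = 0.0) -> str:
    """Outcome for a downloaded or executed file: 'allow', 'deny', 'quarantine' or 'alert'."""
    if not is_high_risk(filename):
        return "allow"  # not a submitted file type, so no cloud lookup takes place
    verdict = query_fortiguard(sha1_of(data), fortiguard_reachable)
    if verdict is None or response_seconds > policy.wait_seconds:
        # No cloudscan result within the wait timeout: the deny setting decides access.
        return "deny" if policy.deny_when_no_result else "allow"
    if verdict:
        # Step 4: FortiGuard reports the file as malware; apply the configured remediation.
        return "quarantine" if policy.action == "Quarantine" else "alert"
    return "allow"
```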
Removable Media Access
Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.
For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview
Options
Description
Show bubble notifications
Display a bubble notification when FortiClient takes action with a removable media device.
Action
Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that match this rule.
- Block: Block access to removable media devices connected to the endpoint that match this rule.
- Monitor: Log removable media device connections to the endpoint that match this rule.
Description
Enter the desired rule description.
Type
Select Simple or Regular Expression for the rule type.
When Simple is selected, FortiClient performs case-insensitive matching against classes, manufacturers, vendor IDs, product IDs, and revisions.
When Regular Expression is selected, FortiClient uses Perl Compatible Regular Expressions (PCRE) to perform matching against classes, manufacturers, vendor IDs, product IDs, and revisions.
Class
Enter the device class.
Manufacturer
Enter the device manufacturer.
Vendor ID
Enter the device vendor ID.
Product ID
Enter the device product ID.
Revision
Enter the device revision number.
Remove this rule
Remove this rule from the profile.
Add a new rule
Add a new removable media access rule.
Move this rule up/down
Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the rule that is highest in the list to the device.
Default removable media access
Configure the action to take with removable media devices that do not match any configured rules. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that do not match any configured rules.
- Block: Block access to removable media devices connected to the endpoint that do not match any configured rules.
- Monitor: Log removable media device connections to the endpoint that do not match any configured rules.
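Rule evaluation for removable media access, as an added example that is not FortiClient's code: Simple rules compare each attribute case-insensitively, Regular Expression rules match a pattern (Python's re stands in for PCRE), the first matching rule in list order wins, and the default action applies when nothing matches. The devices, rules and the treatment of an empty rule attribute as unconstrained are assumptions.

```python
"""Removable media access rule evaluation (added example, not FortiClient code).
Devices and rules are constructed; Python's re stands in for PCRE."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# The five device attributes a rule can match, as found in Device Manager or USBDeview.
FIELDS = ("device_class", "manufacturer", "vendor_id", "product_id", "revision")


@dataclass
class Device:
    device_class: str
    manufacturer: str
    vendor_id: str
    product_id: str
    revision: str


@dataclass
class Rule:
    action: str                       # "Allow", "Block" or "Monitor"
    rule_type: str = "Simple"         # "Simple" or "Regular Expression"
    match: Dict[str, str] = field(default_factory=dict)  # attribute -> value or pattern
    description: str = ""


def field_matches(rule: Rule, name: str, value: str) -> bool:
    pattern = rule.match.get(name)
    if not pattern:
        return True  # assumption: an attribute left empty in the rule is not constrained
    if rule.rule_type == "Simple":
        return pattern.lower() == value.lower()  # Simple: case-insensitive comparison
    # Regular Expression: the pattern must match the whole attribute value.
    return re.fullmatch(pattern, value) is not None


def evaluate(device: Device, rules: List[Rule], default_action: str) -> str:
    """Rules are ordered top to bottom; the first (highest) rule matching every
    constrained attribute wins. Devices matching no rule get the default action."""
    for rule in rules:
        if all(field_matches(rule, name, getattr(device, name)) for name in FIELDS):
            return rule.action
    return default_action


# Constructed rule list: a corporate key is allowed, one vendor's devices are only logged,
# every other USB-class device is blocked, and anything else falls through to the default.
RULES = [
    Rule("Allow", "Simple", {"vendor_id": "1234", "product_id": "5678"}, "Corporate USB key"),
    Rule("Monitor", "Regular Expression", {"manufacturer": r"Acme.*"}, "Acme devices: log only"),
    Rule("Block", "Simple", {"device_class": "USB"}, "All other USB devices"),
]
```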
Exclusions
Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are not supported. Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.
Exclusion lists are case-sensitive.
When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).
Options
Description
Paths to Excluded Folders
Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.
Paths to Excluded Files
Enter fully qualified excluded files in the provided text box to exclude these files from RTP and on-demand scanning.
File Extensions Excluded from Real-Time Protection
RTP skips scanning files with the specified extensions.
File Extensions Excluded from On Demand Scanning
On-demand AV protection skips scanning files with the specified extensions.
Other
Options
Description
Scan for Rootkits
Scan for files implementing advanced OS hooks used by malware to protect themselves from being shut down, killed, or deleted. A rootkit is a collection of programs that enable administrator-level access to a computer or computer network. Typically, a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.
Scan for Adware
Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.
Scan for Riskware
Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, present a possible but not definite risk to the computer.
Enable Advanced Heuristics
Enable AV scanning with heuristic signatures. Advanced heuristics is a sequence of heuristics to detect complex malware.
Scan Removable Media on Insertion
Scan removable media (CDs, DVDs, Blu-ray disks, USB keys, etc.) on insertion.
Scan Email
Scan emails for threats with SMTP and POP3 protocols.
Scan MIME Files (Inbox Files)
Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types. MIME is an Internet standard that extends the format of the email to support the following:
- Text in character sets other than ASCII
- Non text attachments (audio, video, images, applications)
- Message bodies with multiple parts
Enable FortiGuard Analytics
Automatically send suspicious files to FortiGuard for analysis.
Notify Logged in Users if Their AV Signatures Expired
Notify logged in users if their AV signatures expired.
Sandbox Detection
Enable Sandbox Detection. Some options only display if you enable Advanced view.
Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiClient Cloud Sandbox options are unavailable. See Windows, macOS, and Linux endpoint licenses on page 22 for details on which features each license type includes.
This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.
Configure the following options:
Options
Description
Sandbox Detection
Enable Sandbox Detection. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
Server
Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiClient Cloud Sandbox. FortiClient Cloud Sandbox offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiClient Cloud Sandbox does not offer the full range of features that a FortiSandbox appliance offers. See FortiClient Cloud Sandbox documentation.
FortiSandbox
IP address/Hostname
For a FortiSandbox appliance, enter the FortiSandbox's IP address, FQDN, or hostname. Although the IP address/Hostname field is only available when Appliance is selected, you can also configure this option for FortiClient Cloud Sandbox. Enter the FortiClient Cloud Sandbox FQDN and account ID in the Account ID field. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available when Appliance is selected.
Account ID
Optional. Enter the FortiClient Cloud Sandbox account ID. You should only use this option when configuring a FortiClient Cloud Sandbox using the FQDN.
Username
Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 96.
Password
Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 96.
Options
Description
Region
FortiClient Cloud Sandbox region. See Configuring FortiGuard Services settings on page 249.
Time Offset
FortiClient Cloud Sandbox time offset. See Configuring FortiGuard Services settings on page 249.
License Status
Displays the Sandbox Cloud license status. Using FortiClient Cloud Sandbox requires an additional license. See FortiClient EMS on page 21.
Inspection Mode
Select one of the following:
- None: FortiClient does not send any files to FortiSandbox for inspection.
- High-Risk Files: FortiClient inspects all supported high-risk files and sends to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, exe, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, mac, iso, elf, arj
- All Supported Extensions: FortiClient inspects all supported file extensions and sends to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.
Excluded File Extensions
Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.
Wait for FortiSandbox Results before Allowing File Access
Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There Is No Sandbox Result
Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.
File Submission Options
All Files Executed from Removable Media
Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives
Submit all files executed from mapped network drives.
All Web Downloads
Submit all web downloads.
All Email Downloads
Submit all email downloads.
Remediation Actions
Action
Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting.
Options
Description
FortiSandbox Detection Verdict Level
Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).
Exceptions
Exclude Files from Trusted Sources
Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources trusted by FortiSandbox:
- Microsoft
- Fortinet
- Mozilla
- Windows
- Google
- Skype
- Apple
- Yahoo!
- Intel
Exclude Specified Folders/Files
Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.
Inclusions
Include Specified Folders/Files
Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.
Other
Hide Sandbox Scan from Windows Explorer's Context Menu
Hide Sandbox scan option from Windows Explorer's right-click context menu.
Notification Type
Select the desired notification type to display to end users when FortiClient Cloud Sandbox detects an infected file.
In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.
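Submission gating and verdict handling for Sandbox Detection, as an added example that is not Fortinet code: should_submit applies Inspection Mode, Excluded File Extensions, the trusted-source list and the exclusion and inclusion lists, and remediate applies the Action only when the verdict is at or above the configured FortiSandbox Detection Verdict Level. The paths and signers are constructed, and the precedence assumed here (exclusions checked before inclusions, included folders submitted regardless of extension) is not stated by the guide.

```python
"""Sandbox Detection submission gating and verdict handling (added example, not Fortinet
code). Paths and signers are constructed; the precedence between exclusion and inclusion
lists is an assumption, as the guide does not state it."""
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Verdict levels from lowest to highest, as listed under FortiSandbox Detection Verdict Level.
VERDICT_ORDER = ["Clean", "Low Risk", "Medium", "High", "Malicious"]

# High-risk file types from the Inspection Mode description (the page's duplicates collapsed).
HIGH_RISK = {"exe", "bat", "vbs", "js", "htm", "gz", "rar", "tar", "lzh", "upx", "zip", "cab",
             "bz2", "7z", "pdf", "xz", "swf", "rtf", "dll", "doc", "xls", "ppt", "docx", "xlsx",
             "pptx", "thmx", "apk", "lnk", "kgb", "z", "ace", "jar", "msi", "mime", "mac", "dmg",
             "iso", "elf", "arj"}

# Sources trusted by FortiSandbox, from the Exclude Files from Trusted Sources description.
TRUSTED_SOURCES = {"Microsoft", "Fortinet", "Mozilla", "Windows", "Google", "Skype",
                   "Apple", "Yahoo!", "Intel"}


@dataclass
class SandboxSettings:
    inspection_mode: str = "High-Risk Files"   # "None", "High-Risk Files", "All Supported Extensions"
    excluded_extensions: Set[str] = field(default_factory=set)
    exclude_trusted_sources: bool = True
    excluded_folders: List[str] = field(default_factory=list)
    included_folders: List[str] = field(default_factory=list)
    action: str = "Quarantine"                 # or "Alert & Notify"
    verdict_level: str = "Medium"              # FortiSandbox Detection Verdict Level


def _under(path: str, folders: List[str]) -> bool:
    """Case-insensitive prefix test; Windows paths are compared as plain strings."""
    return any(path.lower().startswith(folder.lower()) for folder in folders)


def should_submit(path: str, signer: Optional[str], s: SandboxSettings) -> bool:
    """Decide whether FortiClient would send this file to FortiSandbox."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if s.inspection_mode == "None":
        return False
    if ext in s.excluded_extensions:
        return False
    if s.exclude_trusted_sources and signer in TRUSTED_SOURCES:
        return False
    if _under(path, s.excluded_folders):
        return False
    if _under(path, s.included_folders):
        return True  # assumption: included folders are submitted regardless of extension
    if s.inspection_mode == "High-Risk Files":
        return ext in HIGH_RISK
    return True  # All Supported Extensions (FortiSandbox appliance only)


def remediate(verdict: str, s: SandboxSettings) -> str:
    """Apply the Action only when the verdict is at or above the configured level."""
    if VERDICT_ORDER.index(verdict) >= VERDICT_ORDER.index(s.verdict_level):
        return "quarantine" if s.action == "Quarantine" else "alert"
    return "allow"
```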
Web Filter
For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.
FortiClient can block webpages outside of web filtering. This includes:
- Malware Protection. See Malware Protection on page 140.
- Block Access to Malicious Websites
- Block Known Communication Channels Used by Attackers
- Application Firewall: If the webpage matches a given signature where the action is set to block. See Application Firewall on page 163.
Webpage blocks generate an entry in the local FortiClient logs. If a website block cause is unclear, review the logs.
Configuration
Description
Web Filter
Enable web filtering. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
Sync web filter profile from FortiGate / FortiManager in the fabric
From the dropdown list, select the desired FortiOS or FortiManager Web Filter profile. When this option is enabled, you cannot modify the profile's Web Filter settings in EMS. Instead, EMS synchronizes Web Filter settings for this profile from the configured FortiGate or FortiManager depending on the synchronization schedule configured in Importing a Web Filter profile from FortiOS or FortiManager on page 158. You can still modify the profile's settings for other features, such as VPN or AV, from EMS. This option is only available if you have previously imported a Web Filter profile from FortiOS or FortiManager. See Importing a Web Filter profile from FortiOS or FortiManager on page 158.
General
Enable WebFiltering on FortiClient
Select Always On to enable client web filtering when on-fabric. Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-Fabric. See Onfabric Detection Rules on page 131. This setting affects the Block Access to Malicious Websites setting in Malware Protection on page 140.
Log All URLs
Log all URLs. When this setting is disabled, FortiClient EMS only logs URLs as specified by per-category or per-URL settings.
Log User Initiated Traffic
Log only user-initiated traffic.
Action On HTTPS Site Blocking
- Display In-Browser Message
- Fail Connection & Show Bubble Notification
- Fail Connection
Configuration
Description
Enable Web Browser Plugin for HTTPS Web Filtering
Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.
Sync Mode
When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.
Check User Initiated Traffic Only
Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.
Enable Safe Search
For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engines, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS. For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.
Site Categories
Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient. See the FortiGuard website for descriptions of the available categories and subcategories. For all categories, you can configure an action for the entire site category by selecting one of the following:
- Block
- Warn
- Allow
- Monitor
You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.
Adult/Mature Content
- Abortion
- Advocacy Organizations
- Alcohol
- Alternative Beliefs
- Dating
- Gambling
- Lingerie and Swimsuit
- Marijuana
- Nudity and Risque
- Other Adult Materials
- Pornography
- Sex Education
- Sports Hunting and War Games
- Tobacco
- Weapons (Sales)
Bandwidth Consuming
- File Sharing and Storage
- Freeware and Software Downloads
- Internet Radio and TV
- Internet Telephony
- Peer-to-peer File Sharing
- Streaming Media and Download
General Interest-Business
- Armed Forces
- Business
- Charitable Organizations
- Finance and Banking
- General Organizations
- Government and Legal Organizations
- Information Technology
- Information and Computer Security
- Online Meeting
- Remote Access
- Search Engines and Portals
- Secure Websites
- Web Analytics
- Web Hosting
- Web-based Applications
General Interest-Personal
- Advertising
- Arts and Culture
- Auction
- Brokerage and Trading
- Child Education
- Content Servers
- Digital Postcards
- Domain Parking
- Dynamic Content
- Education
- Entertainment
- Folklore
- Games
- Global Religion
- Health and Wellness
- Instant Messaging
- Job Search
- Meaningless Content
- Medicine
- News and Media
- Newsgroups and Message Boards
- Personal Privacy
- Personal Vehicles
- Personal Websites and Blogs
- Political Organizations
- Real Estate
- Reference
- Restaurant and Dining
- Shopping
- Social Networking
- Society and Lifestyles
- Sports
- Travel
- Web Chat
- Web-based Email
Potentially Liable
- Child Abuse
- Discrimination
- Drug Abuse
- Explicit Violence
- Extremist Groups
- Hacking
- Illegal or Unethical
- Plagiarism
- Proxy Avoidance
Security Risk
- Dynamic DNS
- Malicious Websites
- Newly Observed Domain
- Newly Registered Domain
- Phishing
- Spam URLs
Unrated
Rate IP Addresses
Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter. If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces: the higher weighted category takes precedence. This has the side effect that sometimes the action is determined by the classification based on the domain name and other times by the classification based on the IP address. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed. For example, if a URL's rating based on the domain name places it in the Lingerie and Swimsuit category, which is allowed, but the category assigned to its IP address is Pornography, which has an action of Block, the effective action is Block because the Pornography category has a higher weight.
Use HTTPS Rating Server
By default, Web Filter sends URL rating requests to the FortiGuard rating server via UDP. You can instead enable Web Filter to send the requests via TCP.
Configuration
Description
Allow websites when rating error occurs
Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:
- Block: Deny access to any websites. This may prevent endpoints from accessing captive portals.
- Warn: Display in-browser warning to user, with an option to proceed to the website
- Allow: Allow full, unfiltered access to all websites
- Monitor: Log the site access
FortiGuard Server Location
Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for URL ratings. The URLs connected to for each server location are as follows:
- FortiGuard:
  - Global: fgd1.fortigate.com
  - U.S.: usfgd1.fortigate.com
- FortiGuard Anycast:
  - Global: fctguard.fortinet.net
  - U.S.: fctusguard.fortinet.net
  - Europe: fcteuguard.fortinet.net
Server
Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.
Keyword Scanning on Search Engine
Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.
Banned Word Search
Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:
- Violence/Terrorism
- Extremist
- Pornography
- Cyber Bullying
- Self Harm
Custom Banned Words
Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On. You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.
The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.
Exclusion List
Action
Select one of the following actions:
- Allow
- Block
- Monitor
URL
Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.
Referrer/Host
Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name. If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action. If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.
Type
Select one of the following types:
- Simple
- Wildcard
- Regular Expression
You can use wildcard characters and Perl Compatible Regular Expressions (PCRE). This field only applies to the value in the URL field and does not apply to the value in the Referrer/Host field.
Move this rule up/Move this rule down
Move the exclusion rule up/down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.
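The exclusion list semantics above as an added example that is not EMS code: the first applicable rule wins, Type applies only to the URL field, a domain-only entry matches any page on that domain, and a Referrer/Host entry makes the rule match only when the page is reached through that referrer. The rules, URLs and the exact-host reading of domain-only entries are assumptions; Python's fnmatch and re stand in for FortiClient's wildcard syntax and PCRE.

```python
"""Web Filter exclusion list evaluation (added example, not EMS code). Rules and
requests are constructed; Python's fnmatch and re stand in for FortiClient's
wildcard syntax and PCRE."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class ExclusionRule:
    action: str                      # "Allow", "Block" or "Monitor"
    url: str                         # full URL or domain name only
    rule_type: str = "Simple"        # "Simple", "Wildcard" or "Regular Expression"; URL field only
    referrer: Optional[str] = None   # full URL or domain; rule matches only via this referrer


def _host(value: str) -> str:
    """Host part of a full URL, or the value itself when it is already just a domain."""
    return (urlsplit(value).hostname or "") if "://" in value else value.lower()


def _url_matches(rule: ExclusionRule, requested: str) -> bool:
    if rule.rule_type == "Simple":
        if "://" in rule.url:
            return rule.url.lower() == requested.lower()   # full URL entry: exact match
        return _host(requested) == rule.url.lower()        # domain entry: any page on that host (assumed exact host)
    if rule.rule_type == "Wildcard":
        return fnmatch.fnmatchcase(requested.lower(), rule.url.lower())
    return re.search(rule.url, requested) is not None     # Regular Expression


def _referrer_matches(rule: ExclusionRule, referrer: Optional[str]) -> bool:
    """Referrer/Host is always compared literally; the rule's Type does not apply to it."""
    if rule.referrer is None:
        return True                 # no referrer condition on this rule
    if referrer is None:
        return False                # visited directly: the rule does not apply
    if "://" in rule.referrer:
        return rule.referrer.lower() == referrer.lower()
    return _host(referrer) == rule.referrer.lower()


def evaluate(rules: List[ExclusionRule], requested_url: str,
             referrer: Optional[str] = None) -> Optional[str]:
    """First applicable rule wins. None means no exclusion rule matched, so the
    category rating decides instead."""
    for rule in rules:
        if _url_matches(rule, requested_url) and _referrer_matches(rule, referrer):
            return rule.action
    return None


# Constructed rule list (".test" is a reserved, non-routable TLD).
RULES = [
    ExclusionRule("Allow", "https://intranet.example.test/portal/", "Simple",
                  referrer="login.example.test"),
    ExclusionRule("Block", "https://*.filehost.example.test/*", "Wildcard"),
    ExclusionRule("Monitor", r"^https://[^/]+\.example\.test/admin", "Regular Expression"),
    ExclusionRule("Allow", "docs.example.test", "Simple"),
]
```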
Importing a Web Filter profile from FortiOS or FortiManager
You can import a Web Filter profile from FortiOS or FortiManager into FortiClient EMS, then synchronize the Web Filter profile settings to an endpoint profile in FortiClient EMS. This feature is only available if Web Filter is enabled in Feature Select. See Feature Select on page 257.
To import a Web Filter profile:
1. Configure FortiOS or FortiManager to allow EMS profile importation:
   a. If using FortiOS, go to Network > Interfaces, select the desired port, and under Administrative Access, enable the HTTPS checkbox.
   b. If using FortiManager, do the following:
      i. Go to System Settings > Network and enable the HTTPS checkbox under Administrative Access.
      ii. You must set Remote Procedure Call to read. Run the get system admin user admin command. Ensure that rpc-permit is set to read-write.
      iii. If rpc-permit is not set to read, run the following commands:
         config system admin user
             edit "admin"
                 set rpc-permit read
         end
2. Go to Endpoint Profiles > Import from FortiGate / FortiManager. Click Import from FortiGate / FortiManager.
3. Under Type, select FortiGate or FortiManager.
4. Complete the following options, and click Next.
IP address/Hostname
Enter the IP address and port of the FortiGate or FortiManager from which you are importing the profile, in the format: <ip address>:<port>.
VDOM
Enter a VDOM name from the FortiGate or FortiManager if applicable.
Username
Enter a username for the FortiGate or FortiManager.
Password
Enter the password for the user account entered above.
The list of Web Filter profiles configured on the FortiGate or FortiManager displays.
You can click the </> icon beside each profile to preview the settings in XML format.
5. Select the profiles to import into FortiClient EMS and click Next.
6. Under Synchronization Mode, select one of the following options.
a. One Time Pull: FortiClient EMS does not automatically sync profile changes from the FortiGate or FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes on page 138.
b. Group Schedule: Configure a group synchronization schedule for all selected profiles. Select the next date and time to automatically update the profiles, and the profile update interval in days, hours, or minutes.
c. Individual Schedule: Configure an individual synchronization schedule for each selected profile. Select the next date and time to automatically update each profile, and the profile update interval in days, hours, or minutes.
7. Click Import. EMS imports the selected profiles and displays them in Endpoint Profiles > Import from FortiGate/FortiManager in a group named after the FortiGate or FortiManager that you imported them from. You can now configure an EMS endpoint profile to synchronize Web Filter settings from the imported FortiGate or FortiManager Web Filter profile. See Web Filter on page 151.
Enabling and disabling Safe Search
The search engine provides a Safe Search feature that blocks inappropriate or explicit images from search results. The Safe Search feature helps avoid most adult content. FortiClient EMS supports Safe Search for most common search engines, such as Google, Yahoo, and Bing.
The profile in FortiClient EMS controls the Safe Search feature.
Following are examples of search results with the Safe Search feature disabled and enabled. Notice the difference between the number of results. Here are the search results when the Safe Search feature is disabled, which has about 285000000 results:
Here are the search results when the Safe Search feature is enabled, which has about 256000000 results.
To enable or disable Safe Search:
1. In FortiClient EMS, in the Endpoint Profiles > Manage Profiles area, click the Default - Chromebooks profile or another profile.
2. On the Web Filter tab, enable or disable Enable Safe Search.
Support banned word check in URL
You can configure keyword scanning on search engines for Chromebook endpoints. EMS has a content safeguard service-provided file with a list of words in various languages for different categories. The Keyword Scanning on Search Engine feature supports monitoring and blocking searches for banned words that users perform in popular search engines. You can use this feature to protect students from inappropriate and malicious content.
To enable keyword scanning on search engines:
1. In EMS, go to Endpoint Profiles. Select the desired Chromebook profile, or create a new one.
2. Enable Keyword Scanning on Search Engine.
3. Configure the following features:
Banned Word Search
Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:
- Violence/Terrorism
- Extremist
- Pornography
- Cyber Bullying
- Self Harm
Custom Banned Words
Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.
You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.
The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.
You can view user statistics on the Blocked Search Words and Monitored Search Words widgets in Dashboard > Chromebook Status.
When the user searches for a banned word, they see the following. In the example, the user searched for "bomb", which belongs to the Extremist category.
Application Firewall
FortiClient does not include SSL deep inspection. As FortiClient cannot apply signatures marked as "Deep Inspection", do not use these signatures in a profile.
Application Firewall: Enable application control. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
General
Notification Bubbles on User's Desktop When Applications Are Blocked: Enable notification bubbles when applications are blocked.
Detect & Block Exploits: Inspect network traffic for intrusions attempting to exploit known vulnerabilities.
Categories: Enable FortiClient firewall to allow, block, or monitor applications based on their signature. Block, allow, or monitor the following categories:
- Botnet
- Business
- Cloud.IT
- Collaboration
- Email
- Game
- General.Interest
- Industrial
- Mobile
- Network.Service
- P2P
- Proxy
- Remote.Access
- Social.Media
- Storage.Backup
- Update
- Video/Audio
- VoIP
- Web.Client
- All Other Unknown Applications
Application Overrides: Enable FortiClient firewall to allow, block, or monitor applications based on their signature.
Delete: Delete an application.
Add Signatures: Add a signature to an application.
VPN
This topic contains descriptions of general VPN settings.
VPN: Enable or disable VPN. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
General
Allow Personal VPN: Allow users to create, modify, and use personal VPN configurations.
Disable Connect/Disconnect: Disable the Connect/Disconnect button when using Auto Connect with VPN.
Show VPN before Logon: Allow users to select a VPN connection before logging into the system.
Use Windows Credentials: If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.
Minimize FortiClient Console on Connect: Minimize FortiClient after successfully establishing a VPN connection.
Show Connection Progress: Display information on the FortiClient dashboard while establishing connections.
Suppress VPN Notifications: Block FortiClient from displaying any VPN connection or error notifications.
Use Vendor ID: Use vendor ID. Enter the vendor ID in the Vendor ID field.
Enable Secure Remote Access: FortiClient denies or allows the endpoint to connect to a VPN tunnel based on the tunnel's Host Tag configuration. See the Host Tag field description in SSL VPN on page 165 and IPsec VPN on page 169.
Current Connection: Select the current VPN tunnel.
Auto Connect: Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established the VPN connection manually at least once from the FortiClient GUI.
Auto Connect Only When Off-Fabric: Autoconnect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules on page 131.
Always Up Max Tries: Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.
SSL VPN
This topic contains descriptions of SSL VPN settings.
SSL VPN: Enable SSL VPN.
DNS Cache Service Control: FortiClient disables the Windows DNS cache when an SSL VPN tunnel is established. The DNS cache is restored after the SSL VPN tunnel is disconnected. If FSSO clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.
Prefer SSL VPN DNS: When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.
Do Not Accept Invalid Server Certificate: FortiClient does not complete the requested VPN connection when an invalid SSL VPN server certificate is used.
Enable Invalid Server Certificate Warning: FortiClient displays a warning to the user when an invalid SSL VPN certificate is used.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an SSL VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual SSL VPN tunnel creation:
Basic Settings
Name: Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.
Type: Select SSL VPN.
Remote Gateway: Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.
Port: Enter the access port. The default port is 443.
Require Certificate: Require a certificate.
Prompt for Username: Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Type: Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of a value, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon. For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
- Application Name: teams.exe;firefox.exe
- Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
- Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add. Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries. For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel. Select the domain checkbox, then click Remove to remove it from the list.
Advanced Settings
Enable Single User Mode: Enable single user mode.
Show Passcode: Display Passcode instead of Password in the VPN tab in FortiClient.
Enable Invalid Server Certificate Warning: Display a warning to the user that the certificate is invalid before attempting VPN connection.
Save Username: Save your username.
Allow Non-Administrators to Use Machine Certificates: Allow non-administrator users to use local machine certificates.
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Failover SSL VPN Connection: If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel. See SAML SSO on page 238.
Redundant Sort Method: How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Host Tag: Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags on page 199.
You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set on page 199.
2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list. Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.
Customize Host Check Fail Warning: Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.
For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signatures, so that they can connect to the VPN tunnel afterward.
Show "Remember Password" Option: Show the option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.
Show "Always Up" Option: Show the option to have the VPN tunnel always up. You must also enable this option on the FortiGate.
Show "Auto Connect" Option: Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.
On Connect Script: Enable the on connect script. Enter your script.
On Disconnect Script: Enable the disconnect script. Enter your script.
IPsec VPN
This topic contains descriptions of IPsec VPN settings.
IPsec VPN: Enable IPsec VPN.
Beep If Connection Fails: PC beeps if connection to the IPsec VPN tunnel fails.
Use Windows Store Certificates: Enable using Windows store certificates.
Current User Windows Store Certificates: Certificates from the user store display.
Local Computer Windows Store Certificates: Certificates from the computer store display.
Use Smart Card Certificates: Shows certificates on smartcards.
Show Auth Certificates Only: Only shows certificates with authentication in certificate features.
Block IPv6: Blocks IPv6 when connected to an IPv4 tunnel.
Enable UDP Checksum: Add checksum to UDP packets.
Disable Default Route: Disable default route to gateway.
Check for Certificate Private Key: Does not show certificates if the private key is not directly accessible, such as for smartcards.
Enhanced Key Usage Mandatory: Lists only certificates with private keys that allow enhanced key usage.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an IPsec VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual IPsec VPN tunnel creation:
Basic Settings
Name: Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.
Type: Select IPsec VPN.
Remote Gateway: Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.
Authentication Method: Select the authentication method for the VPN.
Pre-Shared Key: Enter the required preshared key. Available if you selected Pre-Shared Key for Authentication Method.
Prompt for Username: Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Type: Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of a value, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon. For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
- Application Name: teams.exe;firefox.exe
- Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
- Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add. Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries. For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel. Select the domain checkbox, then click Remove to remove it from the list.
VPN Settings
IKE: Select Version 1 or Version 2.
Mode: Select Main or Aggressive.
Options: Select Mode Config, Manual Set, or DHCP over IPsec.
Specify DNS Server (IPv4): Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.
Assign IP Address (IPv4): Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.
Split Table: Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.
Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting negotiations, and add encryption and authentication algorithms as required. You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
Encryption: Select the encryption standard.
Authentication: Select the authentication method.
DH Groups: Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.
Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Local ID: Enter the local ID.
Enable Implied SPDO: Enable implied SPDO. Enter the timeout in seconds.
Dead Peer Detection: Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal: Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Enable Local LAN: Enable local LAN.
Enable IKE Fragmentation: Enable IKE fragmentation.
Allow non-administrators to use machine certificates: Allow non-administrator users to use local machine certificates to connect IPsec VPN.
Phase 2: Select the encryption and authentication algorithms to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
Encryption: Select the encryption standard.
Authentication: Select the authentication method.
DH Group: Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.
Key Life: Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS): Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
Advanced Settings
Enable One-Time Password: Enable one-time password.
Enable XAuth: When IKEv1 is selected, enable IKE Extended Authentication (XAuth). When IKEv2 is selected, enable Extensible Authentication Protocol (EAP).
XAuth Timeout: Only available if Enable XAuth is enabled. Configure the timeout in seconds. The default value is two minutes if not configured. Enter a value between 120 and 300 seconds.
Prompt for Certificate: Prompt the user for the certificate.
Enable Single User Mode: Enable single user mode.
Show Passcode: Display Passcode instead of Password in the VPN tab in FortiClient.
Save Username: Save your username.
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Failover SSL VPN Connection: If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel. See SAML SSO on page 238.
Redundant Sort Method: How FortiClient determines the order in which to try connection to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Host Tag: Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags on page 199.
You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set on page 199.
2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list. Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.
Customize Host Check Fail Warning: Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.
For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signatures, so that they can connect to the VPN tunnel afterward.
Show "Remember Password" Option: Show the option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.
Show "Always Up" Option: Show the option to have the VPN tunnel always up. You must also enable this option on the FortiGate.
Show "Auto Connect" Option: Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.
On Connect Script: Enable the on connect script. Enter your script.
On Disconnect Script: Enable the disconnect script. Enter your script.
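As an added example that is not FortiClient code, the following checks a tunnel's Phase 1 selections against the limits described in the IPsec VPN settings above (one or two proposals, DH groups 1, 2, 5, and 14 to 21, key life 120 to 172,800 seconds) and predicts whether negotiation with a peer can succeed; the peer settings and the tie-break that picks the highest shared DH group are constructed assumptions.

```python
"""Check an EMS IPsec VPN tunnel's Phase 1 settings against a peer before rollout.

Added example, not Fortinet's code. It applies the constraints from the Phase 1
settings: one or two encryption/authentication proposals, at least one of which
the remote peer must also offer; DH groups drawn from 1, 2, 5, 14 to 21, with at
least one group shared with the peer; and a key life of 120 to 172,800 seconds.
The peer configuration used below is a constructed sample, not a FortiGate export.
"""
from dataclasses import dataclass, field

ALLOWED_DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
KEY_LIFE_MIN, KEY_LIFE_MAX = 120, 172_800


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "aes256"
    authentication: str   # e.g. "sha256"


@dataclass
class Phase1:
    proposals: list = field(default_factory=list)  # ordered, at most two
    dh_groups: set = field(default_factory=set)
    key_life: int = 86400                           # seconds


def validate_phase1(local: Phase1) -> list:
    """Return the rule violations in the local Phase 1 settings (empty if valid)."""
    errors = []
    if not 1 <= len(local.proposals) <= 2:
        errors.append(f"select 1 or 2 proposals, got {len(local.proposals)}")
    bad_groups = local.dh_groups - ALLOWED_DH_GROUPS
    if not local.dh_groups:
        errors.append("select at least one DH group")
    elif bad_groups:
        errors.append(f"unsupported DH groups: {sorted(bad_groups)}")
    if not KEY_LIFE_MIN <= local.key_life <= KEY_LIFE_MAX:
        errors.append(f"key life {local.key_life}s outside {KEY_LIFE_MIN}-{KEY_LIFE_MAX}")
    return errors


def negotiate(local: Phase1, peer: Phase1) -> dict:
    """Predict whether Phase 1 can succeed and which proposal and group would be agreed.

    Negotiation fails when no proposal or no DH group is common to both sides,
    matching the rule that failure to match one or more DH groups results in
    failed negotiations. Proposals are tried in the local list order; the
    highest-numbered shared DH group is chosen as a constructed tie-break.
    """
    errors = validate_phase1(local)
    if errors:
        return {"ok": False, "reason": "; ".join(errors)}
    peer_proposals = set(peer.proposals)
    agreed = next((p for p in local.proposals if p in peer_proposals), None)
    if agreed is None:
        return {"ok": False, "reason": "no common encryption/authentication proposal"}
    common_groups = local.dh_groups & peer.dh_groups
    if not common_groups:
        return {"ok": False, "reason": "no common DH group"}
    return {"ok": True, "proposal": agreed, "dh_group": max(common_groups)}


if __name__ == "__main__":
    # Constructed sample: the EMS profile offers two proposals, the peer one.
    local = Phase1([Proposal("aes256", "sha256"), Proposal("aes128", "sha1")], {14, 19}, 86400)
    peer = Phase1([Proposal("aes256", "sha256")], {5, 14}, 28800)
    print(negotiate(local, peer))
    print(negotiate(local, Phase1([Proposal("aes256", "sha256")], {2})))
```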
Configuring a profile with application-based split tunnel
FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
You must configure these settings in the endpoint profile in EMS. The following instructions assume that you have already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.
This feature does not support explicitly including traffic in the VPN tunnel.
To configure application-based split tunnel using the GUI:
1. In EMS, go to Endpoint Profiles, and select the desired profile.
2. On the VPN tab, select an existing tunnel or create a new tunnel.
3. Under Split Tunnel > Application Based, configure the following fields:
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Type: Select Exclude to configure whether to exclude certain application traffic from the VPN tunnel.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of a value, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
- Application Name: teams.exe;firefox.exe
- Full Path: %localappdata%\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
- Directory: %localappdata%\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add. Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries. For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel. Select the domain checkbox, then click Remove to remove it from the list.
This example shows excluding Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:
4. Assign the profile to the desired endpoints. When VPN is up on those endpoints, the application traffic specified in the profile will be excluded from the VPN tunnel as configured.
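The entry rules for the Add Application(s) field, described in the SSL VPN, IPsec VPN, and split tunnel procedures above, are easy to get wrong in a profile. This added example (not Fortinet's code) validates a field value against those rules, classifies each entry as a process name, full path, or directory, and checks a running process's image path against it; the environment-variable map is a constructed stand-in for the endpoint's, and the relative-path rejection is an assumption.

```python
"""Validate and classify entries for the Add Application(s) field of an EMS split tunnel.

Added example, not Fortinet's code. It applies the entry rules the profile
settings give: entries are separated by ';'; each is a process name, a full
path, or an installation directory that must end with '\\'; environment
variables such as %LOCALAPPDATA% are permitted in paths; and values must not
carry leading/trailing spaces or surrounding double quotes. The environment map
used for expansion is a constructed sample standing in for the endpoint's.
"""
import re
from dataclasses import dataclass

# Constructed sample of the variables a Windows endpoint would supply.
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\jdoe\AppData\Local",
    "APPDATA": r"C:\Users\jdoe\AppData\Roaming",
    "PROGRAMFILES": r"C:\Program Files",
}

_ENV_REF = re.compile(r"%([^%]+)%")
# A value is a path when it starts with a drive letter or an %ENV% reference.
_ROOTED = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")


@dataclass(frozen=True)
class Entry:
    kind: str       # "process", "path", or "directory"
    raw: str        # value as typed into the EMS field
    expanded: str   # value with environment variables resolved


class SplitTunnelEntryError(ValueError):
    pass


def expand_env(value: str, env: dict) -> str:
    """Resolve %VAR% references case-insensitively, as the Windows shell does."""
    def repl(match):
        name = match.group(1).upper()
        if name not in env:
            raise SplitTunnelEntryError(f"unknown environment variable %{match.group(1)}%")
        return env[name]
    return _ENV_REF.sub(repl, value)


def parse_entry(value: str, env: dict = SAMPLE_ENV) -> Entry:
    """Classify one entry and reject the forms the settings say not to use."""
    if value != value.strip():
        raise SplitTunnelEntryError(f"leading/trailing space in {value!r}")
    if not value:
        raise SplitTunnelEntryError("empty entry (stray ';'?)")
    if value.startswith('"') or value.endswith('"'):
        raise SplitTunnelEntryError(f"do not quote paths with spaces: {value!r}")
    if _ROOTED.match(value):
        # Directories are distinguished only by the mandatory trailing backslash.
        kind = "directory" if value.endswith("\\") else "path"
        return Entry(kind, value, expand_env(value, env))
    if "\\" in value or "/" in value:
        # Assumption: anything with separators but no root is a mistake.
        raise SplitTunnelEntryError(f"relative paths are not supported: {value!r}")
    return Entry("process", value, value)


def parse_field(field_value: str, env: dict = SAMPLE_ENV) -> list:
    """Split the Add Application(s) field on ';' and parse every entry."""
    return [parse_entry(part, env) for part in field_value.split(";")]


def field_errors(field_value: str, env: dict = SAMPLE_ENV) -> list:
    """Return the error messages for a field value (empty list means it is accepted)."""
    try:
        parse_field(field_value, env)
    except SplitTunnelEntryError as exc:
        return [str(exc)]
    return []


def matches(entry: Entry, image_path: str) -> bool:
    """Does a running process (Task Manager 'Image path name') fall under the entry?"""
    image = image_path.lower()
    target = entry.expanded.lower()
    if entry.kind == "process":
        return image.rsplit("\\", 1)[-1] == target
    if entry.kind == "path":
        return image == target
    return image.startswith(target)  # directory: any executable below it


if __name__ == "__main__":
    for entry in parse_field("%localappdata%\\Microsoft\\Teams\\current\\;firefox.exe"):
        print(entry)
    print(field_errors(' teams.exe;"C:\\Program Files\\Mozilla Firefox\\firefox.exe"'))
```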
Configuring a profile to allow or block endpoint from VPN tunnel connection based on the applied Zero Trust tag
You can configure a profile to allow or block an endpoint from connecting to a VPN tunnel based on its applied Zero Trust tag. This feature is only available for Windows endpoints. This example describes configuring an endpoint profile to prohibit Windows endpoints with critical vulnerabilities from connecting to VPN.
To configure an endpoint profile to prohibit endpoints with critical vulnerabilities from connecting to VPN:
1. Create a Zero Trust tagging rule set that tags endpoints with critical vulnerabilities with the "Vulnerable Devices" tag:
   a. Go to Zero Trust Tags > Zero Trust Tagging Rules.
   b. Click Add.
   c. In the Tag Endpoint As field, create a new "Vulnerable Devices" tag.
   d. Toggle Enabled to on.
   e. Click Add Rule.
   f. For Windows devices, from the Rule Type dropdown list, select Vulnerable Devices.
   g. From the Severity Level dropdown list, select Critical.
   h. Click Save.
   i. Click Save again.
2. Configure the options on the endpoint profile:
   a. Go to Endpoint Profiles > Manage Profiles.
   b. Edit the desired profile, or create a new one.
   c. On the VPN tab, enable Enable Secure Remote Access.
   d. Select an existing VPN tunnel, or create a new one by clicking Add Tunnel.
   e. In Advanced Settings, for Host Tag, select Prohibit.
   f. From the Select a Tag dropdown list, select Vulnerable Devices.
   g. Enable Customize Host Check Fail Warning.
   h. Enter a message to display to users when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device.
   i. Configure other fields as desired.
   j. Save the configuration.
After the next communication between EMS and FortiClient, endpoints with this profile applied are unable to connect to this VPN tunnel if they have critical vulnerabilities. The following shows the notification that the end user sees when their connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device. After the end user fixes the vulnerabilities, FortiClient allows them to establish the VPN connection.
Configuring a backup VPN connection
You can configure FortiClient to connect to a preconfigured SSL VPN tunnel instead when connection to a configured IPsec VPN tunnel fails. This feature is convenient for connecting to VPN when the IPsec VPN tunnel is blocked or if a public router or gateway is not performing IPsec VPN NAT correctly.
This guide assumes that the EMS administrator has already configured an SSL VPN tunnel and IPsec VPN tunnel on the desired endpoint profile.
To configure a backup VPN connection:
1. Go to Endpoint Profiles > Manage Profiles.
2. Edit the desired profile, then do one of the following:
   a. Configure this feature from the GUI. Do the following:
      i. Edit the desired IPsec VPN tunnel.
      ii. In Advanced Settings, from the Failover SSL VPN Connection dropdown list, select the desired SSL VPN connection.
      iii. Click Save.
   b. Configure this feature using XML. On the XML Configuration tab, configure the following for the desired IPsec VPN tunnel. The following configures the secure_sslvpn tunnel as the backup tunnel:
      <forticlient_configuration>
        <vpn>
          <ipsecvpn>
            <connections>
              <connection>
                <ike_settings>
                  <failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
                </ike_settings>
              </connection>
            </connections>
          </ipsecvpn>
        </vpn>
      </forticlient_configuration>
3. After FortiClient receives the next update from EMS, on the Remote Access tab, from the VPN Name dropdown list, select the IPsec VPN tunnel.
4. Select View the selected connection.
5. Verify that the Failover SSL VPN field specifies the SSL VPN tunnel configured in step 2.
6. Attempt connection to the IPsec VPN tunnel when you know that it will fail. FortiClient automatically connects to the configured SSL VPN tunnel instead.
Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
When establishing an SSL VPN tunnel connection, FortiClient can present a SAML authentication request to the end user in a web browser. FortiClient (Windows) and (macOS) 7.0.1 and EMS 7.0.1 support this feature. FortiClient (Linux) 7.0.1 does not support this feature. This feature is not supported when SSL VPN realms are configured. When SSL VPN realms are configured and the user provides their SAML authentication credentials in an external browser, FortiClient fails to establish the SSL VPN connection.
To configure FortiAuthenticator as the identity provider (IdP):
1. In FortiAuthenticator, go to Authentication > SAML IdP > Service Providers.
2. Configure a new service provider (SP) for SAML.
3. Go to Authentication > User Management > Local Users.
4. Create a new user.
To configure FortiGate as a SAML SP:
1. In the FortiOS CLI, create a SAML user. Ensure that the SP and IdP details match the details provided by FortiAuthenticator. Match digest-method to the digest the IdP signs with (sha1 in this example; prefer sha256 where the IdP supports it):

   config user saml
       edit "su10"
           set cert "Fortinet_Factory"
           set entity-id "http://192.168.230.56:4433/remote/saml/metadata/"
           set single-sign-on-url "https://192.168.230.56:4433/remote/saml/login/"
           set single-logout-url "https://192.168.230.56:4433/remote/saml/logout/"
           set idp-entity-id "http://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/metadata/"
           set idp-single-sign-on-url "https://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/login/"
           set idp-single-logout-url "https://172.17.61.118:443/saml-idp/s6rlo1pxemulz84k/logout/"
           set idp-cert "REMOTE_Cert_1"
           set user-name "username"
           set group-name "group"
           set digest-method sha1
       next
   end

2. Ensure that the SAML redirect port is set to 8020. SAML external browser authentication uses port 8020 by default. If another service or application on the endpoint is occupying this port, FortiClient displays a message showing that the SAML redirect port is unavailable:

   config vpn ssl settings
       show full-configuration | grep 8020
   end

   The output should include:

       set saml-redirect-port 8020

3. Create a user group by going to User & Authentication > User Groups > Create New. Provide the required details and add the user that you created in step 1 to this group.
4. Go to VPN > SSL-VPN Settings. Under Authentication/Portal Mapping, create a mapping with the user group that you created in step 3. From the Portal dropdown list, select full-access. Click OK.
5. Go to Policy & Objects > Firewall Policy. Select the SSL VPN firewall policy. Ensure that the Source field includes the SAML user group.
To configure external browser for authentication in EMS:
1. In EMS, go to Endpoint Profiles > Manage Profiles, and edit the desired profile.
2. On the VPN tab, click Add Tunnel. Provide the correct gateway information. In Advanced Settings, enable Enable SAML Login. Configure other fields as desired. Save the tunnel.
3. On the XML Configuration tab, under the <sso_enabled> element for the tunnel, add <use_external_browser>1</use_external_browser>.
4. Click Test XML, then save the configuration.
To test the connection in FortiClient:
1. After FortiClient receives the latest configuration update from EMS, go to the Remote Access tab.
2. View the tunnel to verify that the Use external browser as user-agent for saml user authentication field is enabled.
3. Connect to the tunnel by clicking SAML Login. Verify that FortiClient opens your default browser to prompt for authentication. Provide your credentials and click Login to establish the connection.
Vulnerability Scan
If you enable both Automatic Maintenance and Scheduled Scan, FortiClient EMS only uses the Automatic Maintenance settings.

Vulnerability Scan: Enable or disable Vulnerability Scan. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Scanning
  Scan on Registration: Scan endpoints upon connecting to a FortiGate.
  Scan on Vulnerability Signature Update: Scan endpoints upon updating a vulnerability signature.
  Scan for OS Updates: Scan for OS updates.
  Enable Proxy: Use the proxy settings configured under System Settings > Proxy when downloading updates for vulnerability patches.

Automatic Maintenance: Configure settings for automatic maintenance. This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient vulnerability scans to the Windows automatic maintenance queue lets the system choose a time for the scan that has minimal impact on the user, PC performance, and energy efficiency. See Automatic maintenance.
  Period: Specify how often Vulnerability Scan must be started during automatic maintenance. Enter the desired number of days.
  Deadline: Specify when Windows must start Vulnerability Scan during emergency automatic maintenance if Vulnerability Scan did not complete during regular automatic maintenance. Enter the desired number of days. This value must be greater than the Period value.

Scheduled Scan: Configure settings for scheduled scanning.
  Schedule Type: Select Daily, Weekly, or Monthly.
  Scan On: Configure the day the scan runs. This only applies if the schedule type is Weekly or Monthly. Select a day of the week (Sunday through Saturday) or a day of the month (1st through 31st).
  Start At: Configure the time the scan starts.

Automatic Patching: Patches are installed automatically when vulnerabilities are detected.
  Patch Level: Select one of the following:
    - Critical: Patch critical vulnerabilities only
    - High: Patch high severity and above vulnerabilities
    - Medium: Patch medium severity and above vulnerabilities
    - Low: Patch low severity and above vulnerabilities
    - All: Patch all vulnerabilities
  Automatic patching may require the endpoint to reboot.

Exclusions
  Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check: All applications that require the endpoint user to manually patch vulnerabilities are excluded from the vulnerability compliance check. This option does not exclude applications from vulnerability scanning.
  Exclude Selected Applications from Vulnerability Compliance Check: In the <number> Applications list, click the applications to exclude from the vulnerability compliance check; they are moved to the <number> Excluded Applications list. In the <number> Excluded Applications list, click applications to remove them from the exclusion list. Applications on the exclusion list are exempt from needing to install software patches within the time frame specified in FortiGate compliance rules to maintain compliant status and network access. Applications on the list are not excluded from vulnerability scanning.
  Disable Automatic Patching for These Applications: Disable automatic patching for the applications excluded from the vulnerability compliance check.
System Settings
The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager.
Some options are only available when Advanced view is enabled.
UI: Specify how the FortiClient user interface appears when installed on endpoints.
  Require Password to Disconnect from EMS: Turn on password lock for FortiClient.
  Password: Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.
  Do Not Allow User to Back Up Configuration: Disallow users from backing up the FortiClient configuration.
  Allow User to Shutdown When Registered to EMS: Allow the user to shut down FortiClient while it is registered to EMS.
  Hide User Information: Hide the User Details panel, where the user can provide user details (avatar, name, phone number, email address) and link a social media (LinkedIn, Google, Salesforce) account.
  Hide System Tray Icon: Hide the FortiClient system tray icon.
  Show Host Tag on FortiClient GUI: Show the applied host tag on the FortiClient GUI. See Zero Trust Tags on page 199.
  Language: Configure the language that FortiClient uses. By default, FortiClient uses the operating system language. Select one of the following:
    - os-default (system operating language, selected by default)
    - zh-tw (Taiwanese Mandarin)
    - cs-cz (Czech)
    - de-de (German)
    - en-us (United States English)
    - fr-fr (French)
    - hu-hu (Hungarian)
    - ru-ru (Russian)
    - ja-jp (Japanese)
    - ko-kr (Korean)
    - pt-br (Brazilian Portuguese)
    - sk-sk (Slovak)
    - es-es (Spanish)
    - zh-cn (Chinese (Simplified))
    - et-ee (Estonian)
    - lv-lv (Latvian)
    - lt-lt (Lithuanian)
    - fi-fi (Finnish)
    - sv-se (Swedish)
    - da-dk (Danish)
    - pl-pl (Polish)
    - nb-no (Norwegian)
    - fr-ca (Canadian French)

Log: Specify FortiClient log settings.
  Log Level: This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following:
    - Emergency: The system becomes unstable.
    - Alert: Immediate action is required.
    - Critical: Functionality is affected.
    - Error: An error condition exists and may affect functionality.
    - Warning: Functionality could be affected.
    - Notice: Information about normal events.
    - Info: General information about system operations.
    - Debug: Debug FortiClient. Detailed debug logs for the selected features are generated on the endpoint. You can request the creation and download of the diagnostic tool output, which includes these logs.
  Features: Select features to generate logs for: AntiVirus, Application Firewall, Telemetry, FSSOMA, Proxy, IPsec VPN, AntiExploit, SSL VPN, Update, Vulnerability, Web Filter, Sandbox.
  Client-Based Logging When On-Fabric: Include local log messages when FortiClient is on-fabric. FortiClient hides the Export log and Clear log options from the GUI when the endpoint is off-fabric. FortiClient still sends logs to FortiAnalyzer, if one is configured. If FortiAnalyzer is unreachable because the endpoint is off-fabric, FortiClient retains the logs until it can reach FortiAnalyzer and forward them. See On-fabric Detection Rules on page 131.
  Upload Logs to FortiAnalyzer/FortiManager: This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname.
    Upload UTM Logs: Upload unified threat management logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
    Upload Vulnerability Logs: Upload vulnerability logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
    Upload Event Logs: Upload event logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
    Upload System Event: Upload system events to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.3 and later versions. This includes logs for endpoint control, update, and FortiClient events.
    Upload Security Event: Upload security events to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.3 and later versions. This includes logs for Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events.
    Send Software Inventory: EMS sends the FortiClient software inventory to FortiAnalyzer or FortiManager.
    Send OS Events: This feature requires the EPP license. See FortiClient EMS on page 21. EMS sends endpoint host events to FortiAnalyzer or FortiManager. EMS supports this feature for Windows and macOS endpoints. For macOS endpoints, OS event logs are stored at /var/log/system.log.
    Event telemetry interval: Enter the telemetry interval in seconds.
    IP Address/Hostname: Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging. If using a port other than the default, use <address>:<port>.
    SSL Enabled: Enable SSL.
    Upload Schedule: Configure the upload schedule in minutes.
    Log Generation Timeout: Configure the log generation timeout in seconds.
    Log Retention: Configure the number of days to retain logs.

Proxy
  Use Proxy for Updates: Access FortiGuard using the configured proxy.
  Connect to FDN Directly If Proxy Is Offline: Connect to FDN directly if the proxy is offline.
  Use Proxy for Virus Submission: Use the configured proxy to submit viruses to FortiGuard.
  Type: Configure the proxy type: http, socks4, or socks5.
  IP Address/Hostname: Enter the proxy server's IP address/hostname.
  Port: Enter the proxy server's port number. The port range is 1 to 65535.
  Username: If the proxy requires authentication, enter the username (encrypted or non-encrypted).
  Password: If the proxy requires authentication, enter the password (encrypted or non-encrypted). Enable Show Password to show the password in plain text.
Update: Specify whether to use FortiManager to update FortiClient on endpoints.
  Use FortiManager for Client Signature Update: Enable FortiClient EMS to obtain AV signatures from the FortiManager at the specified IP address or hostname.
  IP Address/Hostname: Enter the FortiManager IP address/hostname.
  Port: Enter the port number.
  Failover Port: Enter the failover port.
  Timeout: Enter the timeout interval.
  Failover to FDN When FortiManager Is Not Available: Fail over to FDN when FortiManager is not available.
  FortiGuard Server Location: Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates. The URLs connected to for each server location are as follows:
    - FortiGuard: Global: forticlient.fortinet.net; U.S.: usforticlient.fortinet.net
    - FortiGuard Anycast: Global: fctupdate.fortinet.net; U.S.: fctusupdate.fortinet.net; Europe: fcteuupdate.fortinet.net
  Server: Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

FortiProxy: Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options.
  HTTPS Proxy: Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic.
  HTTP Timeout: Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this value if your client requires a faster fail response.
  POP3 Client Comforting: Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.
  POP3 Server Comforting: Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. You may use this in a situation where FortiClient is installed on a mail server.
  SMTP Client Comforting: Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.
  Self Test: Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic. FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by periodically sending packets to 1.1.1.1, which FortiClient intercepts and drops (they never leave the computer). If the packets are not detected, it is deemed highly likely that third-party software is intercepting them, signaling that FortiProxy cannot perform regular traffic filtering.
  Notify: Display a bubble notification when self-testing detects that a third-party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning.
  Last Port: Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use this to prevent FortiProxy from binding to a port that another service normally uses. The available port range is 10000 to 65535.

Endpoint Control
  Show Bubble Notifications: Show bubble notifications when FortiClient installs new policies on endpoints.
  Log off When User Logs Out of Windows: Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.
  Disable Disconnect: Forbid users from disconnecting FortiClient from FortiClient EMS.
  On-Fabric Subnets: Turn on to enable on-fabric subnets. FortiClient determines on-/off-fabric status as described in Determining on-fabric/off-fabric status on page 133. This option only applies to endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-fabric Detection Rules on page 131.
  IP Addresses/Subnet Masks: Enter the IP addresses/subnet masks of the on-fabric subnets.
  Gateway MAC Address: Enable gateway MAC address.
  MAC Addresses: Enter MAC addresses.
  Send Software Inventory: Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory on page 221. This feature requires the EPP license. See FortiClient EMS on page 21.

User Identity Settings
  Allow Users to Specify Identity Using: Enable users to specify their identity in FortiClient using the following methods:
    - Manually entering their details in FortiClient
    - Logging in to their account for one of the following social media services: LinkedIn, Google, Salesforce
  By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead. If this option is disabled, EMS obtains and displays user details from the endpoint OS.
  Notify Users to Submit User Identity Information: Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.

Zero Trust Network Access (ZTNA) Settings
  Use ZTNA: Enable ZTNA. When ZTNA is enabled, FortiClient can create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and checks other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable. For TCP forwarding to non-web-based applications, the endpoint user can define ZTNA connection rules in the FortiClient console.

Other
  Install CA Certificate on Client: Turn on to select and install a CA certificate on the FortiClient endpoint. You can add certificates by going to Endpoint Policy & Components > CA Certificates.
  FortiClient Single Sign-On Mobility Agent: Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature, you must apply a FortiClient SSO mobility agent license to your FortiAuthenticator.
    IP Address/Hostname: Enter the FortiAuthenticator IP address or hostname.
    Port: Enter the port number.
    Pre-Shared Key: Enter the preshared key. The preshared key must match the key configured on your FortiAuthenticator.
  iOS
    Distribute Configuration Profile: Enable and browse for your .mobileconfig file to distribute the configuration profile.
  Privacy
    Send Usage Statistics to Fortinet: Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.
Configuring identity compliance for endpoints
You can assign different user identification options to different endpoints. These options, visible in FortiClient, include: l User Input l OS l LinkedIn l Google l Salesforce
EMS sends a notification to the endpoint where the user must enter their login information. If the user closes the notification without entering any information, the notification appears again within 10 minutes.
To configure identity compliance:
1. In EMS, go to Endpoint Profiles. Select the desired profile, or create a new one.
2. On the System Settings tab, under User Identity Settings, enable the desired user identification method.
3. If desired, enable Notify Users to Submit User Identity Information.
4. Click Save.

When Notify Users to Submit User Identity Information is enabled, the user sees the following notification on the endpoint. If Manually Enter User Details is enabled, the user can enter their information manually.
FortiClient displays the entered login information.
If Google is enabled, the user can log in to their Google account. FortiClient displays the Google login information.
XML Configuration
Configuration XML editor
Description
Configure the endpoint profile using the XML editor. See the FortiClient XML Reference Guide.
Creating a profile with XML
You can configure FortiClient profile settings in FortiClient EMS by using XML or a custom XML configuration file. The custom XML file must include all settings required by the endpoint at the time of deployment. For information about how to configure a profile with XML, see the FortiClient XML Reference.
To create a profile with XML:
1. Go to Endpoint Profiles > Manage Profiles, and click the Add button.
2. In the Profile Name field, enter a name for the profile.
3. Click the Advanced button. The XML Configuration tab displays, and the profile configuration displays in XML.
4. Click the XML Configuration tab, and click the Edit button.
5. Edit the XML.
6. Click Test XML.
7. Click Save to save the profile.
Importing a profile from an XML file
To import a profile from an XML file:
1. Go to Endpoint Profiles > Manage Profiles.
2. Click Import From File.
3. In the Name field, enter the desired name.
4. Under XML, browse to and select the desired XML profile configuration file.
5. Click Upload.
If the profile has a feature enabled that is disabled in Feature Select, EMS displays a warning that the feature will not be enabled on endpoints that the profile is deployed to. To enable this feature on the endpoint, you must enable the feature in Feature Select. See Feature Select on page 257.
Configuring encrypted ZTNA rules
FortiClient supports encryption and non-encryption modes for Zero Trust Network Access (ZTNA) via a toggle switch. You can manually add ZTNA rules in the FortiClient GUI or receive rules from EMS. This feature requires the prerequisites:
- A Security Fabric connector between FortiOS and EMS must be configured.
- FortiOS ZTNA-related settings must be configured properly. See ZTNA TCP forwarding access proxy example.
- FortiClient must be registered to EMS.
- You must add ZTNA rules in EMS or FortiClient.

The following shows the topology for the example configuration. In this topology, RDP access is configured to one server, and SSH access to another.
To configure ZTNA rules in EMS:
1. In EMS, go to Endpoint Profiles > Manage Profiles. 2. Edit the desired profile. 3. On the XML Configuration tab, add the following configuration:
   <ztna>
     <enabled>1</enabled>
     <rules>
       <rule>
         <name>RDP Forwarding</name>
         <destination>172.17.60.19:3389</destination>
         <gateway>192.168.139.102:8445</gateway>
         <encryption>1</encryption>
         <mode>transparent</mode>
       </rule>
       <rule>
         <name>SSH Forwarding</name>
         <destination>172.17.81.177:22</destination>
         <gateway>192.168.139.102:8445</gateway>
         <encryption>1</encryption>
         <mode>transparent</mode>
       </rule>
     </rules>
   </ztna>

4. Save the configuration.
To configure ZTNA rules in FortiClient:
1. In FortiClient, go to the ZTNA Connection Rules tab.
2. Create the RDP forwarding rule:
   a. Click Add Rule.
   b. In the Rule Name field, enter RDP Encryption Enabled.
   c. In the Destination Host field, enter 172.17.60.19:3389.
   d. In the Proxy Gateway field, enter 192.168.139.102:8445.
   e. For Mode, select Transparent.
   f. Select the Encryption checkbox.
   g. Click Create.
3. Create the SSH forwarding rule:
   a. Click Add Rule.
   b. In the Rule Name field, enter SSH Encryption Enabled.
   c. In the Destination Host field, enter 172.17.81.177:22.
   d. In the Proxy Gateway field, enter 192.168.139.102:8445.
   e. For Mode, select Transparent.
   f. Select the Encryption checkbox.
   g. Click Create.
To verify the configuration:
1. Start an SSH connection to 172.17.81.177 via ZTNA.
2. Run debug commands in FortiOS:

   diagnose wad debug enable category all
   diagnose wad debug enable level verbose
   diagnose debug enable

3. Check the debug logs to verify whether encryption is enabled. When encryption is enabled, the debug logs contain the line GET tcpaddress=172.17.81.177&port=22&tls=1 HTTP1.1. When encryption is disabled, the debug logs contain the line GET tcpaddress=172.17.81.177&port=22&tls=0 HTTP1.1.
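The following is an added example, not Fortinet code or part of this guide. It covers both the ZTNA rule fragment pushed from EMS and the FortiOS WAD debug check above: it parses a <ztna> fragment, validates each rule's destination and gateway host:port, flags any rule that does not have <encryption>1</encryption>, and reads the GET tcpaddress=...&tls=N line from WAD debug output to report whether the forwarded session negotiated TLS. The rule layout is taken from the fragment in this guide; the sample XML (with encryption deliberately turned off on one rule) and the debug line are constructed for the example.

```python
"""Added example, not Fortinet code: check a FortiClient ZTNA <ztna> XML
fragment before it is pushed from EMS, and read a FortiOS WAD debug line to
confirm whether the forwarded session negotiated TLS.

Assumptions: the rule layout (<name>, <destination>, <gateway>,
<encryption>, <mode>) follows the fragment in this guide; the sample XML
and the debug line used below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the guide's two rules, with encryption turned
# off on the SSH rule so that the checker has something to flag.
SAMPLE_ZTNA_XML = """<ztna>
  <enabled>1</enabled>
  <rules>
    <rule>
      <name>RDP Forwarding</name>
      <destination>172.17.60.19:3389</destination>
      <gateway>192.168.139.102:8445</gateway>
      <encryption>1</encryption>
      <mode>transparent</mode>
    </rule>
    <rule>
      <name>SSH Forwarding</name>
      <destination>172.17.81.177:22</destination>
      <gateway>192.168.139.102:8445</gateway>
      <encryption>0</encryption>
      <mode>transparent</mode>
    </rule>
  </rules>
</ztna>"""

HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def parse_hostport(value):
    """Split 'host:port' into (host, int port); raise ValueError if malformed."""
    m = HOSTPORT.match((value or "").strip())
    if not m or not 1 <= int(m.group("port")) <= 65535:
        raise ValueError("bad host:port %r" % value)
    return m.group("host"), int(m.group("port"))


def check_ztna_rules(xml_text):
    """Return a list of findings; an empty list means every rule parses and
    every rule has <encryption>1</encryption>."""
    root = ET.fromstring(xml_text)
    if root.tag != "ztna":
        return ["root element is <%s>, expected <ztna>" % root.tag]
    findings = []
    if (root.findtext("enabled") or "").strip() != "1":
        findings.append("<enabled> is not 1: ZTNA is off for this profile")
    for rule in root.iterfind("./rules/rule"):
        name = (rule.findtext("name") or "").strip() or "<unnamed>"
        for field in ("destination", "gateway"):
            try:
                parse_hostport(rule.findtext(field))
            except ValueError as exc:
                findings.append("%s: %s %s" % (name, field, exc))
        if (rule.findtext("encryption") or "").strip() != "1":
            findings.append("%s: encryption disabled (session to the access proxy is tls=0)" % name)
        if (rule.findtext("mode") or "").strip() != "transparent":
            findings.append("%s: mode is not transparent" % name)
    return findings


# Shape of the line the guide says to look for in 'diagnose wad debug' output.
WAD_GET = re.compile(r"GET tcpaddress=(?P<addr>[\d.]+)&port=(?P<port>\d+)&tls=(?P<tls>[01])")


def tls_from_wad_log(log_text, destination):
    """Locate the WAD GET line for destination 'host:port'. Return True for
    tls=1, False for tls=0, or None if no matching line is present."""
    host, port = parse_hostport(destination)
    for m in WAD_GET.finditer(log_text):
        if m.group("addr") == host and int(m.group("port")) == port:
            return m.group("tls") == "1"
    return None


if __name__ == "__main__":
    for finding in check_ztna_rules(SAMPLE_ZTNA_XML):
        print("FINDING:", finding)
    # Constructed excerpt of debug output, not a real capture.
    wad_log = "GET tcpaddress=172.17.81.177&port=22&tls=1 HTTP1.1\n"
    print("SSH session encrypted:", tls_from_wad_log(wad_log, "172.17.81.177:22"))
```

Run it against the XML you are about to paste into the profile's XML Configuration tab; a non-empty findings list means a rule would forward in the clear (tls=0) to the access proxy, which is exactly what the WAD debug line later confirms from the FortiGate side.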
Zero Trust Tags
You can create Zero Trust tagging rules for Windows, macOS, and Linux endpoints based on their OS versions, logged in domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints. FortiOS 6.2.0 and later versions can use the dynamic endpoint groups to build dynamic policy rules.
Zero Trust Tagging Rules
You can create, edit, and delete Zero Trust tagging rules for Windows, macOS, and Linux endpoints. You can also view and manage the tags used to dynamically group endpoints.
The following occurs when using Zero Trust tagging rules with EMS and FortiClient:

1. EMS sends Zero Trust tagging rules to endpoints via Telemetry communication.
2. FortiClient checks endpoints using the provided rules and sends the results to EMS. When endpoint network changes or user log-on/log-off events occur, FortiClient triggers an X-FFCK-TAG message to EMS, even if there are no tag changes. Once EMS receives the tags, it processes them immediately, and FortiOS tags are updated within five seconds of the REST API response. For other tag changes, FortiClient sends the information to EMS at the configured keepalive intervals. See Configuring EMS settings on page 244.
3. EMS receives the results from FortiClient.
4. EMS dynamically groups endpoints together using the tag configured for each rule. You can view the dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. See Zero Trust Tag Monitor on page 206.
Adding a Zero Trust tagging rule set
To add a Zero Trust tagging rule set:
1. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
2. In the Name field, enter the desired rule name.
3. In the Tag Endpoint As dropdown list, select an existing tag or enter a new tag. EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
4. Toggle Enabled on or off to enable or disable the rule.
5. (Optional) In the Comments field, enter any desired comments.
6. Click Add Rule.
7. Configure the rules:
   a. For OS, select the desired OS. This affects what rule types are available.
   b. From the Rule Type dropdown list, select the rule type and configure the related options. Ensure that you click the + button after entering each criterion. See Zero Trust tagging rule types on page 202 for descriptions of the rule types.
   c. Click Save.
   d. Configure additional rules as desired.
8. By default, an endpoint must satisfy all configured rules to be eligible for the rule set. You may want to apply the tag to endpoints that satisfy some, but not all, of the configured rules. In this case, you can modify the rule set logic. For example, consider that you want to apply the same tag to endpoints that fulfill one of the following criteria:
   - Running Windows 10
   - Running Windows 7 and antivirus (AV) software is installed and running
   With the default rule set logic, an endpoint would have to satisfy every configured rule, including the AV rule, to be eligible. To modify the rule set logic, do the following:
   a. Click Edit Logic. Clicking Edit Logic assigns numerical values to each configured rule.
   b. In the Rule Logic field, enter the desired logic for the rule set using the numerical values. You can use "and" and "or" to define the rule logic; you cannot use "not". You can also use parentheses to group rules. For this example, you would enter (1 and 3) or 2, to indicate that endpoints that satisfy both the AV and Windows 7 rules (rules 1 and 3) or only the Windows 10 rule (rule 2) satisfy the rule set. To restore the default logic, click Default Logic.
9. Click Save.
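The rule set logic above is small enough to evaluate by hand, but it is easy to mis-state once a rule set has five or six rules. The following is an added example, not Fortinet code or part of this guide: a recursive-descent evaluator for the Edit Logic grammar the guide describes (rule numbers, "and", "or", parentheses, "not" rejected), run against per-rule results for the Windows 10 / Windows 7-with-AV scenario. It assumes rule results arrive as a dict {rule_number: bool}; how FortiClient evaluates each rule on the endpoint is outside the example. That "and" binds tighter than "or" is an assumption the guide does not state, so real rule sets should use parentheses rather than rely on it.

```python
"""Added example, not Fortinet code: evaluate a Zero Trust tagging rule
set's Edit Logic expression against per-rule results.

The grammar is the one the guide describes: rule numbers, "and", "or" and
parentheses, with "not" rejected. Per-rule results are assumed to arrive
as a dict {rule_number: bool}; how FortiClient evaluates each rule on the
endpoint is outside this example. Precedence of "and" over "or" is an
assumption (the guide does not state it), so real rule sets should use
parentheses rather than rely on it.
"""
import re

TOKEN = re.compile(r"\s*(\d+|and|or|not|\(|\))\s*", re.IGNORECASE)


def tokenize(expr):
    """Split the expression into rule numbers, operators and parentheses."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("unexpected text at %r" % expr[pos:])
        tokens.append(m.group(1).lower())
        pos = m.end()
    return tokens


def evaluate_logic(expr, results):
    """Return True if the tag applies. Recursive-descent evaluation:
    or_expr := and_expr ("or" and_expr)*; and_expr := atom ("and" atom)*;
    atom := rule_number | "(" or_expr ")"."""
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %s, got %r" % (expected or "a rule number or '('", tok))
        pos += 1
        return tok

    def or_expr():
        value = and_expr()
        while peek() == "or":
            take("or")
            rhs = and_expr()          # always parsed, so syntax errors are never masked
            value = value or rhs
        return value

    def and_expr():
        value = atom()
        while peek() == "and":
            take("and")
            rhs = atom()
            value = value and rhs
        return value

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok.isdigit():
            number = int(tok)
            if number not in results:
                raise ValueError("rule %d is not in the rule set" % number)
            return bool(results[number])
        if tok == "not":
            raise ValueError("'not' is not supported in rule set logic")
        raise ValueError("unexpected token %r" % tok)

    value = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return value


def default_logic(results):
    """Default rule set logic: every configured rule must be satisfied."""
    return all(bool(v) for v in results.values())


if __name__ == "__main__":
    # Rules from the guide's example: 1 = AV installed and running,
    # 2 = Windows 10, 3 = Windows 7. Endpoint states are constructed.
    win10_no_av = {1: False, 2: True, 3: False}
    win7_with_av = {1: True, 2: False, 3: True}
    for label, state in (("Windows 10, no AV", win10_no_av), ("Windows 7 with AV", win7_with_av)):
        print(label, "default logic:", default_logic(state),
              "| (1 and 3) or 2:", evaluate_logic("(1 and 3) or 2", state))
```

Both constructed endpoints fail the default (all-rules) logic and pass (1 and 3) or 2, which is the difference step 8 describes. An unbalanced parenthesis or a reference to a rule number that does not exist raises ValueError before anything is evaluated, which is the check worth running before saving a hand-typed Rule Logic string.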
Editing a Zero Trust tagging rule set
To edit a Zero Trust tagging rule: 1. Go to Zero Trust Tags > Zero Trust Tagging Rules. 2. Select the Zero Trust tagging rule. 3. Click Edit. 4. Edit as desired. 5. Click Save.
Deleting a Zero Trust tagging rule
To delete a Zero Trust tagging rule:
1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
2. Click the desired Zero Trust tagging rule.
3. Click Delete.
4. In the confirmation dialog, click Yes.
Importing and exporting a Zero Trust tagging rule set
You can import and export Zero Trust tagging rule set as a JSON file.
To import a Zero Trust tagging rule set: 1. Go to Zero Trust Tags > Zero Trust Tagging Rules. 2. Click Import. 3. In the Import Rule Sets dialog, browse to and select the desired rule set JSON file. 4. Click Import.
To export a Zero Trust tagging rule set: 1. Go to Zero Trust Tags > Zero Trust Tagging Rules. 2. Select the desired rule set. 3. Click Export. 4. Save the JSON file to the desired directory.
Uploading signatures for FortiGuard Outbreak Alerts service
You can use a Zero Trust tagging rule as a predefined rule for FortiGuard outbreak alerts by uploading rule signatures.
To configure a Zero Trust tagging rule as a predefined rule for outbreak alerts by uploading rule signatures:
1. In EMS, go to Zero Trust Tags > Zero Trust Tagging Rules.
2. Click Import Signatures.
3. In the Import FortiGuard Outbreak Alert Signatures dialog, upload a JSON file. The JSON file should contain an array of alert objects, each with a tag name and an array of signatures. Each signature should have the following properties: os (windows, mac, linux, ios, android), type (file, registry, process), and content. If the import succeeds, EMS displays a FortiGuard outbreak alert signatures imported successfully message. If the file is formatted incorrectly, EMS shows an Invalid JSON error.
4. View tagged endpoints in Zero Trust Tags > Zero Trust Tag Monitor.
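The following is an added example, not Fortinet code or part of this guide: a validator that checks a signature file against the structure described in step 3 (an array of alert objects, each with a tag name and an array of signatures whose os, type and content values are constrained) before you upload it, so that a malformed file is caught locally rather than as an Invalid JSON error in EMS. The key names "tag" and "signatures" are an assumption, since the guide names the fields but not the JSON keys; the sample document is constructed.

```python
"""Added example, not Fortinet code: validate a FortiGuard Outbreak Alert
signature file before importing it into EMS.

Only the structure the guide describes is checked: an array of alert
objects, each with a tag name and an array of signatures, every signature
carrying os (windows, mac, linux, ios, android), type (file, registry,
process) and content. The key names "tag" and "signatures" are an
assumption, and the sample document is constructed for this example.
"""
import json

VALID_OS = {"windows", "mac", "linux", "ios", "android"}
VALID_TYPE = {"file", "registry", "process"}

# Constructed sample: one alert with three signatures across two OSes.
SAMPLE_JSON = json.dumps([
    {"tag": "Outbreak-Example", "signatures": [
        {"os": "windows", "type": "process", "content": "example_loader.exe"},
        {"os": "windows", "type": "registry", "content": "HKLM\\SOFTWARE\\Example\\Run"},
        {"os": "linux", "type": "file", "content": "/tmp/.example"},
    ]},
])


def validate_outbreak_signatures(text):
    """Return a list of problems; an empty list means the file should import.
    Malformed JSON is reported as the single problem "Invalid JSON", matching
    the error EMS shows for a badly formatted file."""
    try:
        doc = json.loads(text)
    except ValueError:
        return ["Invalid JSON"]
    if not isinstance(doc, list):
        return ["top level must be an array of alert objects"]
    problems = []
    for ai, alert in enumerate(doc):
        where = "alert[%d]" % ai
        if not isinstance(alert, dict):
            problems.append(where + ": not an object")
            continue
        tag = alert.get("tag")
        if not isinstance(tag, str) or not tag.strip():
            problems.append(where + ": missing tag name")
        sigs = alert.get("signatures")
        if not isinstance(sigs, list) or not sigs:
            problems.append(where + ": signatures must be a non-empty array")
            continue
        for si, sig in enumerate(sigs):
            swhere = "%s.signatures[%d]" % (where, si)
            if not isinstance(sig, dict):
                problems.append(swhere + ": not an object")
                continue
            os_name, sig_type, content = sig.get("os"), sig.get("type"), sig.get("content")
            if not isinstance(os_name, str) or os_name not in VALID_OS:
                problems.append("%s: os %r not in %s" % (swhere, os_name, sorted(VALID_OS)))
            if not isinstance(sig_type, str) or sig_type not in VALID_TYPE:
                problems.append("%s: type %r not in %s" % (swhere, sig_type, sorted(VALID_TYPE)))
            if not isinstance(content, str) or not content.strip():
                problems.append(swhere + ": content must be a non-empty string")
    return problems


if __name__ == "__main__":
    print("sample:", validate_outbreak_signatures(SAMPLE_JSON) or "OK")
    print("garbage:", validate_outbreak_signatures("{not json"))
```

Each problem names the alert and signature index it refers to, so a rejected file can be corrected at the exact entry rather than by re-reading the whole document.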
Managing tags
The Manage Tags window displays all configured tags and the rules that apply that tag to endpoints that satisfy the rule. You can delete tags that do not have any rules attached.
To manage tags:
1. Go to Zero Trust Tags > Zero Trust Tagging Rules.
2. Click Manage Tags. You can see the list of tags and the associated rules. In the example, the BYOD and Local User tags both have two rules attached.
3. To delete a tag with no rules attached, click the X beside the corresponding tag. In this example, the Server 2012 tag does not have any rules attached.
4. In the confirmation dialog, click Yes.
Zero Trust tagging rule types
The following table describes Zero Trust tagging rule types and the OSes that they are available for. For all rule types, you can configure multiple conditions using the + button.
Rule type: AD Group
OS: Windows, macOS
Description: From the AD Group dropdown list, select the desired AD group. EMS considers the endpoint as satisfying the rule if the logged-in user belongs to the selected AD group. The rule considers the logged-in user's group membership, not the computer's attributes. You can also use the NOT option to indicate that the rule requires that the logged-in user does not belong to certain AD groups. You cannot use the NOT option to indicate that the rule requires that the logged-in user does not belong to any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain. To use this option, you must configure your domain under Endpoints. See Adding endpoints on page 86. Only FortiClient 6.2.2+ endpoints support this rule type.

Rule type: AntiVirus Software
OS: Windows, macOS, Linux
Description: From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third-party AV software is installed and if the software reports signatures as up-to-date. The endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+ endpoints support this rule type.

Rule type: Certificate
OS: Windows, macOS, Linux
Description: In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint. FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores. The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

Rule type: EMS Management
OS: Windows, macOS, Linux, iOS, Android
Description: EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to EMS.

Rule type: File
OS: Windows, macOS, Linux
Description: In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint. The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Rule type: Logged in Domain
OS: Windows, macOS
Description: In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

Rule type: OS Version
OS: Windows, macOS, Linux, iOS, Android
Description: From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

Rule type: On-Fabric Status
OS: Windows, macOS, Linux, iOS, Android
Description: By default, the rule requires that the endpoint is on-Fabric. You can also use the NOT option to indicate that the rule requires that the endpoint is off-Fabric.

Rule type: Registry Key
OS: Windows
Description: In the Registry Key field, enter the registry path or value name. End the path with \ to indicate a registry path, or without \ to indicate a registry value name. You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not present on the endpoint. This rule does not support using the value data. For example, consider a system where Firefox is installed. In this example, the registry path is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main. The value name is Install Directory, and the value data is C:\Program Files\Mozilla Firefox. You can configure a registry key rule to match Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main as the path or Install Directory as the registry value name, but you cannot configure a rule to match C:\Program Files\Mozilla Firefox. The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.

Rule type: Running Process
OS: Windows, macOS, Linux
Description: In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint. The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Rule type: Sandbox Detection
OS: Windows, macOS
Description: From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days. Only FortiClient 6.2.2+ endpoints support this rule type.

Rule type: Vulnerable Devices
OS: Windows, macOS, Linux
Description: From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Rule type: Security
OS: macOS
Description: Select the checkbox to require that FileVault is enabled on the endpoint. You can also use the NOT option to indicate that the rule requires that FileVault is disabled on the endpoint.

Rule type: Windows Security
OS: Windows
Description: From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the NOT option for the rule to require that the endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall disabled. The endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+ endpoints support this rule type.

Rule type: User Identity
OS: Windows, macOS, Linux, iOS, Android
Description: Under User Identity, select the following:
- User Specified: endpoint user manually entered their personal information in FortiClient.
- Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
  - All Accounts: all endpoints where the user logged in to the specified social network account type.
  - Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.
EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions. You can also use the NOT option for the rule to require that the endpoint user has not manually entered user details or logged in to a social network account to allow FortiClient to obtain user details. Only FortiClient 6.2.2+ endpoints support this rule type. FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not support social network login with Salesforce.
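To make the condition semantics in the table concrete, here is an added Python model (not Fortinet code) of how the NOT option and the all-conditions rule types (File, Registry Key, AntiVirus Software) versus the one-of rule types (Logged in Domain) combine, using the guide's Firefox registry example and the AV-Running and RED-Alert tags from the VPN restriction example later in this chapter. The rule-type identifiers, the endpoint fact layout, the risk.txt location and the LegacyInstall value name are assumptions.

```python
"""Model of how EMS combines Zero Trust tagging rule conditions.

Added example, not Fortinet code. It reproduces what the rule-type table
states: the NOT option, rule types where every configured condition must
hold (File, Registry Key, AntiVirus Software) versus rule types where one
configured value suffices (Logged in Domain), and the trailing backslash
that marks a registry path rather than a value name. Rule-type identifiers,
endpoint fact layout, risk.txt location and LegacyInstall are assumptions."""
from dataclasses import dataclass

# Rule types where the endpoint must satisfy all configured conditions.
ALL_CONDITIONS = {"file", "registry_key", "antivirus"}
# Rule types where satisfying one configured condition is enough.
ANY_CONDITION = {"logged_in_domain"}


@dataclass(frozen=True)
class Condition:
    value: str
    negate: bool = False  # the NOT option in the EMS rule editor

@dataclass(frozen=True)
class Rule:
    rule_type: str
    tag: str
    conditions: tuple

def condition_present(rule_type, endpoint, value):
    """Does the raw condition hold on the endpoint, before NOT is applied?"""
    if rule_type == "file":
        return value in endpoint["files"]
    if rule_type == "registry_key":
        # Trailing backslash: a registry path. Otherwise: a value name.
        # Value data (e.g. C:\Program Files\Mozilla Firefox) is never consulted.
        if value.endswith("\\"):
            return value.rstrip("\\") in endpoint["registry_paths"]
        return value in endpoint["registry_value_names"]
    if rule_type == "antivirus":
        # AV status flags as reported through the Windows Security Center.
        return bool(endpoint["antivirus"].get(value, False))
    if rule_type == "logged_in_domain":
        return endpoint["domain"].lower() == value.lower()
    raise ValueError("unsupported rule type: %s" % rule_type)

def rule_matches(rule, endpoint):
    """Apply NOT per condition, then combine according to the rule type."""
    if rule.rule_type not in ALL_CONDITIONS | ANY_CONDITION:
        raise ValueError("unsupported rule type: %s" % rule.rule_type)
    outcomes = []
    for cond in rule.conditions:
        present = condition_present(rule.rule_type, endpoint, cond.value)
        outcomes.append(not present if cond.negate else present)
    return all(outcomes) if rule.rule_type in ALL_CONDITIONS else any(outcomes)

def tags_for(endpoint, rules):
    """Tags the Zero Trust Tag Monitor would show for this endpoint."""
    return {r.tag for r in rules if rule_matches(r, endpoint)}

# Registry path from the guide's Firefox example; the risk.txt path is assumed.
FIREFOX_MAIN = ("Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla\\"
                "Mozilla Firefox\\88.0 (x64 en-US)\\Main")
RISK_FILE = "C:\\Users\\Public\\risk.txt"

# The two rules of the VPN restriction example: compliant endpoints have AV
# installed and running; non-compliant ones carry the risk.txt marker file.
VPN_RULES = [
    Rule("antivirus", "AV-Running", (Condition("installed_running"),)),
    Rule("file", "RED-Alert", (Condition(RISK_FILE),)),
]
# Further rules: registry path AND NOT a value name; one of two domains.
EXTRA_RULES = [
    Rule("registry_key", "Firefox-88-No-Legacy",
         (Condition(FIREFOX_MAIN + "\\"), Condition("LegacyInstall", negate=True))),
    Rule("logged_in_domain", "Corp-Domain",
         (Condition("corp.example.com"), Condition("lab.example.com"))),
]

def endpoint_state(av_running, risk_file_present):
    """Constructed facts for a Windows endpoint in the compliant,
    non-compliant or rogue state the guide's verification steps describe."""
    files = {"C:\\Windows\\notepad.exe"}
    if risk_file_present:
        files.add(RISK_FILE)
    return {
        "files": files,
        "registry_paths": {FIREFOX_MAIN},
        "registry_value_names": {"Install Directory"},
        "antivirus": {"installed_running": av_running},
        "domain": "corp.example.com",
    }

if __name__ == "__main__":
    for label, ep in [("compliant", endpoint_state(True, False)),
                      ("non-compliant", endpoint_state(True, True)),
                      ("rogue", endpoint_state(False, False))]:
        print("%-13s %s" % (label, sorted(tags_for(ep, VPN_RULES + EXTRA_RULES))))
```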
Zero Trust Tag Monitor
You can view all dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. EMS creates dynamic endpoint groups based on the tag configured for each rule.
Refresh: Click to refresh the list of tagged endpoints in the content pane.
Endpoint: Endpoint's hostname.
User: Name of the user logged into the endpoint.
OS: OS currently installed on the endpoint.
IP: Endpoint's IP address.
Tagged on: Date and time that EMS added the endpoint to the dynamic endpoint group.
FortiOS dynamic policies using EMS dynamic endpoint groups
After defining Zero Trust tagging rules in EMS, you can configure FortiOS to receive the dynamic endpoint groups from EMS using the FortiClient EMS Fabric connector, which supports SSL and imports trusted certificates. When a change to the dynamic endpoint groups occurs, such as an endpoint being added to or removed from a group, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly, providing dynamic access control based on endpoint status. EMS supports this feature with FortiOS 6.4 and 6.2. Configuration differs depending on the FortiOS version that you use:
- Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups on page 207
- Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups on page 211
FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway.
This feature works for endpoints that are connected to a VPN tunnel as long as they can access EMS and the FortiOS version is 6.4.7 or later.
Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
FortiOS 6.4 uses an EMS connector to retrieve dynamic endpoint groups from EMS. The following instructions only apply when using FortiOS 6.4. Configuring this feature requires the following steps:
1. Checking prerequisites on page 207
2. Configuring the EMS connector on page 208:
   a. Uploading certificates to EMS and FortiOS on page 208
   b. Creating the EMS connector in FortiOS on page 208
   c. Authorizing the FortiOS EMS connector in EMS on page 209
   d. Verifying the FortiOS-EMS connection in FortiOS on page 210
3. Creating a dynamic firewall policy using dynamic endpoint groups from EMS on page 210
If you configure a connection between EMS and a FortiGate that is part of a Security Fabric with multiple FortiGates, the root FortiGate can also obtain Zero Trust tags from EMS. However, the root FortiGate does not have any IP addresses to associate with the received tags.
Checking prerequisites
You must ensure that the following prerequisites are met before configuring this feature:
- Create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set on page 199.
- After FortiClient connects Telemetry to EMS, confirm that EMS dynamically groups endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor on page 206.
- Export a certificate authority (CA)-signed certificate to upload to FortiOS and a web server certificate to upload to EMS. For details on configuring a server certificate using the Microsoft Certification Authority Management Console, see Configure the Server Certificate Template. You can use another CA as desired.
Configuring the EMS connector
Uploading certificates to EMS and FortiOS
To upload certificates to EMS and FortiOS:
Certificates are required to set up a secure connection between EMS and FortiOS. Uploading the CA-signed certificate to FortiOS allows FortiOS to trust the certificate that you upload to EMS.
1. Upload the server certificate to EMS:
   a. Go to System Settings > EMS Settings.
   b. Under Shared Settings, click the Upload new SSL certificate button.
   c. Upload the server certificate and private key. Click Test.
   d. Click Save.
2. Upload the certificate to FortiOS:
   a. Go to System > Certificates.
   b. From the Import dropdown list, select CA Certificates.
   c. Upload the CA-signed certificate.
Creating the EMS connector in FortiOS
You can create the EMS connector in the FortiOS GUI or CLI.
To create the EMS connector in the FortiOS GUI:
1. Go to Security Fabric > Fabric Connectors.
2. Click Create New, then select FortiClient EMS.
3. For Type, select FortiClient EMS.
4. In the Name field, enter the desired name.
5. In the IP/Domain name field, enter the EMS IP address or domain name. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format site.fqdn to integrate the FortiGate with a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy on page 261.
6. Ensure that Synchronize firewall addresses is enabled. This allows FortiOS to automatically create and synchronize firewall addresses for dynamic endpoint groups received from EMS.
7. Click OK.
To create the EMS connector in the FortiOS CLI:
config endpoint-control fctems
    edit "ems137"
        set fortinetone-cloud-authentication disable
        set server "172.16.200.137"
        set https-port 443
        set source-ip 0.0.0.0
        set pull-sysinfo enable
        set pull-vulnerabilities enable
        set pull-avatars enable
        set pull-tags enable
        set call-timeout 5000
    next
end
Authorizing the FortiOS EMS connector in EMS
To authorize the FortiOS EMS connector in EMS:
1. EMS must authorize the Fabric connector created in FortiOS. Do one of the following:
   a. Log in to EMS. A prompt displays to authorize the FortiGate. Click Authorize.
   b. Go to Administration > Fabric Devices. Select the desired FortiGate, then click Authorize.
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. See Fabric Devices on page 236.
Verifying the FortiOS-EMS connection in FortiOS
To verify the FortiOS-EMS connection in FortiOS:
1. Authorize the connection by doing one of the following:
   a. In the right pane, under FortiClient EMS Status, click Authorize.
   b. After EMS authorizes the FortiGate, authorize the connection in the FortiOS CLI by running the execute fctems verify <fctems> command.
2. FortiOS should now automatically pull the dynamic endpoint groups from EMS as dynamic firewall addresses. Go to Policy & Objects > Addresses to view the addresses.
Creating a dynamic firewall policy using dynamic endpoint groups from EMS
To create a dynamic firewall policy using dynamic endpoint groups from EMS:
1. In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
2. In the Source field, click +. The Select Entries pane appears. On the Address tab, select the address based on the desired dynamic endpoint group from EMS.
3. Configure other options as desired. Click OK.
4. Go to Policy & Objects > Firewall Policy to ensure the policy was created. FortiOS updates this policy when it receives updates from EMS.
Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups
FortiOS 6.2 uses the FSSO protocol to retrieve dynamic endpoint groups from EMS. The following instructions only apply when using FortiOS 6.2.
The following configuration is necessary for this feature:
1. In FortiClient EMS, create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set on page 199.
2. After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor on page 206.
3. In FortiOS, create the EMS Fabric connector.
4. Configure FSSO settings.
5. In FortiOS, create a user group based on EMS dynamic endpoint groups.
6. In FortiOS, create a dynamic firewall policy for the user group.
EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.
To create the EMS Fabric connector in FortiOS:
You can create the EMS Fabric connector in the FortiOS GUI or CLI. If desired, you can optionally configure the Fabric connector with an SSL certificate and a password for FSSO. If configured, you must configure the same certificate and password in EMS to ensure a successful connection.
1. Go to Security Fabric > Fabric Connectors.
2. Click Create New, then select FortiClient EMS.
3. In the Name field, enter the desired name.
4. For Type, select FortiClient EMS.
5. In the Primary Server IP field, enter the EMS IP address. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format site.fqdn to integrate the FortiGate with a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy on page 261.
6. (Optional) From the Trusted SSL certificate dropdown list, select the certificate.
7. (Optional) In the Password field, enter the desired password.
8. Click Apply & Refresh.
To configure EMS FSSO Settings:
If you configured a certificate and/or password in To create the EMS Fabric connector in FortiOS: on page 211, you must configure the same certificate and password in EMS.
1. If you configured a certificate for the EMS Fabric connector in FortiOS, do the following:
   a. In FortiOS, go to System > Certificates.
   b. Right-click the configured certificate, then select Download.
2. In EMS, go to System Settings > EMS Settings.
3. For SSL certificate, browse to and upload the certificate downloaded in step 1.
4. In the Configure FSSO Password field, enter the password.
5. Click Save.
To create a user group based on EMS dynamic groups:
1. In FortiOS, go to User & Device > User Groups. Click Create New.
2. In the Name field, enter the desired name.
3. For Type, select Fortinet Single Sign-On (FSSO).
4. In the Members field, click +. The Select Entries pane appears. Select the dynamic endpoint groups pulled from EMS.
5. Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
6. Click OK.
To create a dynamic firewall policy for the user group:
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.
1. In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
2. In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
3. Configure other options as desired. Click OK.
4. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.
Restricting VPN access to rogue/non-compliant devices with Security Fabric
The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-compliant devices using EMS and FortiOS 6.4. You can configure this feature with IPsec and SSL VPN. Configuring this feature consists of the following steps:
1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure the EMS connector in FortiOS. See Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups on page 207.
2. Configure VPN settings:
   a. IPsec VPN
   b. SSL VPN
3. Verify the configuration in FortiClient:
   a. IPsec VPN
   b. SSL VPN
Configuring VPN settings
To configure FortiOS IPsec VPN settings:
1. In FortiOS, go to VPN > IPsec Tunnels.
2. Click Create New > IPsec Tunnel.
3. On the VPN Setup tab, for Template type, select Remote Access.
4. For Remote device type, select Client-based, then FortiClient. Click Next.
5. On the Authentication tab, for Authentication method, select Pre-shared Key. Configure the desired preshared key (PSK).
6. Configure other fields as desired, then create the tunnel.
7. Configure policies:
   a. Go to Policy & Objects > Firewall Policy.
   b. Select the VPN IPS policy. Right-click, then select Copy.
   c. Right-click, then select Paste > Above. Repeat to paste two copies of the policy.
   d. Edit the top pasted policy to allow endpoint and EMS connection:
      i. For Destination, select the EMS destination.
      ii. For Service, set to EMS port 8013.
      iii. Set the Action to ACCEPT.
      iv. Enable, then save the policy.
   e. Edit the second pasted policy to restrict access to high-risk managed endpoints:
      i. In the Source field, select the tag that you configured to apply to non-compliant endpoints.
      ii. Set the Action to DENY.
      iii. Enable, then save the policy.
   f. Configure the third policy to permit only compliant endpoints to access resources:
      i. In Source, select the tag that you configured to apply to compliant endpoints.
      ii. Set the Action to ALLOW.
      iii. Enable, then save the policy.
8. Ensure that the policies are in the correct sequence and enabled.
To configure FortiOS SSL VPN settings:
1. In FortiOS, go to VPN > SSL-VPN Settings.
2. Configure the Listen on Port and HTTPS port fields as desired.
3. Under Authentication/Portal Mapping, select All Other Users/Groups, then select the portal from the Portal dropdown list.
4. Click the Apply button.
5. Configure policies:
   a. FortiOS displays a message that no SSL VPN policies exist. Select to create a new SSL VPN policy using the newly configured settings:
      i. From the Outgoing Interface dropdown list, select Internal.
      ii. For Source, select the desired users.
      iii. For Destination, select the EMS server.
      iv. Under Service, create a custom service with destination port 8013.
      v. Enable, then save the policy.
   b. Select the SSL VPN policy. Right-click, then select Copy.
   c. Right-click, then select Paste > Below. Repeat to paste two copies of the policy.
   d. Configure the policies:
      i. Edit the top pasted policy:
         i. For Source, select the tag that you configured to apply to non-compliant endpoints.
         ii. For Destination, select all.
         iii. For Service, select ALL.
         iv. Set the Action to DENY.
         v. Enable, then save the policy.
      ii. Edit the second pasted policy:
         i. In the Source field, select the tag that you configured to apply to compliant endpoints.
         ii. For Destination, select all.
         iii. For Service, select ALL.
         iv. Set the Action to ACCEPT.
         v. Enable, then save the policy.
6. Ensure that the policies are sequenced and enabled.
Verifying the configuration in FortiClient
To verify the configuration for IPsec VPN on FortiClient:
1. Install FortiClient on an endpoint and ensure that it is connected to EMS.
2. Configure and connect to an IPsec VPN tunnel.
3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
   a. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running tag should be applied.
   b. Ping a device on the network to ensure that it can be reached.
4. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
   a. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
   b. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.
5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
   a. Delete the risk.txt file, and stop AV services.
   b. Ensure that the user details page does not display any tags. The endpoint should lose network access.
To verify the configuration for SSL VPN on FortiClient:
1. Install FortiClient on an endpoint.
2. Configure and connect to an SSL VPN tunnel.
3. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
   a. Ensure that AV services are not running.
   b. On the user details page, ensure that EMS has applied no tags.
   c. Ping the EMS server. The endpoint should be unable to access internal resources.
   d. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.
4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
   a. Ensure that AV services are running.
   b. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-Running should be applied.
   c. Ping the EMS server again. The endpoint should be able to access internal resources.
5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
   a. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
   b. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example RED-Alert and AV-Running, should be applied.
Fabric Device Monitor
On the Fabric Device Monitor page, you can view all FortiGates that are connected to EMS. For information on connecting a FortiGate to EMS, see FortiOS dynamic policies using EMS dynamic endpoint groups on page 207. For each connected FortiGate, you can view the following information:
- Serial number
- IP address
- FortiOS version installed
- Last sync time between FortiClient EMS and the FortiGate
- Dynamic endpoint groups shared with the FortiGate and the number of endpoints in each group
FortiGuard Outbreak Alerts
FortiClient EMS receives predefined outbreak alert rules from FortiGuard to help protect your network from vulnerabilities. For example, consider that FortiGuard Labs discovers a zero-day vulnerability in a popular application. The Fortinet team then creates a new FortiGuard outbreak alert rule, which tags endpoints with that application installed as vulnerable. After EMS receives this new rule from FortiGuard, the EMS administrator can easily see which endpoints are vulnerable to the new outbreak. FortiGuard outbreak alert rules are similar to Zero Trust tagging rules in that you can use the tags to dynamically group endpoints, and the FortiOS administrator can also use the dynamic endpoint groups to build dynamic policy rules. See FortiOS dynamic policies using EMS dynamic endpoint groups on page 207. Unlike Zero Trust tagging rules, you cannot modify or delete FortiGuard outbreak alert rules. You can only enable or disable them from the FortiGuard Outbreak Alert Rules pane.
You can also view a rule to see its details. In this example, the endpoint only needs to satisfy one of the three criteria to be eligible for the rule. If EMS does not display the Rule Logic field, the default rule logic is an "or" relationship.
Software Inventory
You can centrally view a list of software installed on all endpoints. The list includes details for each application such as vendor and version information. You can view this information by application or vendor on the Applications pane or by host on the Hosts pane. FortiClient sends installed application information to FortiClient EMS. EMS sends software inventory logs to FortiAnalyzer for real-time and historic logging and reporting. FortiClient sends the software inventory information to EMS when it first registers to EMS. If software changes occur on the endpoint, such as installing new software, updating existing software, or removing existing software, FortiClient sends an updated inventory to EMS and EMS sends the changes to FortiAnalyzer. See System Settings on page 186. This feature requires the EPP license. See FortiClient EMS on page 21.
Applications
The FortiClient EMS administrator can view installed application information for all managed endpoints on the Applications pane.
To view the Applications content pane:
You can view information about installed applications on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications, a quick status bar, and a toolbar display in the content pane.

Total Applications: Number of applications that have been installed on all managed endpoints. Click to display the list of installed applications.
Total Vendors: Number of vendors whose applications have been installed on managed endpoints. Click to display the list of installed applications sorted by vendor.
New Detections: Number of applications that have been detected as newly installed since the last Telemetry communication. Click to display newly detected applications sorted by date detected.
Display by: Select to toggle between the following options:
- Display applications alphabetically by application name.
- Sort applications by vendor name.
Refresh: Click to refresh the list of applications in the content pane.
Clear Filters: Click to clear all filters applied to the list of files.
Name: Name of the installed application.
Vendor: Name of the installed application's vendor.
Version: Version number of the installed application.
First Detected: Date the application was first detected as installed on the endpoint.
Last Installed: Date the application was last installed on an endpoint.
Install Count: Number of endpoints the application is installed on.
To filter applications:
You can filter the list of applications displayed on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications displays.
2. You can apply filters by application name, vendor name, and version number. Click the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
   - All: Display all files that match the set filter.
   - Any: Display any file that matches the set filter.
   - Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
Hosts
The FortiClient EMS administrator can view installed application information for all managed endpoints by host on the Hosts pane.
To view the Hosts content pane:
You can view information about installed applications by host on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts, a quick status bar, and a toolbar display in the content pane.
Applications: Number of applications that have been installed on all managed endpoints.
Operating Systems: Number of different operating systems on managed endpoints.
View Details: Displays the list of software installed on the selected endpoint. For details on the application list headings, see To view the Applications content pane: on page 221.
Refresh: Click to refresh the list of applications in the content pane.
Clear Filters: Click to clear all filters applied to the list of files.
Host: Hostname.
User: Name of the endpoint user.
OS: Operating system installed on the endpoint.
IP: IP address of the endpoint.
Application Count: Number of applications installed on the endpoint.
Last Installation: Date of the most recent application installation on the endpoint.
To filter hosts:
You can filter the list of hosts displayed on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts displays.
2. You can apply filters by hostname, user name, OS name, and IP address. Click the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
To filter the list of applications installed on an endpoint, select the endpoint and click View Details. See To filter applications: on page 222 for details on filtering the list of applications.
Quarantine Management
You can view and allowlist files that FortiSandbox or AV has quarantined from a central management Files pane. You can also view and delete allowlisted files from the Allowlist pane.
This feature is only supported for Windows endpoints.
Files
FortiClient sends quarantined file information to FortiClient EMS. The FortiClient EMS administrator can view quarantined file information for all managed endpoints on the Files pane and allowlist files from FortiClient EMS if needed.
Viewing quarantined files
After FortiClient quarantines files on endpoints and sends the quarantined file information to FortiClient EMS, you can view the list of quarantined files on the Files pane. You can also view details about each quarantined file and use filters to access quarantined files with specific qualities.
To view the Files content pane:
You can view information about quarantined files on the Files content pane.
1. Go to Quarantine Management > Files. The list of quarantined files, a quick status bar, and a toolbar display in the content pane.
Quarantined Files: Number of files that FortiClient has quarantined on endpoints. Click to display the list of quarantined files.
Restored Files: Number of files that have been restored on endpoints. Click to display the list of restored files.
Affected Hosts: Number of hosts where FortiClient has quarantined files. Click to display the list of quarantined files sorted by hostname.
New Detections: Number of new detections. Click to display the list of newly detected threats sorted by date detected.
View: Toggle between the following options:
- View all files or view only quarantined files
- Show or hide full path names for files
Display by: Select to display the list of files by instance, host, threat, or date.
Search All Fields: Enter a value and press Enter to search for the value in the list of files.
Filters: Click to display and hide filters you can use to filter the list of files.
Refresh: Click to refresh the list of files in the content pane.
Clear Filters: Click to clear all filters applied to the list of files.
Checkbox: Click to select all files displayed in the content pane.
Host: Hostname of the endpoint. Also shows the group the endpoint belongs to.
File: Name of the file.
Size: Size of the file in bytes.
Threat: Name of threat.
Source: Displays how FortiClient detected the threat:
- Scheduled Scan
- Email Scan
- Startup Scan
- Manual Scan
- Realtime Scan
- Rootkit Manual Scan
- Sandbox Scan
Status: Status of the file: Quarantined, Quarantined & Allowlisted, Restored, or Deleted. Also shows the time that FortiClient quarantined the file.
Summary: Displays the number of threat instances and number of affected hosts.
To filter the file list:
You can filter the list of files displayed on the Files content pane.
1. Go to Quarantine Management > Files. The list of files displays.
2. Click the Filters menu, and set filters. The filter options display. For text values, you can use a comma (,) to separate values and an exclamation mark (!) to exclude a value.
Filename: Enter the file name(s) to include in the filter.
Location: Enter the file location(s) to include in the filter.
Checksum: Enter the checksum(s) to include in the filter.
Threat: Enter the threat(s) to include in the filter. You can also select the desired threat(s) from the dropdown list.
Source: Enter the source(s) to include in the filter. You can also select the desired source(s) from the dropdown list.
Status: Enter the status(es) to include in the filter. You can also select the desired status(es) from the dropdown list.
Date: Enter the range of dates to include in the filter.
Host: Enter the host(s) to include in the filter. You can also select the desired host(s) from the dropdown list.
Group: Enter the endpoint group(s) to include in the filter. You can also select the desired group(s) from the dropdown list.
3. Click Apply. The filtered list of files displays.
4. Click Clear Filters to clear the filter settings.
Allowlisting quarantined files
You can allowlist and restore quarantined files. This releases the files from quarantine and makes them accessible on the endpoint with the next Telemetry communication between FortiClient EMS and FortiClient.
To allowlist quarantined files:
1. Go to Quarantine Management > Files.
2. Select the desired files.
3. Click Allowlist & Restore.
4. In the confirmation dialog, click Yes, then Okay. The file status changes to Quarantined & Allowlisted.
Configuring quarantine management
You can configure EMS to delete quarantine records after a configured number of days. You cannot use EMS to delete quarantined files from endpoints. To configure EMS to delete quarantined files from an endpoint after a specified duration, configure the <cullage> XML option.
To configure quarantine management:
1. Go to Quarantine Management > Files.
2. Click the Quarantine Management Settings icon on the toolbar.
3. Enter the number of days after which to delete quarantine records from EMS. EMS determines the age of the quarantined file as when its status was last updated. For example, if you configure the duration as 180 days, EMS deletes the quarantine record 180 days after the file was last updated.
Allowlist
Viewing allowlisted files
You can view the list of allowlisted files in the Allowlist pane. You can also view details about each allowlisted file and use filters to access allowlisted files with specific qualities:
Go to Quarantine Management > Allowlist. The list of allowlisted files and a toolbar display in the content pane.
Refresh: Click to refresh the list of files in the content pane.
Clear Filters: Click to clear all filters applied to the list of files.
Advanced Information: Click to view the FortiSandbox and AV signature and engine versions.
Date: Date and time the file was allowlisted.
File: Name of the file.
Checksum: File's checksum.
Threat: Name of threat.
Description: The file's description. Blank by default.
To filter allowlisted files:
1. Go to Quarantine Management > Allowlist. The list of files displays.
2. You can apply filters by date, file name, checksum, threat, and description. Do the following:
a. To filter files by date, click the filter icon beside the Date heading. Select the desired date range in the Start and End fields. You can also enter a start time and end time on the selected dates. The default time is 12:00 PM.
b. To filter by file name, checksum, threat, or description, click the filter icon beside the desired heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
The filtered list of files displays.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
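The two filter syntaxes used in this chapter (the Files pane's comma-separated values with "!" for exclusion, and the All/Any/Not toggle on the Applications, Hosts and Allowlist panes) are small enough to pin down in code. The following is an added Python example, not code from the guide or from Fortinet; it assumes case-insensitive substring matching, which the guide does not specify, and the quarantine records it filters are constructed.

```python
"""Filter semantics for the Files and Allowlist panes (added example, not EMS code)."""


def parse_text_filter(expr):
    """Parse a Files-pane text filter: comma-separated values, '!' excludes a value.

    Returns (include_terms, exclude_terms), both case-folded. Substring matching
    is this example's assumption; the guide does not state how EMS compares values.
    """
    include, exclude = [], []
    for raw in expr.split(","):
        term = raw.strip()
        if not term:
            continue
        if term.startswith("!"):
            exclude.append(term[1:].strip().casefold())
        else:
            include.append(term.casefold())
    return include, exclude


def text_filter_matches(value, include, exclude):
    """A value passes if no exclude term occurs in it and, when include terms
    are given, at least one of them occurs in it."""
    v = value.casefold()
    if any(x and x in v for x in exclude):
        return False
    return not include or any(i in v for i in include)


def filter_files(records, **filters):
    """Apply one Files-pane text filter per field (field name -> filter expression)."""
    parsed = {field: parse_text_filter(expr) for field, expr in filters.items()}
    return [
        rec for rec in records
        if all(text_filter_matches(rec[f], inc, exc) for f, (inc, exc) in parsed.items())
    ]


def column_filter(values, mode, terms):
    """All/Any/Not toggle used by the Applications, Hosts and Allowlist panes.

    All: keep values containing every term; Any: at least one term;
    Not: none of the terms. Comparison is case-insensitive (assumption).
    """
    terms = [t.casefold() for t in terms]

    def keep(value):
        hits = [t in value.casefold() for t in terms]
        if mode == "All":
            return all(hits)
        if mode == "Any":
            return any(hits)
        if mode == "Not":
            return not any(hits)
        raise ValueError(f"unknown mode {mode!r}")

    return [v for v in values if keep(v)]


# Constructed quarantine records with a subset of the Files-pane columns.
RECORDS = [
    {"host": "PC-01", "file": "eicar.com", "threat": "EICAR_TEST_FILE",
     "source": "Realtime Scan", "status": "Quarantined", "group": "Finance"},
    {"host": "PC-02", "file": "tool.exe", "threat": "Riskware/ExampleTool",
     "source": "Scheduled Scan", "status": "Restored", "group": "IT"},
    {"host": "PC-03", "file": "dropper.dll", "threat": "W32/ExampleAgent",
     "source": "Sandbox Scan", "status": "Quarantined", "group": "Finance"},
]

if __name__ == "__main__":
    for rec in filter_files(RECORDS, status="Quarantined", threat="!Riskware"):
        print(rec["host"], rec["file"], rec["threat"])
    print(column_filter(["7-Zip", "Zoom", "Zip Reader"], "All", ["zip", "reader"]))
```

Note that a substring filter for "Quarantined" also matches the "Quarantined & Allowlisted" status; if you need only the former, add "!Allowlisted" to the same Status filter.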
Editing file descriptions
You can edit an allowlisted file's description. By default, the file description is blank.
To edit an allowlisted file's description:
1. Go to Quarantine Management > Allowlist.
2. Select the desired file.
3. Click Edit Description.
4. In the Required field, enter the desired description.
5. Click Confirm. The description appears under the Description heading.
Deleting a file from the allowlist
You can delete files from the allowlist. This reverts the file's status to quarantined on the endpoint with the next Telemetry communication.
To delete a file from the allowlist:
1. Go to Quarantine Management > Allowlist.
2. Select the desired file.
3. Click Delete.
4. In the confirmation dialog, click Yes. EMS deletes the file from the allowlist. FortiClient quarantines the file on the endpoint with the next Telemetry communication. You can view the file on the Files pane.
Administration
Administrators
This section describes how to configure Windows and LDAP users, create new user accounts, and activate disabled user accounts.
Viewing users
You can view the default admin user and all users added to FortiClient EMS. Go to Administration > Administrators. The following information displays:
Add: Add a new user.
Refresh: Refresh the list of users.
Name: The username.
Source: Type of user:
- BuiltIn: User accounts built into FortiClient EMS by default, such as the admin user.
- Windows: User accounts derived from Windows user accounts on the host server.
- LDAP: User accounts derived from users belonging to a configured AD domain.
- EMS: User accounts created in FortiClient EMS.
Role: Admin role assigned to the user. See Admin roles on page 232.
Trusted hosts: Trusted hosts configured for this user.
Last login or activation: Date and time of the user's last login or activation. Also shows if the account has been disabled due to inactivity. See Activating a disabled account on page 231.
Comments: Comments added when creating/configuring the user.
Configuring user accounts
You can configure Windows and LDAP users to have no access or administrator access to FortiClient EMS. You can also create a new user account in EMS.
EMS derives the Windows users from the host server that it is installed on. If you want to add more Windows users, you must add them to the host server. EMS derives the list of LDAP users from those in the AD domain imported into FortiClient EMS. If you want to add more LDAP users, they must already exist in the AD domain configured as the user server.
To configure Windows and LDAP user accounts:
1. Go to Administration > Administrators.
2. Click the Add button.
3. Under User source, select Choose from Windows users or Choose from LDAP.
4. If you selected Choose from LDAP, do the following to connect to a new LDAP server:
a. Configure the following:
IP address/Hostname: Enter the user server's IP address or name.
Port: Enter the port for EMS to use to connect to the user server.
Distinguished name: Enter the user server's DN. You must use only capital letters when configuring the DN.
Bind type: Select Simple, Anonymous, or Regular for the bind type.
Username: Appears only when the Regular bind type is selected. Enter the username.
Password: Appears only when the Regular bind type is selected. Enter the password.
Show Password: Show the password.
LDAPS connection: Enable LDAPS connection.
b. Click Test to check the LDAP server settings.
5. Click Next.
6. Configure the permissions:
Username: (New user account only) Enter the desired username.
User: (Windows/LDAP only) Select the user to configure permissions for.
Role: Select the desired admin role for this user. See Admin roles on page 232.
Domain Access: Select or add access to a domain for the Windows/LDAP user.
Restrict Login to Trusted Hosts: When this option is enabled, users can only log into this account from a trusted host machine. In the Trusted Hosts field, enter a trusted host machine's IP address. Use the + button to add multiple trusted host machines.
Comment: Enter optional comments/information for the Windows/LDAP user.
7. Click Save.
When an admin user from an AD domain logs into EMS, they must provide the domain name as part of their username to log in successfully. For example, if the domain name is "exampledomain" and the username is "admin", the user must enter "exampledomain/admin" when logging into EMS.
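Two of the controls in this procedure, Restrict Login to Trusted Hosts and the domain/username form for AD accounts, are easy to get subtly wrong when reviewing who can reach the EMS console from where. The following added Python example (not code from the guide or from Fortinet) evaluates a login attempt against an account record the way those rules read. The account record layout is constructed; accepting a CIDR prefix in the trusted-hosts list is an extension beyond the single IP addresses the guide describes, and is marked as such.

```python
"""Administrator login checks: trusted hosts and domain-qualified usernames.

Added example, not EMS code; the account record shape is an assumption.
"""
import ipaddress


def parse_trusted_hosts(entries):
    """Parse the Trusted Hosts field. The guide describes one IP address per
    entry; accepting a CIDR prefix as well is this example's extension."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def split_login_name(login):
    """'exampledomain/admin' -> ('exampledomain', 'admin'); no prefix -> (None, login)."""
    if "/" in login:
        domain, user = login.split("/", 1)
        return domain.casefold(), user
    return None, login


def authorize_login(account, login, source_ip):
    """Return (allowed, reason) for a login attempt against an account record.

    account keys (constructed): 'name', 'source' (BuiltIn/Windows/LDAP/EMS),
    'domain' (LDAP only), 'restrict_to_trusted_hosts', 'trusted_hosts', 'disabled'.
    """
    domain, user = split_login_name(login)
    if user != account["name"]:
        return False, "unknown user"
    if account["source"] == "LDAP":
        # AD-domain users must log in as domain/username, as the note above says.
        if domain != account["domain"].casefold():
            return False, "domain name must be given as domain/username"
    elif domain is not None:
        return False, "domain prefix not valid for a non-domain account"
    if account.get("disabled"):
        return False, "account disabled due to inactivity"
    if account["restrict_to_trusted_hosts"]:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in parse_trusted_hosts(account["trusted_hosts"])):
            return False, f"{source_ip} is not a trusted host"
    return True, "ok"


# Constructed accounts: the built-in admin locked to two trusted ranges, and
# an LDAP user from the "exampledomain" domain used in the guide's note.
ACCOUNTS = {
    "admin": {"name": "admin", "source": "BuiltIn", "domain": None,
              "restrict_to_trusted_hosts": True,
              "trusted_hosts": ["10.10.0.5", "10.10.1.0/24"], "disabled": False},
    "jdoe": {"name": "jdoe", "source": "LDAP", "domain": "exampledomain",
             "restrict_to_trusted_hosts": False, "trusted_hosts": [], "disabled": False},
}

if __name__ == "__main__":
    print(authorize_login(ACCOUNTS["admin"], "admin", "10.10.1.77"))
    print(authorize_login(ACCOUNTS["admin"], "admin", "192.0.2.9"))
    print(authorize_login(ACCOUNTS["jdoe"], "jdoe", "10.10.0.5"))
    print(authorize_login(ACCOUNTS["jdoe"], "exampledomain/jdoe", "10.10.0.5"))
```

The trusted-hosts check is evaluated after the account is matched, so a failure reports the source address rather than leaking whether the username exists is not a concern here; both outcomes are visible to an administrator reading EMS logs, which is the audience for this check.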
Activating a disabled account
FortiClient EMS disables user accounts that have been inactive for the period configured in User Settings > Allowed inactive days. See Configuring User Settings on page 236. When EMS disables an account, the user cannot log into FortiClient EMS and sees an error message that reads "Your account has been disabled due to inactivity. Please contact an EMS admin for assistance." A FortiClient EMS super administrator can activate the disabled account. After the super administrator activates the account, the user can log in as usual.
The built-in admin user account is always active. The Allowed inactive days setting does not affect the admin account.
To activate a disabled account:
1. Go to Administration > Administrators. EMS shows the deactivated user with a lock icon beside their name. The Last login or activation shows that EMS has disabled the account.
2. Click Activate. The user's status updates and they can log in as usual.
Admin roles
You can use admin roles to define the permissions each administrator account has in FortiClient EMS. You can use one of the default admin roles in FortiClient EMS or create a new admin role to assign to an administrator account. Each admin role can include permissions from three categories: endpoint permissions, policy permissions, and settings permissions.
The following describes the default admin roles in FortiClient EMS. You cannot edit or delete these admin roles.
Super administrator: Most privileged admin role. Complete access to all FortiClient EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions. The default admin account is a Super Administrator. You cannot assign another admin role to the admin account.
Standard administrator: Includes all endpoint and policy permissions, and read-only permissions to settings permissions.
Endpoint administrator: Includes all endpoint permissions and read-only permissions to policy and settings permissions.
Read-only administrator: Includes read-only permissions to endpoint, policy, and settings permissions.
Restricted administrator: No permissions enabled.
For admin roles that are not authorized for certain tasks or devices, EMS hides or disables the related menu items, items in content pages, and buttons.
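The default roles above are defined by category-level access (endpoint, policy, settings), while a custom role is built from individual permissions from the reference tables that follow. The following added Python example (not code from the guide or from Fortinet) models both, plus the rule that only the Super administrator can open the Administration section, and derives what the GUI would show for a role. The mapping of a handful of permission names onto a category and a read/manage level is this example's; the permission names themselves come from the guide's reference tables.

```python
"""Admin-role permission evaluation (added example, not EMS code)."""
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    MANAGE = 2


# Category-level access of the built-in roles, from the guide's table.
DEFAULT_ROLES = {
    "Super administrator":      {"endpoint": Access.MANAGE, "policy": Access.MANAGE, "settings": Access.MANAGE},
    "Standard administrator":   {"endpoint": Access.MANAGE, "policy": Access.MANAGE, "settings": Access.READ},
    "Endpoint administrator":   {"endpoint": Access.MANAGE, "policy": Access.READ,   "settings": Access.READ},
    "Read-only administrator":  {"endpoint": Access.READ,   "policy": Access.READ,   "settings": Access.READ},
    "Restricted administrator": {"endpoint": Access.NONE,   "policy": Access.NONE,   "settings": Access.NONE},
}

# A subset of permissions from the reference tables, mapped by this example onto
# (category, access level needed). "View ..." is READ, "Manage ..." is MANAGE.
PERMISSIONS = {
    "View quarantine management": ("endpoint", Access.READ),
    "Run commands on endpoints": ("endpoint", Access.MANAGE),
    "View endpoint policies": ("policy", Access.READ),
    "Manage endpoint profiles": ("policy", Access.MANAGE),
    "View server settings": ("settings", Access.READ),
    "Manage server settings": ("settings", Access.MANAGE),
}

ADMIN_SECTION = "Administration section"   # only the Super administrator role, per the guide


def make_role(name, permissions=None):
    """Build a role record. A built-in role expands from its category levels;
    a custom role carries exactly the permission names it was given."""
    if name in DEFAULT_ROLES:
        levels = DEFAULT_ROLES[name]
        perms = {p for p, (cat, need) in PERMISSIONS.items() if levels[cat] >= need}
    else:
        perms = set(permissions or ())
        unknown = perms - set(PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return {"name": name, "permissions": perms}


def allowed(role, action):
    """Is this role authorized for the action (a permission name or the
    Administration section)?"""
    if action == ADMIN_SECTION:
        return role["name"] == "Super administrator"
    if action not in PERMISSIONS:
        raise KeyError(action)
    return action in role["permissions"]


def visible_actions(role):
    """What the GUI leaves enabled for the role; the guide says EMS hides or
    disables menu items, content items and buttons the role is not authorized for."""
    return [a for a in [*PERMISSIONS, ADMIN_SECTION] if allowed(role, a)]


if __name__ == "__main__":
    for name in DEFAULT_ROLES:
        print(f"{name}: {visible_actions(make_role(name))}")
    helpdesk = make_role("Helpdesk", ["View quarantine management", "View endpoint policies"])
    print("Helpdesk:", visible_actions(helpdesk))
```

When reviewing custom roles, compare their expanded permission set against the nearest built-in role; a custom role that reaches "Manage server settings" is effectively a Standard administrator with write access to settings, which none of the built-in roles below Super administrator grants.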
Adding an admin role
To add an admin role:
1. Go to Administration > Admin Roles.
2. Click Add.
3. In the Name field, enter the admin role name.
4. (Optional) In the Description field, enter the description.
5. Configure the permissions as desired. See Admin role permissions reference on page 233.
6. Click Save.
Cloning an admin role
1. Go to Administration > Admin Roles.
2. Select the desired admin role.
3. Click Clone.
4. Configure settings for the cloned admin role, then click Save.
Deleting admin roles
1. Go to Administration > Admin Roles.
2. Select the desired admin role.
3. Click Delete.
4. In the confirmation dialog, click Yes.
Admin role permissions reference
The following tables list the permissions available when configuring an admin role. The tables also include a description of what the permission allows the user to do and a link to the relevant section in this guide. Permissions that apply to Chromebook management are denoted with an asterisk (*).
Endpoint permissions
Manage LDAPs: Manage connections to LDAP servers to import users from. See Configuring user accounts on page 230.
Manage Google domains*: Manage connections to Google domains to decide which Chromebooks to manage. See Google Domains on page 110.
Manage custom groups: Create, rename, and edit groups to manage endpoints. See Managing groups on page 86.
Run commands on endpoints: Perform actions on endpoints on the Endpoints pane, including uploading FortiClient logs, requesting diagnostic results, and so on. See Managing endpoints on page 99.
Block/Unblock/Quarantine/Unquarantine/Reregister endpoints: Manage endpoint access to the network through blocking, quarantine, and registration. See Managing endpoints on page 99.
Manage and assign endpoint policies: See Endpoint Policy & Components on page 124.
View group assignment rules: View group assignment rules. See Group assignment rules on page 106.
Manage group assignment rules: Create, delete, and edit group assignment rules. See Group assignment rules on page 106.
View endpoint filter bookmarks: View endpoint filter bookmarks. See Using bookmarks to filter the list of endpoints on page 96.
Manage endpoint filter bookmarks: Create, delete, and edit endpoint filter bookmarks. See Using bookmarks to filter the list of endpoints on page 96.
View quarantine management: View lists of quarantined and allowlisted files. See Quarantine Management on page 224.
Manage quarantine management: Allowlist and restore quarantined files and remove files from the allowlist. See Quarantine Management on page 224.
View software inventory: See Software Inventory on page 221.
Manage software inventory: See Software Inventory on page 221.
Policy permissions
View endpoint policies*: View endpoint policies. See Endpoint Policy & Components on page 124.
View endpoint profiles*: View endpoint profiles. See Endpoint Profiles on page 136.
Manage endpoint profiles*: Create, delete, and edit endpoint profiles. See Endpoint Profiles on page 136.
View Zero Trust tagging rules: View Zero Trust tagging rules. See Zero Trust Tagging Rules on page 199.
Manage Zero Trust tagging rules: Create, delete, and edit Zero Trust tagging rules. See Zero Trust Tagging Rules on page 199.
View Zero Trust telemetry server lists: View Telemetry server lists.
Manage Zero Trust telemetry server lists: Create, delete, and edit Telemetry server lists.
View installers: View installers. See FortiClient Installer on page 120.
Manage installers: Create, delete, and edit installers. See FortiClient Installer on page 120.
View CA certificates: View CA certificates. See CA Certificates on page 129.
Manage CA certificates: Upload, import, and delete CA certificates. See CA Certificates on page 129.
View on-fabric detection rules: View on-fabric detection rules. See On-fabric Detection Rules on page 131.
Manage on-fabric detection rules: Create, delete, and edit on-fabric detection rules. See On-fabric Detection Rules on page 131.
Setting permissions
View server settings*: View Server settings. See Configuring EMS settings on page 244.
Manage server settings*: Modify Server settings. See Configuring EMS settings on page 244.
View Fortinet services settings: View FortiGuard Services settings. See Configuring FortiGuard Services settings on page 249.
Manage Fortinet services settings: Modify FortiGuard Services settings. See Configuring FortiGuard Services settings on page 249.
View endpoint settings: View Endpoints settings. See Configuring EMS settings on page 244.
Manage endpoint settings: Modify Endpoints settings. See Configuring EMS settings on page 244.
View login banner settings*: View login banner settings. See Configuring EMS settings on page 244.
Manage login banner settings*: Modify login banner settings. See Configuring EMS settings on page 244.
View alert settings*: View Alerts settings. See Alerts on page 251.
Manage alert settings*: Modify Alerts settings. See Alerts on page 251.
View custom message settings: View endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 255.
Manage custom message settings: Modify endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 255.
View feature select settings: View feature select settings. See Feature Select on page 257.
Manage feature select settings: Modify feature select settings. See Feature Select on page 257.
Configuring User Settings
To configure User Settings:
1. Go to Administration > User Settings.
2. Set the following options:
Inactivity timeout: Specify how long to keep inactive users logged into FortiClient EMS. When the time expires, EMS automatically logs the user out. Enter 0 to keep inactive users logged into FortiClient EMS indefinitely.
Allowed inactive days: Specify the number of days of inactivity after which to disable a user account. For example, if this field is set to 10 and a user does not log into FortiClient EMS for ten days, EMS disables their account so that they cannot log into FortiClient EMS. A super administrator can reactivate their account. See Activating a disabled account on page 231.
Maximum password age: Specify the number of days after which to force the user to change their password. Enter 0 to disable this setting. This setting only applies to built-in users such as the admin user and EMS users.
3. Click Save.
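The three User Settings interact with the account source and with the built-in admin exception described under Activating a disabled account. The following added Python example (not code from the guide or from Fortinet) evaluates constructed account records against a settings block the way those rules read. The guide gives no unit for Inactivity timeout, so minutes is assumed here; treating 0 in Allowed inactive days as "never disable" is likewise an assumption, mirroring the documented meaning of 0 for the other two fields.

```python
"""User Settings lifecycle checks (added example, not EMS code)."""
from datetime import datetime, timedelta


def session_expired(last_activity, now, inactivity_timeout_minutes):
    """Inactivity timeout: 0 keeps inactive sessions logged in indefinitely.
    The guide gives no unit for the field; minutes is this example's assumption."""
    if inactivity_timeout_minutes == 0:
        return False
    return now - last_activity >= timedelta(minutes=inactivity_timeout_minutes)


def account_disabled(account, now, allowed_inactive_days):
    """Allowed inactive days: an account unused for that many days is disabled.
    The built-in admin account is never affected (stated in the guide)."""
    if account["source"] == "BuiltIn" and account["name"] == "admin":
        return False
    if allowed_inactive_days == 0:   # assumption: 0 turns the check off, as for the other fields
        return False
    return now - account["last_login_or_activation"] >= timedelta(days=allowed_inactive_days)


def password_expired(account, now, max_password_age_days):
    """Maximum password age: 0 disables the check; it applies only to built-in
    and EMS users. Windows and LDAP passwords are governed by their directory."""
    if max_password_age_days == 0 or account["source"] not in ("BuiltIn", "EMS"):
        return False
    return now - account["password_changed"] >= timedelta(days=max_password_age_days)


def activate(account, now):
    """A super administrator activating an account resets its
    'Last login or activation' timestamp, so the inactivity clock restarts."""
    return dict(account, last_login_or_activation=now)


def evaluate(account, now, settings):
    """Summarize an account's state under the given User Settings."""
    return {
        "disabled": account_disabled(account, now, settings["allowed_inactive_days"]),
        "password_expired": password_expired(account, now, settings["max_password_age_days"]),
    }


# Constructed settings and accounts; NOW is fixed so the results are repeatable.
SETTINGS = {"inactivity_timeout_minutes": 30, "allowed_inactive_days": 10, "max_password_age_days": 90}
NOW = datetime(2021, 10, 14, 9, 0)
ACCOUNTS = [
    {"name": "admin", "source": "BuiltIn",
     "last_login_or_activation": NOW - timedelta(days=400), "password_changed": NOW - timedelta(days=400)},
    {"name": "ops1", "source": "EMS",
     "last_login_or_activation": NOW - timedelta(days=12), "password_changed": NOW - timedelta(days=100)},
    {"name": "jdoe", "source": "LDAP",
     "last_login_or_activation": NOW - timedelta(days=3), "password_changed": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["name"], acct["source"], evaluate(acct, NOW, SETTINGS))
    print("ops1 after activation:", evaluate(activate(ACCOUNTS[1], NOW), NOW, SETTINGS))
```

The admin row is the one to notice: the built-in account is exempt from the inactivity lock but not from password ageing, so Maximum password age is the only one of the three settings that constrains it.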
Fabric Devices
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. You can also deny or authorize a FortiGate.
You can also use the Share tag info from all FortiClients and Share tag info from FortiClients connected to additional FortiGates options to configure sharing endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag") to the FortiGates. The following summarizes the results for these two options' configuration combinations:
Share tag info from all FortiClients disabled, Share tag info from FortiClients connected to additional FortiGates disabled: This is the default setting. The selected FortiGate only receives the host tags for endpoints whose gateways point to the selected FortiGate.
Share tag info from all FortiClients disabled, Share tag info from FortiClients connected to additional FortiGates enabled with additional FortiGates selected: The selected FortiGate receives host tags for the following:
- Endpoints whose gateways point to the selected FortiGate
- Endpoints whose gateways point to the configured additional FortiGates
Share tag info from all FortiClients enabled, Share tag info from FortiClients connected to additional FortiGates disabled: The selected FortiGate receives host tags for all endpoints, regardless of whether the gateways point to the selected FortiGate.
To change the FortiGate authorization status:
1. Go to Administration > Fabric Devices.
2. Select the desired FortiGate.
3. Click Deny or Authorize. The FortiGate status in the Authorized column changes.
Configuring EMS to share tagging information with multiple FortiGates
When an endpoint has a Zero Trust tag applied and EMS is operating as part of a Fortinet Security Fabric, the FortiGate that the endpoint's FortiClient gateway points to receives the endpoint's resolved IP or MAC address (hereafter referred to as "host tag") from EMS.
If your EMS is operating as part of a Security Fabric with multiple FortiGates, you may want to configure EMS to send the host tag to other FortiGates in the Fabric, in addition to the FortiGate that the endpoint's FortiClient gateway points to. You can configure this as follows.
The following illustrates the topology in this example:
The following is true for this scenario:
- Both FortiGates are connected to EMS as part of a Security Fabric.
- FortiClient is registered to EMS.
- The FortiClient gateway points to the first floor FortiGate.
- The FortiClient endpoint has the TAG_ANTIVIRUS_ON Zero Trust tag applied.
- The host tag of the FortiClient endpoint with TAG_ANTIVIRUS_ON applied is 10.100.91.100.
By default in this example, the core FortiGate does not retrieve the host-tag information for TAG_ANTIVIRUS_ON. This is because the FortiClient device gateway is 10.100.91.1, which does not match the core FortiGate.
You can configure the core FortiGate to retrieve the host tag for TAG_ANTIVIRUS_ON by allowing the host tag to sync from FortiClient endpoints connected to the first floor FortiGate to the core FortiGate.
To configure EMS to share the host tag to additional FortiGates:
1. Go to Administration > Fabric Devices.
2. Select the serial number associated with the core FortiGate. In this example, it is FGVM02TM21011924. By default, Send tag info from all FortiClients is disabled.
3. Click Edit.
4. Enable Share tag info from FortiClients connected to additional FortiGates.
5. From the dropdown list, select the serial number of the FortiGate on the first floor. In this example, it is FGVM02TM21011669. This change triggers EMS to resynchronize tag information to the first floor FortiGate.
6. Click Save.
7. Reselect the core FortiGate. It now displays that it receives host tag information from the first floor FortiGate.
8. Verify that the core FortiGate is receiving the tag information:
a. In FortiOS on the core FortiGate, go to Policy & Objects > ZTNA > ZTNA Tags.
b. Hover over the ZTNA tag TAG_ANTIVIRUS_ON. Confirm that the Resolves To IP address displays the FortiClient IP address.
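The decision table under Fabric Devices and the two-FortiGate walkthrough above describe the same rule from two angles. The following added Python example (not code from the guide or from Fortinet) encodes that rule and runs it over the walkthrough's topology, using the serial numbers, tag and host tag the guide gives; the second endpoint, its TAG_EXAMPLE tag and its 10.100.90.50 host tag are constructed to show the default case where the core FortiGate does receive a tag. The FortiGate and endpoint record layouts are assumptions.

```python
"""Host-tag sharing from EMS to Security Fabric FortiGates (added example, not EMS code)."""


def host_tags_received(fortigate, endpoints):
    """Return the sorted (Zero Trust tag, host tag) pairs the selected FortiGate
    receives from EMS, following the Fabric Devices decision table.

    fortigate (constructed layout): 'serial'; 'share_all' is the
    'Share tag info from all FortiClients' option; 'additional' is the set of
    serials chosen under 'Share tag info from FortiClients connected to
    additional FortiGates' (empty when that option is disabled).
    endpoints: list of {'gateway_serial', 'tags', 'host_tag'}.
    """
    received = []
    for ep in endpoints:
        if not ep["tags"]:
            continue   # only endpoints with a Zero Trust tag applied are shared
        if fortigate["share_all"]:
            in_scope = True   # all endpoints, regardless of gateway
        else:
            in_scope = (ep["gateway_serial"] == fortigate["serial"]
                        or ep["gateway_serial"] in fortigate["additional"])
        if in_scope:
            received.extend((tag, ep["host_tag"]) for tag in ep["tags"])
    return sorted(received)


def share_with_additional(fortigate, *serials):
    """Enable 'Share tag info from FortiClients connected to additional FortiGates'
    for the given serials, as in steps 4 and 5 of the procedure above."""
    return dict(fortigate, additional=set(fortigate["additional"]) | set(serials))


# Topology from the guide's walkthrough (serials and the TAG_ANTIVIRUS_ON
# endpoint are the guide's; the TAG_EXAMPLE endpoint is constructed).
FIRST_FLOOR = {"serial": "FGVM02TM21011669", "share_all": False, "additional": set()}
CORE_DEFAULT = {"serial": "FGVM02TM21011924", "share_all": False, "additional": set()}
ENDPOINTS = [
    {"gateway_serial": "FGVM02TM21011669", "tags": ["TAG_ANTIVIRUS_ON"], "host_tag": "10.100.91.100"},
    {"gateway_serial": "FGVM02TM21011669", "tags": [], "host_tag": "10.100.91.101"},
    {"gateway_serial": "FGVM02TM21011924", "tags": ["TAG_EXAMPLE"], "host_tag": "10.100.90.50"},
]

if __name__ == "__main__":
    print("core, default:", host_tags_received(CORE_DEFAULT, ENDPOINTS))
    core = share_with_additional(CORE_DEFAULT, FIRST_FLOOR["serial"])
    print("core, with first floor added:", host_tags_received(core, ENDPOINTS))
    print("core, share all:", host_tags_received(dict(CORE_DEFAULT, share_all=True), ENDPOINTS))
    print("first floor:", host_tags_received(FIRST_FLOOR, ENDPOINTS))
```

The untagged endpoint never appears in any output, which is the point of the first check: host tags are only distributed for endpoints that carry a Zero Trust tag, so an endpoint missing from a FortiGate's ZTNA Tags view may simply not match any tagging rule rather than be mis-scoped.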
SAML SSO
You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an Identity Provider (IdP).
You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not support using FortiAuthenticator as an IdP or custom IdPs.
To configure SAML SSO:
1. Configure SAML SSO in FortiOS. See Configuring single-sign-on in the Security Fabric. Ensure that you download the IdP certificate and copy the SP prefix to use when configuring SAML SSO on EMS.
2. In EMS, go to System Settings > SAML SSO.
3. Click Enable SAML SSO.
4. Configure Service Provider Settings. In this configuration, EMS is the Service Provider (SP):
SP Address: Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.
SP Certificate: Click Upload new certificate to upload the SP certificate. Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.
5. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:
IdP Address: Enter the FortiGate IP address. Your browser must be able to access this IP address.
Prefix: Enter the prefix generated in FortiOS for the SP.
IdP Certificate: Click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured for the IdP (the FortiGate) in FortiOS in step 1.
6. Click Save.
7. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See Configuring EMS settings on page 244.
To log in to EMS using SSO:
1. Double-click the FortiClient Endpoint Management Server icon.
2. Click Sign in with SSO.
3. EMS displays the SSO login page. Enter a username and password configured in FortiOS, then click Login.
When an administrator logs in to EMS with SSO for the first time, they have restricted permissions. An EMS super administrator can adjust permissions for the new administrator.
Licenses
See Licensing FortiClient EMS on page 41.
Log Viewer
To view logs:
1. Go to Administration > Log Viewer.
2. Click the Filter icon in each column heading to apply filters.
3. Click Clear Filters to remove the filters.
To download logs:
You can download the logs that FortiClient EMS generates.
1. Go to Administration > Logs.
2. Click Download. A zip of the raw logs is downloaded to your computer.
Generate Diagnostic Logs
You can create a diagnostic logs package that includes a snapshot of EMS CPU and memory usage, SQL Server logs, performance data, and so on. You can send this package to the Fortinet technical support team for troubleshooting.
To create a diagnostic logs package:
1. Go to Administration > Generate Diagnostic Logs.
2. If desired, select Include Database Backup. If enabled, the package includes a partial database backup. This backup is not intended to replace the regular backup. See To back up the database: on page 70.
3. If you select to include a database backup, EMS displays fields to enter a password. In the Password and Confirm Password fields, enter the password.
4. Click Create.
Marking all endpoints as uninstalled
You can mark all endpoints as uninstalled, which erases their historical event data. This option is mainly useful for customers using virtual desktop infrastructure environments, where temporary desktop instances are used for a short duration, then terminated. After you use this option to mark all endpoints as uninstalled, only active instances will reconnect to EMS. This conveniently frees up the licenses that the terminated instances were using, and you can provision these licenses to active unlicensed endpoints.
To mark all endpoints as uninstalled: 1. Go to Administration > Mark All Endpoints As Uninstalled. 2. In the dialog, click Yes.
System Settings
Configuring EMS settings
FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiClient EMS.
When you enable multitenancy, you must configure some EMS settings at the global level, and other settings at the site level. See Global and per-site configuration on page 262.
To configure EMS settings:
1. Go to System Settings > EMS Settings.
2. Configure the following options under Shared Settings. EMS uses these settings for FortiClient EMS managing Windows, macOS, and Linux endpoints, and FortiClient EMS managing Chromebook endpoints:
Hostname
Displays the FortiClient EMS server's hostname.
Listen on IP
Displays the IP addresses for the FortiClient EMS server. FortiClient connects to FortiClient EMS on the specified IP address.
You can generate a QR code for the specified IP address. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints on page 260.
Use FQDN
Specify an FQDN for the FortiClient EMS server.
FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or fully qualified domain name (FQDN). An FQDN is preferable for the following reasons:
- Easy to migrate EMS to a different IP address
- Easy to migrate to a different EMS instance
- Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device with your external IP address to forward communication received on port 8013 to your EMS internal IP address. This allows your external clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use the same FQDN to reach EMS directly. Alternatively, you can use a private IP address for the connection. This configuration would require external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are not connected to VPN at that time.
FQDN
Enter the FortiClient EMS server FQDN. FortiClient can connect using the specified IP address in the Listen on IP Addresses option or the specified FQDN.
Remote HTTPS access
Specify settings for remote administration access to FortiClient EMS.
Turn remote HTTPS access to FortiClient EMS on and off. When enabled, enter a hostname in the Custom hostname field to let administrators use a browser and HTTPS to log into FortiClient EMS. When disabled, administrators can only log into FortiClient EMS on the server.
HTTPS port
Available when Remote HTTPS Access is enabled. Displays the predefined HTTPS port. You cannot change the port.
Pre-defined hostname
Available when Remote HTTPS Access is enabled. Displays the predefined hostname. You cannot change the name.
Custom hostname
Available when Remote HTTPS Access is turned on. Displays the predefined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.
Redirect HTTP request to HTTPS
Available when Remote HTTPS Access is turned on. When this option is enabled, a remote request to FortiClient EMS at http://<server_name> is automatically redirected to https://<server_name>.
SSL certificate
Displays the currently imported SSL certificate. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file.
Password
Configure a new SSL password.
Show FortiGate Server List
When this option is enabled, you can configure FortiGate IP addresses in a Telemetry server list to allow FortiClient to connect directly to FortiOS. FortiClient 6.4.0 and later versions cannot directly connect Telemetry to FortiOS. FortiClient 6.4.0 only connects Telemetry to EMS, which then sends FortiClient data to FortiOS. Only endpoints with FortiClient versions older than 6.4.0 installed can connect Telemetry directly to FortiOS.
When this option is disabled, you can only configure EMS IP addresses in a Telemetry server list.
EMS CA certificate (ZTNA)
This feature requires the ZTNA or EPP license and only applies for endpoints running FortiClient 7.0.0 and later versions. See Windows, macOS, and Linux endpoint licenses on page 22.
Displays the EMS CA certificate expiry. EMS sends this certificate to FortiOS. See FortiClient in the Security Fabric on page 14.
Click the Revoke and Update button to revoke and update the certificate. You may want to revoke a certificate if it is compromised and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new certificate signing request. This may affect existing connections.
Reset Stalled Deployment Interval
Enter the number of hours after which EMS resets stalled deployments.
3. Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing Windows, macOS, and Linux endpoints:
Listen on port
Displays the FortiClient EMS server default port. You can change the port by typing a new port number. FortiClient connects using the specified port number.
Enable TLS 1.0/1.1
Enable TLS 1.0 and 1.1 for file downloads. You must enable this option when upgrading FortiClient on a Windows 7 device via FortiClient EMS.
FortiClient download URL
FortiClient deployment packages created in FortiClient EMS are available for download at this URL.
Open port 10443 in Windows Firewall
Open port 10443 or close port 10443. Port 10443 is used to download FortiClient.
Enforce invitation-only registration for
Select the desired endpoints to enforce invitation-only registration for. See Invitations on page 85. Modifying this setting causes any endpoints that do not meet the new setting to deregister from EMS.
Sign software packages
Enable this option to have Windows FortiClient software installers created by or uploaded to FortiClient EMS digitally signed with a code signing certificate.
Timestamp server
Enter the server address to timestamp software installers with.
Certificate
Upload the desired code signing certificate. This must be a .pfx file. After a certificate has been uploaded, its expiry date is also displayed.
Password
Enter the certificate password. This is required for FortiClient EMS to sign the software installers with the certificate.
Enable Managed by EMS
Select an option from the dropdown list. Users can configure this IP address in Shared Settings > Listen on IP.
Connect to local subnets only
Only allow connection to local subnets.
Notify FortiGate
Enter the FortiGate IP address(es) or hostname(s). You can also use an FQDN. Press the Enter key to add additional entries. This option is only available if you enable Show FortiGate Server List.
Use connection key
Enable the connection key endpoints can use to connect to FortiGates. Enter and reenter the connection key.
Enable login banner
When you enable the login banner, a message appears prior to a user logging into FortiClient EMS. In the Message field, type your message. The Preview section displays a preview of the message.
4. If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after enabling this option.
5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS managing Chromebook endpoints:
Listen on port
Displays the default port for the FortiClient EMS server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiClient EMS using the specified port number.
User inactivity timeout
Enter the number of hours of inactivity after which to timeout the user.
Profile update interval
Specify the profile update interval (in seconds).
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints on page 248.
Password
Configure a new SSL password.
Service account
Displays the service account ID currently in use.
Update service account
Update the service account with new credentials.
Reset service account
In the event your service account is broken, you can revert back to the default service account by clicking the Reset button. This restores the default service account. You must Save the settings for the change to take effect.
ID
Available if the Update service account button is clicked. Enter a new service account ID.
Private key
Available if the Update service account button is clicked. Upload a new service account private key.
6. Configure the following options under Endpoints Settings:
FortiClient telemetry connection key
Add the FortiClient Telemetry connection key for FortiClient EMS. FortiClient must provide this key during connection.
You can generate a QR code for the specified key. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints on page 260.
Keep alive interval
Each connected FortiClient endpoint sends a short keep-alive (KA) message to FortiClient EMS at the specified interval.
Offline timeout
Configure the number of KA intervals after which EMS considers the endpoint to be offline.
Delete timeout
Configure the number of days after which EMS deletes a deregistered endpoint. For example, if you configure this value to be 45 days, EMS deletes the endpoint 45 days after its deregistration.
License timeout
Configure the number of days after which EMS deregisters an endpoint.
Automatically upload avatars
FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and FortiClient EMS servers it is connected to.
Enable endpoint snapshot reports
Enable endpoint snapshot reports and enter the interval at which to take reports in seconds. The interval must be between 300 and 86400 seconds.
7. Enable Manage Multiple Customer Sites. This enables multitenancy for EMS.
8. Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the FSSO protocol between EMS and FortiOS.
SSL certificate
Displays the SSL certificate currently imported. If you have already uploaded an SSL certificate, a Replace button displays.
Certificate
Browse and upload a new SSL certificate file.
Password
Configure a new SSL password.
9. Click Save.
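The Endpoints Settings in step 6 (Keep alive interval, Offline timeout, License timeout, Delete timeout) together define an endpoint lifecycle: silent for a number of KA intervals means offline, silent for the license timeout means deregistered, and a deregistered endpoint is deleted after the delete timeout. The following Python script is an added example, not part of this guide or of EMS, that computes which state an endpoint is in after a given period of silence and how many licenses a fleet still holds. It assumes that the license timeout is counted from the last keep-alive EMS received and that only registered (online or offline) endpoints hold a license; the host names and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict


@dataclass(frozen=True)
class EndpointSettings:
    """Values from System Settings > EMS Settings > Endpoints Settings."""
    keep_alive_seconds: int          # Keep alive interval
    offline_timeout_intervals: int   # Offline timeout, counted in KA intervals
    license_timeout_days: int        # License timeout, in days
    delete_timeout_days: int         # Delete timeout, in days after deregistration

    def __post_init__(self):
        for name, value in vars(self).items():
            if value <= 0:
                raise ValueError(f"{name} must be a positive integer")


def offline_at(last_keepalive: datetime, s: EndpointSettings) -> datetime:
    """EMS considers the endpoint offline once this many KA intervals pass without a message."""
    return last_keepalive + timedelta(seconds=s.keep_alive_seconds * s.offline_timeout_intervals)


def deregistered_at(last_keepalive: datetime, s: EndpointSettings) -> datetime:
    """Assumption: the license timeout is counted from the last keep-alive received."""
    return last_keepalive + timedelta(days=s.license_timeout_days)


def deleted_at(last_keepalive: datetime, s: EndpointSettings) -> datetime:
    """The delete timeout is counted from the moment of deregistration."""
    return deregistered_at(last_keepalive, s) + timedelta(days=s.delete_timeout_days)


def endpoint_state(last_keepalive: datetime, now: datetime, s: EndpointSettings) -> str:
    """Classify an endpoint by how long it has been silent; each threshold is inclusive."""
    if now >= deleted_at(last_keepalive, s):
        return "deleted"
    if now >= deregistered_at(last_keepalive, s):
        return "deregistered"
    if now >= offline_at(last_keepalive, s):
        return "offline"
    return "online"


def state_after_silence(silent_seconds: float, s: EndpointSettings) -> str:
    """Convenience wrapper: state of an endpoint that has been silent for silent_seconds."""
    reference = datetime(2021, 10, 14, 9, 0, 0)  # constructed reference time
    return endpoint_state(reference - timedelta(seconds=silent_seconds), reference, s)


def license_usage(last_seen: Dict[str, datetime], now: datetime, s: EndpointSettings) -> Dict[str, int]:
    """Count endpoints per state. Assumption: online and offline endpoints still hold a
    license; deregistered and deleted endpoints do not."""
    counts = {"online": 0, "offline": 0, "deregistered": 0, "deleted": 0}
    for ts in last_seen.values():
        counts[endpoint_state(ts, now, s)] += 1
    counts["licensed"] = counts["online"] + counts["offline"]
    return counts


def sample_license_usage() -> Dict[str, int]:
    """Constructed fleet: KA 60 s, offline after 10 intervals, license 30 days, delete 45 days."""
    settings = EndpointSettings(60, 10, 30, 45)
    now = datetime(2021, 10, 14, 9, 0, 0)
    fleet = {
        "WS-01": now - timedelta(minutes=1),   # still online
        "WS-02": now - timedelta(hours=2),     # offline, still licensed
        "VDI-07": now - timedelta(days=31),    # deregistered, license freed
        "VDI-09": now - timedelta(days=80),    # past 30 + 45 days, deleted
    }
    return license_usage(fleet, now, settings)


if __name__ == "__main__":
    print(sample_license_usage())
```

The VDI case the "Marking all endpoints as uninstalled" section describes is visible here: without that action, a terminated desktop instance keeps its license until the license timeout elapses.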
Adding an SSL certificate to FortiClient EMS for Chromebook endpoints
You must add an SSL certificate to FortiClient EMS to allow Chromebooks to connect to FortiClient EMS. If you are using a public SSL certificate, add the certificate to FortiClient EMS. You do not need to add the certificate to the Google Admin console. If you are not using a public SSL certificate, you must add the SSL certificate to FortiClient EMS, and the root certificate to the Google Admin console. See Adding root certificates on page 53.
To add an SSL certificate to EMS for Chromebook endpoints:
1. In FortiClient EMS, go to System Settings > EMS Settings > EMS for Chromebooks Settings.
2. Do one of the following:
   a. To replace an existing SSL certificate, beside SSL certificate, click Update SSL certificate.
   b. If no SSL certificate has been added yet, click the Upload new SSL certificate button.
3. Click Browse and locate the certificate file (<name>.pfx).
4. In the Password field, enter the password.
5. Click Test.
6. Click Save.
If the SSL certificate expires in less than three months, the expiry date label is yellow. If it is expired, the label is red. Otherwise, it is green.
Configuring Logs settings
You can specify what level of log messages to capture in the logs for FortiClient EMS. You can also specify when to automatically delete logs and alerts.
To configure Logs settings:
1. Go to System Settings > Logs. 2. Configure the following options:
Log level
Select the level of messages to include in FortiClient EMS logs. For example, if you select Info, all log messages from Info to Emergency are added to the FortiClient EMS logs.
Clear logs older than
Enter the number of days that you want to store logs. For example, if you enter 30, EMS stores logs for 30 days. EMS automatically deletes any logs older than 30 days.
Clear alerts older than
Enter the number of days that you want to keep alerts. For example, if you enter 30, EMS keeps alerts for 30 days. EMS automatically deletes any alerts older than 30 days.
Clear events older than
Enter the number of days that you want to keep events. For example, if you enter 30, EMS keeps events for 30 days. EMS automatically deletes any events older than 30 days.
Clear Chromebook events older than
Enter the number of days that you want to keep Chromebook events. For example, if you enter 30, EMS keeps Chromebook events for 30 days. EMS automatically deletes any Chromebook events older than 30 days.
Clear now
Click to immediately delete all FortiClient EMS logs or alerts.
3. Click Save.
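The following Python script, an added example that is not part of this guide or of EMS, shows the combined effect of the Log level and Clear logs older than settings on a handful of constructed log lines. It assumes the syslog severity order (Emergency most severe, Debug least), so that selecting Info keeps Info through Emergency and drops only Debug, and it uses a hypothetical "<timestamp> [<LEVEL>] <message>" line layout; the actual EMS log format is not shown in this guide.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Severity order, most severe first. Assumption: EMS follows the syslog ordering,
# so a configured level keeps that level and everything more severe.
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]
SEVERITY = {name.lower(): rank for rank, name in enumerate(LEVELS)}

# Constructed sample lines in a hypothetical layout; not the real EMS log format.
SAMPLE_LOG = """\
2021-10-14 09:00:01 [DEBUG] Telemetry keep-alive received from WS-01
2021-10-14 09:00:05 [INFO] Endpoint WS-01 registered
2021-10-14 09:05:00 [WARNING] Failed to check for signature updates
2021-09-10 12:00:00 [ERROR] FortiClient deployment failed on WS-07
2021-10-13 23:59:59 [NOTICE] Administrator admin logged in
2021-10-01 08:00:00 [CRITICAL] EMS fails to sync with LDAP domain corp.example
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split a line into (timestamp, level, message); reject anything unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    level = m.group(2).lower()
    if level not in SEVERITY:
        raise ValueError(f"unknown level {m.group(2)!r}")
    return ts, level, m.group(3)


def passes_level(level: str, configured: str) -> bool:
    """True when the record is at least as severe as the configured Log level."""
    return SEVERITY[level.lower()] <= SEVERITY[configured.lower()]


def is_expired(ts: datetime, now: datetime, keep_days: int) -> bool:
    """True when the record is older than the Clear logs older than window."""
    return now - ts > timedelta(days=keep_days)


def retained_records(text: str, configured_level: str, keep_days: int,
                     now: datetime) -> List[Tuple[datetime, str, str]]:
    """Apply both settings: drop records below the level and records past retention."""
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, level, msg = parse_line(line)
        if passes_level(level, configured_level) and not is_expired(ts, now, keep_days):
            kept.append((ts, level, msg))
    return kept


def retained_messages(configured_level: str, keep_days: int) -> List[str]:
    """Run the constructed sample through the filter as of a fixed reference time."""
    now = datetime(2021, 10, 14, 12, 0, 0)  # constructed "now"
    return [msg for _, _, msg in retained_records(SAMPLE_LOG, configured_level, keep_days, now)]


if __name__ == "__main__":
    for msg in retained_messages("Info", 30):
        print(msg)
```

With Info and 30 days, the Debug keep-alive line and the 34-day-old deployment failure are dropped and four records remain; raising the level to Error keeps only the Critical LDAP sync record.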
Configuring FortiGuard Services settings
FortiClient relies on several signature databases to identify and stop malware. Keeping these databases up to date is imperative to remain protected from new threats as they are identified. In some situations, FortiClient may fail to update these signatures, and the EMS administrator must be able to readily identify these endpoints so corrective action can be taken. EMS detects when an endpoint is out of date by downloading a list of the current signature and engine versions and comparing it to the versions that FortiClient reports in its status updates. EMS can also send an email when this happens. See Configuring Endpoint Alerts on page 252. You can verify that EMS itself has up-to-date signatures by going to System Settings > FortiGuard Services > View Signature List and comparing that list to FortiGuard.com > Services > Service of interest, such as AV.
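The comparison EMS performs, written out in Python as an added example (not EMS code and not Fortinet's): a constructed current-version list stands in for the one EMS downloads from FortiGuard, constructed endpoint reports stand in for FortiClient status updates, and the package names and version values are placeholders rather than real FortiGuard versions. Versions are compared numerically, component by component, and an endpoint that reports no version at all for a package is also flagged.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed "current versions" in place of the FortiGuard list EMS downloads.
# Package names and values are placeholders.
CURRENT_VERSIONS = {
    "AntiVirus Signatures": "90.01234",
    "AntiVirus Engine": "6.00256",
    "Vulnerability Signatures": "1.00578",
}

# Constructed status reports in place of what FortiClient sends to EMS.
ENDPOINT_REPORTS = {
    "WS-01": {"AntiVirus Signatures": "90.01234", "AntiVirus Engine": "6.00256",
              "Vulnerability Signatures": "1.00578"},
    "WS-02": {"AntiVirus Signatures": "90.01190", "AntiVirus Engine": "6.00256",
              "Vulnerability Signatures": "1.00578"},
    "WS-03": {"AntiVirus Signatures": "90.01234", "AntiVirus Engine": "6.00256"},  # no vulnerability database reported
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'90.01234' -> (90, 1234). Numeric comparison avoids string-order mistakes such as '9' > '10'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(reported: Optional[str], current: str) -> bool:
    """Out of date when nothing is reported or the reported version is older than the current one."""
    if reported is None:
        return True
    return parse_version(reported) < parse_version(current)


@dataclass
class Finding:
    host: str
    package: str
    reported: Optional[str]
    current: str


def outdated_endpoints(reports: Dict[str, Dict[str, str]], current: Dict[str, str]) -> List[Finding]:
    """Return one finding per (endpoint, package) pair that is behind the current version."""
    findings = []
    for host, versions in sorted(reports.items()):
        for package, latest in current.items():
            reported = versions.get(package)
            if is_outdated(reported, latest):
                findings.append(Finding(host, package, reported, latest))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    """Run the constructed reports against the constructed current list."""
    return [(f.host, f.package) for f in outdated_endpoints(ENDPOINT_REPORTS, CURRENT_VERSIONS)]


if __name__ == "__main__":
    for f in outdated_endpoints(ENDPOINT_REPORTS, CURRENT_VERSIONS):
        print(f"{f.host}: {f.package} reported {f.reported or 'none'}, current {f.current}")
```

On the constructed data, WS-02 is flagged for an older AntiVirus signature set and WS-03 for a missing vulnerability database; WS-01 matches every current version. These are the endpoints the "Endpoint signature database is out-of-date" alert would report.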
To configure FortiGuard Services settings:
1. Go to System Settings > FortiGuard Services. 2. Configure the Software and Signature Update Services options:
FortiGuard Server Location
Configure FortiGuard server location to Global, US, or Europe. Europe is only available if you have selected the Enable SSL checkbox.
Port
Enter the desired port number to communicate to the FortiGuard server.
Enable SSL
Enable SSL to connect to FortiGuard using HTTPS, or disable SSL to connect using HTTP. HTTPS must be enabled to use the FortiGuard Europe server.
View Signature List
View a list of latest signature versions.
Use FortiManager for client software/signature updates
Turn on to use FortiManager for updating FortiClient software or signatures. You must specify the IP address or hostname for FortiManager as well as the port number.
IP address/Hostname
Enter the IP address/hostname.
Port
Configure the port number.
Failover port
Configure the failover port.
Timeout
Configure the timeout interval (in seconds).
Failover
Enable failover to FDN when FortiManager is unavailable.
3. Configure the Cloud Services options:
FortiCloud Region
Select the FortiCloud region from the dropdown list.
Time Offset
Select the FortiCloud time offset from the dropdown list.
4. Click Save.
Alerts
Configuring EMS Alerts
You can set up an SMTP server to enable alerts for FortiClient EMS or endpoint events. When an alert is triggered, EMS sends an email notification.
To configure EMS Alerts:
1. Go to System Settings > EMS Alerts. 2. Set the following options to send an email when the following events happen:
Version Alerts
New EMS version is available for deployment
New FortiClient EMS version is available.
Remind me every day for 2 weeks
Remind you every day for two weeks when a new FortiClient EMS version is available.
New FortiClient version is available for deployment
New FortiClient version is available for deployment.
Remind me every day for 2 weeks
Remind you every day for two weeks when a new FortiClient version is available for deployment.
FortiClient Alerts
EMS license is expired or about to expire
Expiring or expired FortiClient EMS license.
EMS fails to sync with LDAP domains
FortiClient EMS does not sync with LDAP domains.
Less than 10% of client licenses are left
Be notified when there are less than 10% of client licenses left.
Client licenses have run out
Be notified when you run out of client licenses.
New software is detected
Be notified when new FortiClient software is detected.
FortiClient for Chromebook Alerts
EMS license for Chromebooks is expired or about to expire
Expiring or expired FortiClient EMS license for Chromebooks.
Less than 10% of the client licenses for Chromebooks are left
Be notified when there are less than 10% of client licenses left for Chromebooks.
Client licenses for Chromebooks have run out
Be notified when you run out of client licenses for Chromebooks.
3. Click Save. If you have not already set up an SMTP server, the GUI automatically prompts you to configure SMTP server settings. See Configuring SMTP Server settings on page 253.
Configuring Endpoint Alerts
To configure endpoint alerts:
1. Go to System Settings > Endpoint Alerts.
2. From the Send an email every... dropdown list, select the frequency to send emails.
3. Select the events to send emails for:
   a. Malware is detected
   b. Repeated malware is detected (same malware is detected on the same machine within the last 24 hours)
   c. Multiple malwares are detected (different malwares are detected on the same machine within the last 24 hours)
   d. Malware outbreak is detected (same malware is detected on different endpoints within the last 24 hours)
   e. Zero-day malware is detected by FortiSandbox
   f. C&C attack communication channel is detected
   g. Critical vulnerability is detected
   h. Endpoint FortiClient Telemetry is manually disconnected by user
   i. Endpoint signature database is out-of-date
   j. Endpoint software is out-of-date
Configuring SMTP Server settings
You can set up an SMTP server to enable alerts for EMS and endpoint events. When an alert is triggered, EMS sends an email notification to the configured email address(es).
To configure SMTP server settings:
1. Go to System Settings > SMTP Server. 2. Set the following options:
Server
Enter the SMTP server name.
Port
Enter the port number.
Security
Select None, STARTTLS, or SMTPS for the security type, or select the Auto Detect button to automatically select the security type. If STARTTLS or SMTPS is selected, the Username and Password fields become available.
Username
Enter the username.
Password
Enter the password.
From
Enter the email address to send the alerts from.
Reply-To
Enter the email address to send the replies to.
Subject
The sent e-mail alert's subject.
Recipients
Enter email address(es) to send alerts to. Press Enter to add more email addresses.
Test subject
Test email's subject.
Test message
Test email's message.
Test recipient
Email address to send the test email to.
Send Test Email
Click the button to test the configured email settings.
3. Click Save.
To confirm that the EMS server can verify the SMTP server certificate:
When using STARTTLS or SMTPS, the SMTP server presents a certificate to prove its identity. If the server hosting EMS does not have the corresponding CA in its certificate store, EMS cannot trust the SMTP server certificate and the connection fails to establish. You can verify this using tools on the server hosting EMS to establish a secure connection to the SMTP server. Using openssl as an example, you can run the following from the Windows command line:
openssl s_client -starttls smtp -crlf -connect <smtp_url:port>
The following is an example of an SMTP URL and port: smtp.office365.com:587
The command output displays the certificate that the mail server offers in the first few lines. If that certificate is accompanied by unable to get local issuer certificate, Windows cannot verify the certificate because its issuing CA is not in the certificate store.
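The same check in Python, as an added example that is not part of this guide or of EMS: parse_openssl_verify reads the verdict line from saved openssl s_client output (a constructed excerpt of the failing case is included), and check_smtp_starttls performs EHLO and STARTTLS against a live server with a verifying TLS context that uses the host's certificate store, so run on the EMS server it exercises the same trust store EMS depends on. The server name, port and the output excerpt are constructed, and the function names are this example's own.

```python
import re
import smtplib
import ssl
from typing import Optional, Tuple

# Constructed excerpt of openssl s_client output for a chain whose issuing CA is
# missing from the local store; not captured from a real server.
SAMPLE_OPENSSL_OUTPUT = """\
CONNECTED(000001A4)
depth=0 CN = smtp.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = smtp.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
---
SSL handshake has read 4321 bytes and written 456 bytes
Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8
"""

VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


def parse_openssl_verify(output: str) -> Tuple[int, str]:
    """Extract openssl's final verdict; code 0 ('ok') means the chain verified."""
    m = VERIFY_RE.search(output)
    if not m:
        raise ValueError("no 'Verify return code' line in openssl output")
    return int(m.group(1)), m.group(2)


def verification_ok(output: str) -> bool:
    """True only when openssl reported code 0 for the server's chain."""
    return parse_openssl_verify(output)[0] == 0


def check_smtp_starttls(host: str, port: int = 587, cafile: Optional[str] = None,
                        timeout: float = 10.0) -> Tuple[bool, str]:
    """Live check (needs network): EHLO, then STARTTLS with a verifying context.

    With cafile=None the system store is used. Returns (True, server certificate CN)
    on success or (False, verification failure reason) when the chain is untrusted.
    """
    context = ssl.create_default_context(cafile=cafile)
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        try:
            smtp.starttls(context=context)
        except ssl.SSLCertVerificationError as err:
            return False, err.verify_message  # e.g. "unable to get local issuer certificate"
        subject = dict(pair[0] for pair in smtp.sock.getpeercert().get("subject", ()))
        return True, subject.get("commonName", "")
    finally:
        smtp.close()


if __name__ == "__main__":
    code, reason = parse_openssl_verify(SAMPLE_OPENSSL_OUTPUT)
    print(f"openssl verdict on the constructed output: {code} ({reason})")
    # Live check against a real server, for example:
    # print(check_smtp_starttls("smtp.office365.com", 587))
```

A False result from check_smtp_starttls on the EMS host means EMS will fail in the same way; the fix is to import the missing issuing CA into the certificate store on that server rather than to disable verification.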
Viewing alerts
You can view alerts that FortiClient EMS generates. Examples of events that generate an alert include:
- A new version of FortiClient is available.
- FortiClient deployment failed.
- Failed to check for signature updates.
- Error encountered when downloading AD server entries.
- Error encountered when scanning for local computers.
A red label is associated with the Alert icon when new notifications are available or received. EMS clears the label when you view the alert.
1. Click the Alert icon (a bell) in the toolbar.
2. Click the Filter icon in each column heading to apply filters.
3. Click Clear Filters to remove the filters.
Custom Messages
You can customize messages that display on endpoints in certain situations, such as if EMS has quarantined the endpoint. For example, you can customize the message to include your organization's help desk phone number so that users can contact the network administration about their machine.
Customizing the endpoint quarantine message
You can customize the message that displays on an endpoint when FortiClient EMS has quarantined it.
To customize the endpoint quarantine message:
1. Go to System Settings > Custom Messages.
2. Select Endpoint Quarantine Message.
3. In the Message field, enter the desired message. You can enter up to 512 characters. The Preview section displays the custom message as it would appear on the latest version of FortiClient. You can also use the Preview slider to zoom in and out on the message preview.
4. Click Save.
Customizing Web Filter messages
You can customize the messages that display on an endpoint in in-browser Web Filter result pages.
To customize Web Filter messages:
1. Go to System Settings > Custom Messages.
2. Select WebFilter Custom Messages. The left panel displays the customization fields, while the right panel previews the custom messages as they will appear in a web browser when using the latest version of FortiClient. There are different types of Web Filter messages:
   - Blocklisted page
   - Blocked page
   - Blocked FortiGuard inaccessible page
   - Warning page
   - Warning FortiGuard inaccessible page
   Some customization fields apply to all messages, while others apply to only specific messages. This is indicated beside the field name.
3. In the left pane, enable/disable the fields and enter the desired messages. You can also upload images for logo and icon fields. The right pane displays previews of the messages.
4. Click Save.
Feature Select
In Feature Select, you can choose which features to show and hide in EMS. Only features that are enabled in Feature Select are available for configuration in other areas of EMS. For example, disabling Web Filter in Feature Select results in the following:
- Endpoint profiles:
  - The Web Filter tab is not available for configuration.
  - The option to enable Web Filter logs on the System Settings tab is not available.
- If you enable Web Filter in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.
- The Web Filter Detection widget is not available on the Status dashboard.
- Importing a profile from FortiGate/FortiManager is not available.
Only an EMS superadministrator can enable and disable features in Feature Select. Other EMS users can view which features are enabled and disabled on the Feature Select page, but cannot modify the configuration.
If an endpoint previously had a feature enabled, but you later disable the feature in Feature Select, EMS then disables the feature on the endpoint.
The following table provides details on features that you must enable for certain functionalities to be available in FortiClient. You must enable the feature in Feature Select, then configure on the applicable endpoint profile for the functionality to be available in FortiClient. Note that this table is not exhaustive:
Feature to enable in Feature Select / FortiClient functionalities
Application Firewall:
- C&C blocking
- Endpoint quarantine
Web Filter:
- Category-based malicious site blocking
- Keyword blocking (also requires web browser plugin)
Only features that FortiClient EMS is licensed for are available for enablement in Feature Select. For example, if you have only applied the ZTNA license, you cannot enable Application Firewall. See Windows, macOS, and Linux endpoint licenses on page 22 for details on which features each license type includes.
You cannot disable Web Filter if you have enabled the Chromebook feature in Feature Select.
To enable/disable a feature in Feature Select:
1. Go to System Settings > Feature Select. 2. Enable or disable features as desired. This example disables Web Filter.
3. Click Save. The Web Filter tab is not available for configuration in an endpoint profile. The Import from FortiGate/FortiManager option under Endpoint Profiles in the left pane is also not available.
When creating a deployment package, a warning displays beside Web Filtering that the feature is disabled. You cannot create a deployment package that installs the Web Filter feature on endpoints while Web Filter is disabled in Feature Select.
In Dashboard > Status, when you click Manage Widgets, the Web Filter Detection widget is not available under Top 3 Lists.
Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints
You can create a QR code to distribute to FortiClient (Android) and (iOS) users. FortiClient (Android) and (iOS) users can scan the QR code from their device to automatically enable FortiTelemetry and attempt connection to the specified FortiClient EMS server.
QR codes can optionally contain the FortiClient telemetry connection key, if desired.
To generate the QR code:
1. Go to System Settings > EMS Settings.
2. Do one of the following:
   a. To generate the QR code without a connection key, beside the Listen on IP field, click the View QR Code button.
   b. To generate the QR code with a connection key, ensure that the FortiClient telemetry connection key field is populated, then click the View QR Code button beside it.
3. In the dialog, select or deselect Show FortiClient telemetry connection key as desired.
4. Click Continue.
5. Click Download.
6. Save the QR code image to your machine.
7. Email the QR code to FortiClient (Android) and FortiClient (iOS) users.
For instructions on scanning the QR code from an Android or iOS device, see the FortiClient (Android) Administration Guide or FortiClient (iOS) Administration Guide.
Multitenancy
With EMS multitenancy, you can create multiple sites to provide granular access to different sites for different administrators and to separate endpoint data and configuration into different sites. The sites are completely separate from each other and cannot share data between them. For example, if an administrator only has access to Site A, they cannot view data from any other site. EMS supports up to 500 multitenancy sites. The following sections detail how to enable multitenancy and multitenancy-specific settings. When multitenancy is enabled, Fabric connectors must use an FQDN to connect to EMS, where the FQDN hostname matches a site name in EMS (including "Default"). The following are examples of FQDNs to provide when configuring the connector to connect to the default site and to a site named SiteA, respectively: default.ems.yourcompany.com, sitea.ems.yourcompany.com.
Enabling and configuring multitenancy
By default, multitenancy is disabled in EMS.
To configure multitenancy:
1. Go to System Settings > EMS Settings.
2. Enable Manage Multiple Customer Sites, then click Save. EMS forces the GUI to restart for the changes to take effect. After you enable multitenancy, all previously created administrators except the default admin user become administrators for the default site.
3. After restarting, the GUI displays the global dashboard. When you initially enable multitenancy, there are two sites: global, where you can set and view global settings; and default, which contains your original EMS instance's endpoints. Your original EMS instance's settings are retained. To switch between sites, select the site name in the upper right corner, then select the desired site from the dropdown list.
4. Select Configure Sites from the site selection list. You can also go to Administration > Configure Sites. This page displays all sites and their license usage.
5. Click Add.
6. In the Add FortiClient EMS Site dialog, enter the desired site name. You must use only ASCII characters in site names.
7. Select the checkboxes to assign the desired number of licenses to this site. The dialog displays how many licenses are available for assignment. Click Save. The newly created site appears in the FortiClient Sites list. You can go to the site using the site selection list in the upper right corner.
Global and per-site configuration
When multitenancy is enabled, you can configure some settings only from the global level, and other settings only from the site level. You cannot view site-level settings from the global site. For descriptions of the settings, see the relevant section in this document.
Global configuration
The following lists settings you must configure from the global site:
- System Settings > EMS Settings:
  - Shared Settings:
    - Hostname
    - Listen on IP
    - Use FQDN
    - Remote HTTPS access
    - SSL certificate
    - Show FortiGate Server List
  - EMS Settings:
    - Listen on port
    - Enable TLS 1.0/1.1
    - FortiClient download URL
    - Enable login banner. This login banner only shows when you sign in to the global site.
  - EMS for Chromebooks Settings:
    - Listen on port
    - SSL certificate
    - Service account
- Administrators with multisite access. See Adding a multitenancy administrator on page 267.
- Database backup and restoration
- (On-premise EMS-only) License management: You must license EMS from the global site. You can then assign the licenses to other sites. For example, consider that you have three other sites: Sites A, B, and C. If you then activate 500 ZTNA licenses on the global site, you could assign 200 ZTNA licenses to Site A, 150 to Site B, and 150 to Site C. See Editing a site on page 267.
- EMS Alerts
- SMTP Server
On the global site Dashboard, you can only view the System and License Information widgets. The other widgets, which display endpoint information, are available at the site level.
Site level configuration
The following lists settings you must configure separately for each site:
l System Settings > EMS Settings: l Shared Settings > Reset Stalled Deployment Interval l EMS Settings: l Sign software packages l Enable Managed by EMS l Enable login banner. This login banner only shows when you sign in to the current specified site. l EMS for Chromebooks Settings: l User inactivity timeout l Profile update interval l Endpoints Settings l EMS FSSO Settings
l System Settings > FortiGuard Services l System Settings > Custom Messages l System Settings > Feature Select l Dashboard widgets and charts. The License Information widget for each site displays the information for the
licenses that are assigned to that site. When using an on-premise EMS, you cannot update any licensing information from the site-level Dashboard. l (FortiClient Cloud-only) License management: You must license EMS at the site level. You cannot later assign these licenses to other sites. l Site-level administrator permissions l Endpoint management l Endpoint policies l Endpoint profiles l Deployment packages. When an endpoint installs FortiClient using a deployment package configured from a particular site, it registers to that site automatically. l Endpoint profile components l Zero Trust tagging rules l Software Inventory l Email endpoint alerts
Left pane with multitenancy enabled
Selecting an option in the left navigation pane displays its content in the right pane. The following describes the left pane for the global site when multitenancy is enabled:
Dashboard
  Status: Displays the dashboard. On the global site only the System and License Information widgets are available; the endpoint widgets are shown at the site level.
Administration
  Administrators: Add and manage FortiClient EMS administrators.
  User Settings: Configure the inactivity timeout and other user settings.
  Configure License: Upgrade or renew the FortiClient EMS license.
  Configure Sites: Configure multitenancy sites.
  Log Viewer: View log messages generated by FortiClient EMS and download raw logs.
System Settings
  EMS Settings: Change the IP address and port and configure other EMS settings for FortiClient EMS, including enabling Chromebook management.
  Log Settings: Specify what level of log messages to capture in FortiClient EMS logs and when to automatically delete logs and alerts.
  FortiGuard Services: Configure the FortiGuard server location. Configure FortiManager to use for client software/signature updates and configure FortiCloud settings.
  EMS Alerts: Enable alerts for FortiClient EMS events.
  SMTP Server: Set up an SMTP server to enable email alerts.
The following describes the left pane at the site level when multitenancy is enabled. For all options at the site level, you can only view and manage endpoints and settings for the currently selected site:
Dashboard
  Status: Displays a dashboard of information about all managed endpoints.
  Vulnerability Scan: Displays the Current Vulnerabilities Summary chart, which provides a centralized vulnerability summary for all managed endpoints. You can observe high-risk hosts and critical vulnerabilities existing on endpoints. You can also access links on how to fix or repair the vulnerabilities.
  Chromebook Status: Displays a dashboard of information about all managed Chromebooks. Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Endpoints
  All Endpoints: Manage all endpoints.
  Manage Domains: Add and manage AD domains.
  Domains: Manage endpoints from AD domains. You can also add an AD domain if none exist.
  Workgroups: Manage endpoints from workgroups.
  Group Assignment Rules: Configure rules to automatically place endpoints into custom groups based on their installer ID, IP address, or OS.
Google Domains: Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
  All Users: Manage users from all Google domains.
  Manage Domains: Add and manage Google domains.
  Domains: Manage users from specific Google domains. You can also add a Google domain if none exist.
Deployment & Installers
  Manage Deployment: Create deployment configurations to deploy FortiClient to endpoints.
  FortiClient Installers: Add and manage FortiClient deployment packages.
Endpoint Policy & Components
  Manage Policies: Create endpoint policies and manage policy updates for Windows, macOS, and Linux endpoints.
  CA Certificates: Upload and import CA certificates into FortiClient EMS.
  On-fabric Detection Rules: Configure on-fabric detection rules for endpoints.
  Chromebook Policy: Create endpoint policies and manage policy updates for Chromebook endpoints. Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Endpoint Profiles
  Manage Profiles: Create profiles and manage profile updates for all profiles.
  Import from FortiGate/FortiManager: Import Web Filter profiles from FortiOS or FortiManager.
Zero Trust Tags
  Zero Trust Tagging Rules: Define Zero Trust tagging rules.
  Zero Trust Tag Monitor: View tagged endpoints.
  Fabric Device Monitor: View all FortiGates connected to EMS for Zero Trust tagging and the list of tags that are shared with each FortiGate.
Software Inventory
  Applications: View applications installed on endpoints. Display applications by application or application vendor name.
  Hosts: View applications installed on endpoints, sorted by endpoint.
Quarantine Management
  Files: View and allowlist files on endpoints that Sandbox or AV has quarantined.
  Allowlist: View and delete allowlisted files from the Allowlist pane.
Administration
  Administrators: Add and manage FortiClient EMS administrators.
  Admin Roles: Add and manage FortiClient EMS admin roles and permissions.
  Fabric Devices: View Fabric devices connected to EMS.
  SAML SSO: Configure SAML SSO authentication.
  Log Viewer: View log messages generated by FortiClient EMS and download raw logs.
System Settings
  EMS Settings: Change the IP address and port and configure other EMS settings for FortiClient EMS, including enabling Chromebook management.
  Log Settings: Specify what level of log messages to capture in FortiClient EMS logs and when to automatically delete logs and alerts.
  FortiGuard Services: Configure the FortiGuard server location. Configure FortiManager to use for client software/signature updates and configure FortiCloud settings.
  EMS Alerts: Enable alerts for FortiClient EMS events.
  Endpoint Alerts: Enable alerts for endpoint events.
  SMTP Server: Set up an SMTP server to enable email alerts.
  Custom Messages: Customize the message that displays on an endpoint when it has been quarantined by FortiClient EMS.
  Feature Select: Choose which features to show and hide in EMS.
Editing a site
To edit a site:
1. From the global site, go to Administration > Configure Sites.
2. Select the desired site.
3. Click Edit.
4. Edit the site as desired. You can edit its name and the number and type of licenses assigned.
5. Click Save.
Adding a multitenancy administrator
To add a multitenancy administrator:
1. From the global site, go to Administration > Administrators.
2. Click Add.
3. Configure the administrator as Configuring user accounts on page 230 describes. When adding a new administrator from the global site, you can create a local administrator or configure a Windows or LDAP user. When adding a new administrator from the site level, you can only configure an LDAP user. Administrator names from the same source (EMS, LDAP, or Windows) must be unique across all sites. Administrators can have the same name if they are from different sources. When configuring the administrator role, select one of the following. These administrator roles are specific to global administrator management when multitenancy is enabled:
   Super administrator: Full access to the global site and all other sites. Can access all configuration options on all sites, including the global site. The built-in admin account is a super administrator and cannot be configured as another administrator role.
   Settings administrator: Access to the global site only. Can access all configuration options on the global site, except for administrator configuration.
   Site administrator: Access to specified sites only, with no access to the global site. A site administrator can have access to multiple sites. By default, a site administrator is a super administrator for all sites that they have access to. A site administrator can configure the site license and system settings, including server, FortiGuard, login banner, alerts, and SMTP server settings. You can modify the site administrator's available configuration options for a site by assigning them a different admin role for that site after you log in to the site. See Admin roles on page 232. Because the default per-site role is super administrator, assign a narrower role on each site where full control is not required before handing the account over.
4. Click Finish. The new administrator appears on the Administrators page.
The following example shows a site administrator, AlecB. The Global Administration > Administrators page shows that AlecB has access to two sites, SiteA and SiteB.
The SiteA Administration > Administrators page shows that AlecB is a super administrator for this site. This means that AlecB has complete access to all EMS permissions within SiteA, as Admin roles on page 232 describes.
The SiteB Administration > Administrators page shows that AlecB is a read-only administrator for this site. This means that AlecB has only read-only access to endpoint, policy, and settings permissions within SiteB, as Admin roles on page 232 describes.
If you had configured a SAML SSO administrator prior to enabling multitenancy, enabling multitenancy causes this administrator to become a global superadministrator. You can configure a different role for this administrator. You can only have one SAML SSO administrator for the entire EMS server.
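The scoping rules above (global versus site access, the per-site role override, and the per-source name uniqueness rule) are easy to get wrong when you audit who can reach what. The following is an added example, not Fortinet code and not the EMS permission schema: a small model that encodes the three multitenancy roles as the guide states them and resolves an administrator's effective permissions for a given site. The permission names, the "read_only" site role, and the GLOBAL pseudo-site name are assumptions made for the illustration; the AlecB data mirrors the guide's example.

```python
"""Illustrative model of EMS multitenancy administrator scoping.

Added example, not Fortinet code. It encodes the role rules the guide
states: a super administrator reaches the global site and every site; a
settings administrator reaches only the global site and cannot configure
administrators there; a site administrator reaches only its assigned sites,
is a super administrator on each of them unless a different per-site role
is assigned, and never reaches the global site. Administrator names must be
unique per source (EMS, LDAP, or Windows) across all sites. The permission
names and the "read_only" site role are assumptions for the illustration.
"""
from dataclasses import dataclass, field

GLOBAL = "global"  # assumed pseudo-site name for the global site

# Assumed permission vocabulary (illustration only, not the EMS schema).
ALL_PERMS = frozenset({
    "endpoints:read", "endpoints:write",
    "policy:read", "policy:write",
    "settings:read", "settings:write",
    "admins:write",
})
READ_ONLY_PERMS = frozenset(p for p in ALL_PERMS if p.endswith(":read"))

# Roles a site administrator can be given per site after logging in to it.
SITE_ROLE_PERMS = {
    "super": ALL_PERMS,
    "read_only": READ_ONLY_PERMS,
}


@dataclass
class Admin:
    name: str
    source: str                      # "EMS", "LDAP", or "Windows"
    role: str                        # "super", "settings", or "site"
    sites: frozenset = frozenset()   # sites a site administrator may access
    site_roles: dict = field(default_factory=dict)  # per-site override, e.g. {"SiteB": "read_only"}


def effective_permissions(admin: Admin, site: str) -> frozenset:
    """Permissions `admin` holds on `site` (GLOBAL or a site name)."""
    if admin.role == "super":
        return ALL_PERMS
    if admin.role == "settings":
        # Global site only, everything except administrator configuration.
        return ALL_PERMS - {"admins:write"} if site == GLOBAL else frozenset()
    if admin.role == "site":
        if site == GLOBAL or site not in admin.sites:
            return frozenset()       # no global access, no unassigned sites
        # Default per-site role is super; a narrower role may be assigned.
        return SITE_ROLE_PERMS[admin.site_roles.get(site, "super")]
    raise ValueError(f"unknown role {admin.role!r}")


def is_allowed(admin: Admin, site: str, permission: str) -> bool:
    """Authorization check: does `admin` hold `permission` on `site`?"""
    return permission in effective_permissions(admin, site)


def duplicate_names(admins: list) -> list:
    """(source, name) pairs that collide; the same name from different sources is allowed."""
    seen, dupes = set(), []
    for a in admins:
        key = (a.source, a.name)
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    # AlecB from the guide's example: super on SiteA, read-only on SiteB.
    alecb = Admin("AlecB", "LDAP", "site",
                  sites=frozenset({"SiteA", "SiteB"}),
                  site_roles={"SiteB": "read_only"})
    for site, perm in [("SiteA", "policy:write"), ("SiteB", "policy:write"),
                       ("SiteB", "policy:read"), (GLOBAL, "settings:read")]:
        print(f"{alecb.name} {perm} on {site}: {is_allowed(alecb, site, perm)}")
```

Run as a script it prints the four decisions for AlecB; the point of the model is that a site administrator's answer for the global site is always empty, and that the per-site override is looked up before the default of super is applied.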
Logging into EMS with multitenancy enabled
To log into EMS with multitenancy enabled:
1. Double-click the FortiClient Endpoint Management Server icon.
2. Enter the username and password for an administrator with the desired site access. If you are logging in as an LDAP user, add the domain prefix for the user.
3. Click Sign in. If you logged in as a global administrator, the EMS GUI displays the Global dashboard. You can then switch sites using the site selection list in the upper right corner.
If you logged in as a site administrator, the EMS GUI displays the dashboard for the first site that you have access to in the dropdown list. The site selection list displays sites that you have access to in alphabetical order.
Creating a support package
You can create a support package to provide to the Fortinet technical support team for troubleshooting. Creating a support package backs up your database but clears all sensitive username and password fields. Because the package still contains a copy of your database, treat it as sensitive and send the password through a channel separate from the package itself.
To create a support package:
1. Go to Help > Create Support Package.
2. In the Password field, enter a password that conforms to the displayed rules. The Fortinet technical support team needs this password to access the support package.
3. In the Confirm Password field, enter the password again.
4. Click Create.
Migrating to another EMS instance
You can move configurations, data, and endpoint connections between EMS instances without disrupting FortiClient endpoint functionality. This section describes migrating one on-premise EMS environment to another. The migration requires the following:
- The EMS version in both environments is 6.4.3 GA.
- FortiClient for all supported endpoint platforms (Windows, macOS, Linux, Android, and iOS) are connected before, during, and after migration.
- You have fully configured EMS and generated data such as logs and events before starting the migration.
- Licensing on the two EMS instances is similar, if not the same, in terms of the number of seats, entitlement, license types, and duration.
This guide refers to the EMS instance that you are migrating from as "EMS A" and to the EMS instance that you are migrating to as "EMS B".
To migrate from EMS A to EMS B:
1. Install and license EMS B as Installation and licensing on page 32 describes.
2. Back up the EMS A database as To back up the database: on page 70 describes.
3. Restore the database on EMS B as To restore the database: on page 70 describes.
4. Migrate the FortiClient endpoints. This migration process supports all FortiClient endpoint platforms except Chromebook:
   a. On EMS A, go to Endpoints.
   b. Select the desired endpoints to migrate.
   c. Select Action > Switch EMS > Choose a Different IP.
   d. In the dialog, enter the EMS B FQDN or IP address. Once the migration begins, the Connections column on the Endpoints pane in EMS B for the selected endpoints displays as Migrating. Events may not display immediately on the Endpoints pane in EMS B, but are present in the database. Endpoints that are offline when you apply the Choose a Different IP action migrate when they reconnect to EMS A, so keep EMS A running until those endpoints have reconnected; endpoints that never reconnect before EMS A is shut down must be moved manually in step f.
   e. Shut down EMS A.
   f. For any remaining endpoints that have not been migrated, manually connect them to EMS B by entering the EMS B IP address on the Zero Trust Telemetry tab. See Connecting FortiClient Telemetry after installation.
   g. Monitor EMS B services and system performance to ensure stability.
Limitations
- Chromebook: The migration does not support Chromebook endpoints.
Change log
2021-08-10: Initial release.
2021-08-16: Updated System Settings on page 186.
2021-09-09: Updated Configuring EMS settings on page 244.
2021-09-24: Added Using a browser as an external user-agent for SAML authentication in an SSL VPN connection on page 182.
2021-10-13: Updated Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance on page 34.
2021-10-14: Added Configuring encrypted ZTNA rules on page 196.
www.fortinet.com
Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.