FortiClient profiles
When FortiClient is in managed mode, a profile is used to communicate compliance rules and to configure FortiClient software on endpoints. FortiClient receives the profile after FortiClient Telemetry is connected to FortiGate/EMS. The contents of the profile depend on whether FortiGate or EMS provide the profile.
FortiGate and compliance rules
In FortiGate, a FortiClient profile is used to achieve the following goals:
l Define compliance rules for endpoint access to the network through FortiGate l Define the non-compliance action—that is, how endpoints are handled that fail to comply with compliance rules l (Optional) Define some configuration settings for FortiClient software on endpoints
Compliance rules
FortiGate compliance rules are used to define what configuration FortiClient software must have for the endpoint to maintain access to the network through FortiGate. Following is a sample of the compliance rules that you can define (enable or disable) by using the GUI:
- Antivirus l Web filter l Application firewall l Vulnerability scan
- FortiClient software specific version
You can also define additional compliance rules by using the FortiOS CLI.
Non-compliance action
You define how FortiClient endpoints are handled that fail to comply with the compliance rules. You can block, warn, or automatically update FortiClient endpoints. You set the rules by using FortiGate, and both FortiGate and FortiClient enforce the rules.
Both FortiGate and FortiClient enforce compliance rules for FortiClient 5.4.1 and later endpoints. FortiGate enforces compliance for FortiClient 5.4.0 and earlier endpoints, and for all versions of unregistered/unconnected FortiClient endpoints.
Following is a description of how each setting affects FortiClient endpoints:
- Block
When FortiClient endpoints fail to comply with compliance rules, FortiClient blocks endpoint access to the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS.
- Warn
When FortiClient endpoints fail to comply with compliance rules, FortiClient warns the endpoint users, but allows the endpoint user to access the network. Noncompliance information is displayed in the FortiClient console. The administrator or endpoint user is responsible for reading the noncompliance information and updating FortiClient software on the endpoint to adhere to the compliance rules. In this case, endpoint users can edit settings in the FortiClient console that are not controlled by the compliance rules or EMS. l Auto-update
FortiGate provides the compliance rules and some configuration information for FortiClient software that helps FortiClient and the endpoint remain compliant. However FortiClient endpoints can fail to comply with compliance rules because FortiGate cannot automatically update all aspects of the compliance rules, such as the required version of FortiClient or the operating system on the endpoint. FortiGate displays noncompliance information in the FortiOS GUI. The FortiGate administrator and endpoint user are responsible for reading the noncompliance information and keeping FortiClient endpoints compliant. In this case, most settings in FortiClient console are read-only. However, the endpoint user can edit some settings.
FortiClient configuration
When you use FortiGate to configure a FortiClient profile with a non-compliance setting of auto-update, the FortiClient profile can include configuration information for FortiClient software, which helps the FortiClient endpoint remain compliant with the compliance rules.
You can specify the following configuration information for FortiClient software:
l AntiVirus l Web Filter l Application Firewall l Vulnerability Scan l System Compliance
When the FortiClient endpoint receives the configuration information from FortiGate in the FortiClient profile, the settings in FortiClient console are automatically updated. Most settings in FortiClient console are read-only when FortiGate provides the configuration in a FortiClient profile. However, the endpoint user can change settings in FortiClient console that are not controlled by the FortiClient profile.
For more information about configuring FortiClient profiles by using FortiGate, see the FortiOS Handbook, available in the Fortinet Document Library.
FortiGate and EMS integration
When FortiGate is integrated with EMS, and the non-compliance action in FortiGate is set to block or warn, you can use EMS to assign a profile to endpoints. The profile from EMS is in addition to the compliance rules from FortiGate. When FortiClient receives compliance rules from FortiGate and a profile from EMS, settings in the FortiClient console are locked. Administrators can control the settings by updating the assigned profile in FortiGate/EMS.
CLI only
When using FortiGate to create FortiClient profiles, some settings can be configured only by using the
FortiOS CLI. You must use the CLI to configure the following options in FortiClient profiles provided by FortiGate: l Allowed operating system for FortiClient endpoints l Required third-party applications for FortiClient endpoints l Registry entries for FortiClient endpoints l File in the file system on FortiClient endpoints
Get started
For more information, see the CLI Reference forFortiOS.
EMS and profiles
In FortiClient EMS, a profile is used to install FortiClient on endpoint devices and/or define the configuration for FortiClient software on endpoint devices. The profile consists of the following sections:
- FortiClient Installer l Antivirus l Web Filtering l Application Firewall
- VPN
- Vulnerability Scan l System Settings
When the FortiClient endpoint receives the configuration information in the FortiClient profile, the settings in FortiClient console are automatically updated. Settings in FortiClient console are locked and read-only when EMS provides the configuration in a profile.
For more information about configuring profiles by using FortiClient EMS, see the FortiClient EMS Administration Guide, available in the Fortinet Document Library.