Settings
This section describes the available options on the File > Settings page for FortiClient in standalone mode.
In managed mode, options on the Settings page are configured in the FortiClient profile by using FortiGate/EMS.
Backup or restore full configuration
To back up or restore the full configuration file, select File > Settings from the toolbar. Expand the System section, then select Backup or Restore as needed. Restore is only available when operating in standalone mode.
When performing a backup, you can select the file destination, password requirements, and add comments as needed.
Signature updates
This setting can only be configured when FortiClient is in standalone mode.
To configure updates, select File > Settings from the toolbar, then expand the System section.
Select to either automatically download and install updates when they are available on the FortiGuard Distribution Servers, or to send an alert when updates are available.
In managed mode, you can select to use a FortiManager device for signature updates. When configuring the endpoint profile in EMS, select Use FortiManager for client software/signature updates to enable the feature and enter the IP address of your FortiManager device.
To configure FortiClient to use FortiManager for signature updates (EMS):
- On EMS, select an endpoint profile, then go to the System Settings
- Toggle the Use FortiManager for client software/signature update option to ON.
- Specify the IP address or hostname of the FortiManager device.
- Select Failover to FDN when FortiManager is not available to have FortiClient receive updates from the FortiGuard Distribution Network when the FortiManager is not available.
- Select Save to save the settings.
Logging
To configure logging, select File > Settings from the toolbar then expand the Logging section.
VPN | VPN logging is available when in standalone mode or in managed mode when FortiClient is connected to FortiGate/EMS. |
Application Firewall | Application Firewall logging is available in managed mode when FortiClient is connected to FortiGate/EMS. |
AntiVirus | Antivirus activity logging is available when in standalone mode or in managed mode when FortiClient is connected to FortiGate/EMS. |
Web Security/Web Filter | Web Security logging is available when in standalone mode. Web Filter logging is available in managed mode. |
Update | Update logging is available when in standalone mode or in managed mode when FortiClient is connected to FortiGate/EMS. |
Vulnerability Scan | Vulnerability Scan logging is available in managed mode when FortiClient is connected to FortiGate/EMS. |
Log Level | This setting can be configured when in standalone mode. When FortiClient is connected to FortiGate, this setting is set by the XML configuration (if configured). |
Log File | The option to export the log file (.log) is available when in standalone mode or in managed mode when FortiClient is connected to FortiGate/EMS. The option to clear logs is only available when in standalone mode. |
The following table lists the logging levels and description:
Logging Level | Description |
Emergency | The system becomes unstable. |
Alert | Immediate action is required. |
Critical | Functionality is affected. |
Error | An error condition exists and functionality could be affected. |
Warning | Functionality could be affected. |
Notice | Information about normal events. |
Information | General information about system operations. |
Debug | Debug FortiClient. |
It is recommended to use the debug logging level only when needed. Do not leave the debug logging level permanently enabled in a production environment to avoid unnecessarily consuming disk space.
Sending logs to FortiAnalyzer or FortiManager
To configure FortiClient to send logs to FortiAnalyzer or FortiManager, you require the following:
- FortiClient 5.2.0 or later
- A FortiGate device running FortiOS 5.2.0 or later or EMS 1.0 or later
- A FortiAnalyzer or FortiManager device running 5.0.7 or later
The connected FortiClient device can send traffic logs, vulnerability scan logs, and event logs to the log device on port 514 TCP.
Enable logging on the FortiGate device:
- On your FortiGate device, select Log & Report > Log Settings. The Log Settings window opens.
- Enable Send Logs to FortiAnalyzer/FortiManager.
- Enter the IP address of your log device in the IP Address field. You can select Test Connectivity to ensure your FortiGate is able to communicate with the log device on this IP address.
- Select Apply to save the setting.
Enable logging in the FortiGate FortiClient profile:
- Go to Security Profiles > FortiClient Profiles.
- Select the FortiClient Profile and select Edit from the toolbar. The Edit FortiClient Profile page opens.
- Enable Upload Logs to FortiAnalyzer.
- Select either Same as System to send the logs to the FortiAnalyzer or FortiManager configured in the Log Settings, or Specify to enter a different IP address.
- In the Schedule field, select to upload logs Hourly or Daily.
- Select Apply to save the settings.
Once the FortiClient Profile change is synchronized with the client, you will start receiving logs from connected clients on your FortiAnalyzer/FortiManager system.
Alternatively, you can configure logging in the command line interface. Go to System > Dashboard > Status. In the CLI Console widget, enter the following CLI commands:
config endpoint-control profile
    edit <profile-name>
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-upload-server <IP address>
            set forticlient-log-upload-schedule {hourly | daily}
            set forticlient-log-ssl-upload {enable | disable}
            set client-log-when-on-net {enable | disable}
        end
    end
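An added example (not Fortinet's code): a short Python audit that reads a FortiGate configuration export and reports endpoint-control profiles whose FortiClient log upload, or its SSL option, is not explicitly enabled, using the setting names from the CLI commands above. The sample configuration, the profile names and the function name audit_log_upload are constructed for illustration; because this page does not state the defaults, an unset value is reported rather than assumed.

```python
import shlex

# Constructed FortiOS-style sample; the profile names are made up.
SAMPLE = """
config endpoint-control profile
    edit "branch-laptops"
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-ssl-upload disable
        end
    next
    edit "hq-desktops"
        config forticlient-winmac-settings
            set forticlient-log-upload enable
            set forticlient-log-ssl-upload enable
        end
    next
    edit "kiosk"
    next
end
"""

PATH = [("config", "endpoint-control profile"), ("config", "forticlient-winmac-settings")]

def audit_log_upload(text):
    """Map each endpoint-control profile to a list of log-upload findings."""
    stack, profiles = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
            if tok[0] == "edit" and stack[:-1] == PATH[:1]:
                profiles[tok[1]] = {}
        elif tok[0] == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif tok[0] == "end":
            if stack and stack[-1][0] == "edit":  # "end" typed inside an edit, as in the CLI text above
                stack.pop()
            if stack:
                stack.pop()
        elif tok[0] == "set" and len(tok) > 2 and len(stack) == 3 and [stack[0], stack[2]] == PATH:
            profiles.setdefault(stack[1][1], {})[tok[1]] = tok[2]
    def issues(s):
        if s.get("forticlient-log-upload") != "enable":
            return ["log upload not explicitly enabled"]
        if s.get("forticlient-log-ssl-upload") != "enable":
            return ["log upload enabled without SSL"]
        return []
    return {name: issues(s) for name, s in profiles.items()}
```

Calling audit_log_upload(SAMPLE) returns one entry per profile; an empty list means both settings are explicitly enabled.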
Enable logging in the EMS endpoint profile:
- On EMS, select an endpoint profile, then go to the System Settings
- Enable Upload Logs to FortiAnalyzer/FortiManager.
- Enable the type of logs to upload. Choose from traffic, vulnerability, and event.
- Enter the IP address or hostname, schedule upload (in minutes), and log generation timeout (in seconds).
- Select Save to save the settings.
VPN options
To configure VPN options, select File > Settings from the toolbar and expand the VPN section. Select Enable VPN before logon to enable VPN before log on.
This setting can only be configured when in standalone mode.
Certificate management
To configure VPN certificates, select File > Settings from the toolbar and expand the Certificate Management section. Select Use local certificate uploads (IPsec only) to configure IPsec VPN to use local certificates and import certificates to FortiClient.
This setting can only be configured when in standalone mode.
Antivirus options
To configure antivirus options, select File > Settings from the toolbar and expand the Antivirus Options section.
These settings can be configured only when FortiClient is in standalone mode.
Configure the following settings:
Grayware Options | Grayware is an umbrella term applied to a wide range of malicious applications such as spyware, adware and key loggers that are often secretly installed on a user’s computer to track and/or report certain information back to an external source without the user’s permission or knowledge. |
Adware | Select to enable adware detection and quarantine during the antivirus scan. |
Riskware | Select to enable riskware detection and quarantine during the antivirus scan. |
Scan removable media on insertion | Select to scan removable media when it is inserted. |
Alert when viruses are detected | Select to have FortiClient provide a notification alert when a threat is detected on your personal computer. When Alert when viruses are detected under AntiVirus Options is not selected, you will not receive the virus alert dialog box when attempting to download a virus in a web browser. |
Pause background scanning on battery power | Select to pause background scanning when your computer is operating on battery power. |
Enable FortiGuard Analytics | Select to automatically send suspicious files to the FortiGuard Network for analysis. |
When connected to FortiGate/EMS, you can enable or disable FortiClient Antivirus Protection in the FortiClient profile.
Advanced options
To configure advanced options, select File > Settings from the toolbar and expand the Advanced section.
These settings can be configured only when FortiClient is in standalone mode. When a FortiClient endpoint is connected to FortiGate/EMS, these settings are set by the XML configuration (if configured).
Configure the following settings:
Enable WAN Optimization | Select to enable WAN Optimization. You should enable only if you have a FortiGate device and your FortiGate is configured for WAN Optimization. This setting can be configured when in standalone mode. |
Maximum Disk Cache Size | Select to configure the maximum disk cache size. The default value is 512MB. |
Enable Single Sign-On mobility agent | Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. This setting can be configured when in standalone mode. |
Server address | Enter the FortiAuthenticator IP address. |
Customize port | Enter the port number. The default port is 8001. |
Pre-shared Key | Enter the pre-shared key. The pre-shared key should match the key configured on your FortiAuthenticator device. |
Disable proxy (troubleshooting only) | Select to disable proxy when troubleshooting FortiClient. This setting can be configured when in standalone mode. |
Default tab | Select the default tab to be displayed when opening FortiClient. This setting can be configured when in standalone mode. |
Single Sign-On mobility agent
The FortiClient Single Sign-On (SSO) Mobility Agent is a client that updates FortiAuthenticator with user logon and network information.
FortiClient/FortiAuthenticator protocol
The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to FortiAuthenticator using TLS/SSL with two-way certificate authentication. The FortiClient sends a logon packet to FortiAuthenticator, which replies with an acknowledgment packet.
FortiClient/FortiAuthenticator communication requires the following:
- The IP address should be unique in the entire network.
- The FortiAuthenticator should be accessible from clients in all locations.
- The FortiAuthenticator should be accessible by all FortiGates.
FortiClient Single Sign-On Mobility Agent requires a FortiAuthenticator running 2.0.0 or later, or v3.0.0 or later. Enter the FortiAuthenticator (server) IP address, port number, and the pre-shared key configured on the FortiAuthenticator.
Enable Single Sign-On mobility agent on FortiClient:
- Select File in the toolbar and select Settings in the drop-down menu.
- Select Advanced to view the drop-down menu.
- Select Enable Single Sign-On mobility agent.
- Enter the FortiAuthenticator server address and the pre-shared key.
This setting can be configured when in standalone mode. When connected to FortiGate, this setting is set by the XML configuration (if configured).
Enable FortiClient SSO mobility agent service on the FortiAuthenticator:
- Select Fortinet SSO Methods > SSO > General. The Edit SSO Configuration page opens.
- Select Enable FortiClient SSO Mobility Agent Service and enter a TCP port value for the listening port.
- Select Enable authentication and enter a secret key or password.
- Select OK to save the setting.
Enable FortiClient FSSO services on the interface:
- Select System > Network > Interfaces. Select the interface and select Edit from the toolbar. The Edit Network Interface window opens.
- Select the checkbox to enable FortiClient FSSO.
- Select OK to save the setting.
To enable the FortiClient SSO Mobility Agent Service on the FortiAuthenticator, you must first apply the applicable FortiClient license for FortiAuthenticator. For more information, see the FortiAuthenticator Administration Guide in the Fortinet Document Library.
For information on purchasing a FortiClient license for FortiAuthenticator, please contact your authorized Fortinet reseller.
Configuration lock
To prevent unauthorized changes to the FortiClient configuration, select the lock icon located at the bottom left of the Settings page. You will be prompted to enter and confirm a password. When the configuration is locked, configuration changes are restricted and FortiClient cannot be shut down or uninstalled.
When the configuration is locked you can perform the following actions:
- Compliance
  - Connect and disconnect FortiClient for Endpoint Control
- Antivirus
  - Complete an antivirus scan, view threats found, and view logs
  - Select Update Now to update signatures
- Web Security
  - View violations
- Application Firewall
  - View applications blocked
- Remote Access
  - Configure, edit, or delete an IPsec VPN or SSL VPN connection
  - Connect to a VPN connection
- Vulnerability Scan
  - Complete a vulnerability scan of the system
  - View vulnerabilities found
- Settings
  - Export FortiClient logs
  - Back up the FortiClient configuration
To perform configuration changes, or to shut down FortiClient, select the lock icon and enter the password used to lock the configuration.
FortiTray
When FortiClient is running on your system, you can select the FortiTray icon in the Windows system tray to perform various actions. The FortiTray icon is available in the system tray even when the FortiClient console is closed.
- Default menu options:
  - Open FortiClient console
  - Shut down FortiClient
- Dynamic menu options, depending on configuration:
  - Connect to a configured IPsec VPN or SSL VPN connection
  - Display the antivirus scan window (if a scheduled scan is currently running)
  - Display the Vulnerability scan window (if a vulnerability scan is running)
If you hover the mouse cursor over the FortiTray icon, you will receive various notifications including the version, antivirus signature, and antivirus engine.
Connecting to VPN connections
To connect to a VPN connection from FortiTray, go to the Windows System Tray and right-click the FortiTray icon. Select the connection you wish to connect to, enter your username and password in the authentication window, then select OK to connect.