manualshive.com logo in svg

Fortinet FortiGate Voice 4.0 MR1, Administration Manual

Share
Download
Fortinet FortiGate Voice 4.0 MR1 Administration Manual Download Page 35

Endpoint Network Access Control 

Overview

FortiClient Endpoint Security Version 4.0 MR1 Administration Guide
04-40001-99556-20090626

29

http://docs.fortinet.com/

 • 

Feedback

 

Endpoint Network Access Control

This chapter describes how to enforce the use of FortiClient by using a FortiGate unit’s 
Endpoint NAC feature.
This chapter contains the following sections:

Overview

Enforcing use of FortiClient software

Configuring FortiGuard Services

Setting the FortiClient version

Enabling Endpoint Control

Overview

FortiGate units prevent viruses and other threats on the Internet from passing through the 
firewall to your private network. However, a computer, especially a portable computer, 
might become infected from media or unprotected connection to another network. This 
infection could spread on your internal network. FortiClient Endpoint Control protects the 
computer on which it is installed.
Endpoint NAC (Network Access Control) enforces the use of FortiClient endpoint security 
in your network. The compliance check ensures that the endpoint is running the most 
recent version of the FortiClient software, checks that the antivirus signatures are up-to-
date, and are not using any blocked applications (application detection). 
You enable endpoint control in a FortiGate firewall policy. When traffic attempts to pass 
through the firewall policy, the FortiGate unit runs compliance checks on the originating 
host on the source interface. Non-compliant endpoints are blocked. If web browsing, they 
receive a message telling them that they are non-compliant, or they are redirected to a 
web portal where they can download the FortiClient application installer.

Enforcing use of FortiClient software

Endpoint control requires that all hosts using the firewall policy have FortiClient Endpoint 
Security software installed. Make sure that all hosts affected by this policy are able to 
install this software. Currently, FortiClient Endpoint Security is available for Microsoft 
Windows 2000 and later only.
To set up endpoint control on your FortiGate unit, you need to 
• Enable FortiGuard. This is required if you will use FortiGuard Services to update 

FortiClient software or antivirus signatures. You do not need to enter account 
information. See 

“Configuring FortiGuard Services” on page 30

.

• Set the minimum required version of FortiClient and configure the source of FortiClient 

installer downloads for non-compliant endpoints. See 

“Setting the FortiClient version” 

on page 30

.

• Enable endpoint control in the appropriate FortiGate firewall policies. See 

“Enabling 

Endpoint Control” on page 32

.

Summary of Contents for FortiGate Voice 4.0 MR1

Page 1: ...FortiClient Endpoint Security Version 4 0 MR1 Administration Guide...

Page 2: ...ASIC FortiBIOS FortiBridge FortiClient FortiGate FortiGate Unified Threat Management System FortiGuard FortiGuard Antispam FortiGuard Antivirus FortiGuard Intrusion FortiGuard Web FortiLog FortiAnalyz...

Page 3: ...6 Standard FortiClient Installation 6 Single user installation 6 Multiple user installation 7 Custom Installer Packages 9 Overview 9 Creating a customized installer using FCRepackager 9 Creating the...

Page 4: ...Configuring enterprise licenses 24 Creating enterprise client license keys 25 Deploying enterprise client license keys 25 Creating customized FortiClient installers 25 Corporate Security Policies 27...

Page 5: ...nfiguring VPNs without FortiClient Endpoint Security 47 Overview 47 Using the FortiClient VPN Editor 47 Importing VPN tunnel settings 48 Configuring VPN tunnel settings 48 Configuring certificates for...

Page 6: ...Contents FortiClient Endpoint Security Version 4 0 MR1 Administration Guide iv 04 40001 99556 20090626 http docs fortinet com Feedback...

Page 7: ...and applications by setting up firewall policies apply Endpoint Network Application Control NAC to monitor and control applications running on endpoints use WAN Optimization to improve the efficiency...

Page 8: ...e simple end user installations described in the FortiClient Endpoint Security User Guide Custom Installer Packages describes how to create a customized installation package to deploy to users in an o...

Page 9: ...cumentation is available on the Fortinet Tools and Documentation CD shipped with your Fortinet product You do not receive this CD if you download the FortiClient application The documents on this CD a...

Page 10: ...Customer service and technical support Introduction FortiClient Endpoint Security Version 4 0 MR1 Administration Guide 4 04 40001 99556 20090626 http docs fortinet com Feedback...

Page 11: ...ws executable exe installer provides easy installation on a single computer by the end user Any existing FortiClient installation on the computer is upgraded The FortiClient Endpoint Security User Gui...

Page 12: ...ter before installing the FortiClient application Installing on servers When installing FortiClient Endpoint Security on a server follow the antivirus guidelines for other products installed on the se...

Page 13: ...istration Guide 04 40001 99556 20090626 7 http docs fortinet com Feedback Multiple user installation You can use the FortiGate s Web Config to manage the version of FortiClient endpoint control runnin...

Page 14: ...Standard FortiClient Installation Installation FortiClient Endpoint Security Version 4 0 MR1 Administration Guide 8 04 40001 99556 20090626 http docs fortinet com Feedback...

Page 15: ...le the installation wizard enable or disable update scheduling set update schedule randomly on install enable or disable upgrade of existing installation enable management by a FortiManager system and...

Page 16: ...tTools zip file from the Fortinet Support Web site and extract the files into a folder 2 Ensure FortiClient is installed and configured with the desired settings The mst file is created based on your...

Page 17: ...aged FortiClient computer receive push updates for antivirus definitions Mobile users might not always be able to connect to the FortiManager unit Optionally you can configure FortiClient to use the d...

Page 18: ...1024 bits 15 1536 bits 2 2048 bits 3 3072 bits or 4 4096 bits Creating the custom MSI installation file With the sample application configured as you want for your users you can create a custom MSI in...

Page 19: ...ying the customized FortiClient application You can distribute your new FortiClient msi file to users Users simply double click the file to begin installation On a Windows Advanced Server network you...

Page 20: ...g run as you can apply the same transform file to future FortiClient releases If possible avoid modifying any other components FortiClient sub features do not support Advertised installations The foll...

Page 21: ...e following command msiexec i path to package FortiClient msi TRANSFORMS custom_4 0 mst L v c log txt where path to package is the path to your package if not in the current directory There are no spa...

Page 22: ...temp logfile txt Alternatively you can install the appropriate logging active directory group policies Language transforms The MST files that ship with the baseline FortiClient package are the Englis...

Page 23: ...from which users can install the FortiClient application The FortiClient msi file is a compressed archive containing all of the needed files Creating an uncompressed set of installation files can impr...

Page 24: ...specified in FMGRIP is automatically trusted and does not need to be added to the FMGTRUSTEDIPS value Configuring central management by specified FortiManager units Using installer command line option...

Page 25: ...ller command line options you can enable discovery of FortiManager units and specify by IP address the FortiManager units from which the FortiClient application accepts central management The command...

Page 26: ...hard disk image 1 Using an MSI FortiClient installer install and configure the FortiClient application to suit your requirements You can use a standard or a customized installation package 2 Right cl...

Page 27: ...FortiClient searches the attachments for the words or patterns in your sensitive words list If any of the words or patterns are found FortiClient logs the message and can also block sending of the me...

Page 28: ...Advanced Scenarios Custom Installer Packages FortiClient Endpoint Security Version 4 0 MR1 Administration Guide 22 04 40001 99556 20090626 http docs fortinet com Feedback...

Page 29: ...s licensed by means of a license key entered into the application The license can be a single user or a volume license FortiManager does not manage this method of licensing but it can distribute the l...

Page 30: ...rprise licensing To use enterprise licensing you need to 1 Obtain an Enterprise License from FortiCare and register it on your FortiManager unit For more information see Configuring enterprise license...

Page 31: ...a name to identify the license 5 In the Seats Permitted field enter a number seats that is no larger than the maximum shown at the right 6 In the Expiry Date field enter a date that is no later than t...

Page 32: ...key in some other way m installer_file where installer_file is the FortiClient msi installer file you used to create the model installation For example to customize the FortiClient installer at c Fort...

Page 33: ...icy can require that any or all of the following features are enabled Antivirus real time protection Antispam Firewall Normal mode Web Filter This provides security when users connect to your corporat...

Page 34: ...figure 3 From the FortiClient menu select VPN Security Policy 4 Select any of the following policies that you want to enforce Firewall must be enabled Realtime AV must be enabled Webfiltering must be...

Page 35: ...d applications application detection You enable endpoint control in a FortiGate firewall policy When traffic attempts to pass through the firewall policy the FortiGate unit runs compliance checks on t...

Page 36: ...tribution Network and FortiGuard Services Setting the FortiClient version By default FortiClient software is provided by FortiGuard Services and the latest version is the required version In your Fort...

Page 37: ...oftware For information about uploading a FortiClient installer to your FortiGate unit see Uploading the FortiClient installer to your FortiGate unit on page 32 Custom URL Specify a URL for a server f...

Page 38: ...estore forticlient tftp filename server_ip where filename is for example FortiClientSetup_4 0 2 msi and server_ip is the IP address of the TFTP server The TFTP server uploads the file to the FortiGate...

Page 39: ...cannot access the internet until FortiClient is installed 4 Select the Additional Client Options check box and select the following options Antivirus enabled Checks that the FortiClient Endpoint Secur...

Page 40: ...ck Create New 6 In the New Application Detection Entry area enter the following information See Table 2 on page 35 for the list of category definitions Category Select the applicable category Vendor S...

Page 41: ...d log activity on a computer network including both legitimate use and attempts to access or use network assets in unauthorized fashion and to assess the status and security of the network Multimedia...

Page 42: ...sets of information the structure being provided by the definition of fields or data objects and the utilization consisting of analysis synthesis and comparison across large quantities of such data Do...

Page 43: ...on about creating firewall policies see the Firewall chapter of the FortiGate Administration Guide To apply an Endpoint Control Profile to a firewall policy 1 Go to Firewall Policy and select the Poli...

Page 44: ...an view details such as the status FortiClient version detected applications and so on 4 Click Close 5 To allow temporary access to the endpoint select an entry and click Exempt Temporarily 6 In the T...

Page 45: ...ew There are several ways to create VPN connections for remote users FortiClient FortiGate FortiManager Custom installation Configuring VPN connections using FortiClient FortiClient Endpoint Security...

Page 46: ...ists of routes The routes are then installed on the user s computer at the top of its routing table If split tunneling is disabled the FortiGate unit will tell the VPN client to direct all traffic thr...

Page 47: ...matic configuration When FortiClient users connect to the FortiGate gateway to download VPN policies they are challenged for a user name and password Configure the FortiGate unit as follows 1 Create a...

Page 48: ...nfiguring the FortiGate gateway as a policy server Creating FortiClient VPNs FortiClient Endpoint Security Version 4 0 MR1 Administration Guide 42 04 40001 99556 20090626 http docs fortinet com Feedba...

Page 49: ...for a computer with a limited number of users or if you decide to assign occasional users to a default web filter profile For information about configuring FortiClient web filtering see the Web Filte...

Page 50: ...to the Managed clients list select Auto populate managed client list Otherwise select Add to temporary client list 5 Click Apply To search for FortiClient computer 1 In the FortiClient Manager go to C...

Page 51: ...each web filter profile you want to assign Name Enter a name for the profile Comments Optionally enter descriptive information about the profile Bypass URLs Block URLs Bypass URLs are allowed even if...

Page 52: ...AD domain controller 3 Select Synchronize 4 Select LDAP Users at the top left of the page 5 From the Domain list select the required domain 6 From the Web Filter Profile list select the profile you wa...

Page 53: ...the FortiClient VPN package from the Fortinet Support web site at http support fortinet com The FortiClient VPN package contains the FortiClient VPN installer file 32 bit and 64 bit for several locale...

Page 54: ...t VPN editor select the Tunnels tab 2 Select Import 3 In the Open window select one of the following file types a VPN policy package vpz a VPN policy files vpl a customized FortiClient installer file...

Page 55: ...Set and enter the IP address Subnet Mask DNS Server and WINS Server addresses as required 3 Select OK To add additional remote networks to a connection In the Advanced Settings window do the followin...

Page 56: ...ortiClient application Only the page names differ Refer to the Managing digital certificates section in the VPN chapter of the FortiClient Endpoint Security User Guide for detailed information about w...

Page 57: ...Send XAuth credentials Set the security policy for the FortiClient VPN Retrieve status information configured tunnel list active tunnel name connected or not idle or not remaining key life current sec...

Page 58: ...ol List1 is populated with the tunnel names List1 Clear For i LBound tunnelList To UBound tunnelList List1 AddItem tunnelList i Next Opening the VPN tunnel Use the Connect method to establish the tunn...

Page 59: ...t any time you can programmatically determine which VPN connection is active using the GetActiveTunnel function like this TunnelName VPN1 GetActiveTunnel The returned string is empty if no VPN tunnel...

Page 60: ...you set you must use the MakeSystemPolicyCompliant method Reading a security policy You can retrieve the security policy from the FortiClient application with the GetPolicy method This returns four b...

Page 61: ...an ByVal bWF As Boolean OOCDialog Show 1 OOCDialog Text If bAV Then OOCDialog Text OOCDialog Text Antivirus n End If If bAS Then OOCDialog Text OOCDialog Text Antispam n End If If bFW Then OOCDialog T...

Page 62: ...vePassword As Boolean Send XAuth credentials for the named connection User name Password True if password should be saved SetPolicy bAV As Boolean bAS As Boolean bFW As Boolean bWF As Boolean Set secu...

Page 63: ...ore it is complete FortiClient will refuse to connect the VPN tunnel COMPLIANCE_POLIC Y OR together FW 0x1h AV 0x2h WF 0x4h AS 0x8h AL 0x10h 0 Sets the default corporate compliance policy When 0 Forti...

Page 64: ...CO UNT 1 3 If this many consecutive heartbeats are not returned from FortiClient Manager FortiClient will assume the FortiClient Manager is not online FMGRIP a single ip address or a fqdn This is the...

Page 65: ...After installation the features will self optimize in the background with no assistance required from the end user However the optimization is spread over a much longer period hours days Allowing Fort...

Page 66: ...rtiClientID tool before creating the image WFLOGALLURLS 0 1 0 If this is set to 1 and WF is installed all URLs visited will be logged WANACCDBDIR any valid directory installatio n directory The direct...

Page 67: ...2 custom installer packages 9 customer service 3 customization of FortiClient installer changing installer language 13 creating 15 deploying 13 Endpoint NAC distribution 16 for enterprise licensing 25...

Page 68: ...ULTAPPACTION 58 H hide FortiTray installation option 11 HIDETRAY 58 I installation options block access unless firewall rule permits 12 disable web filter rating by IP address 11 disable XAUTH passwor...

Page 69: ...ion 10 SWUPDATEREQUIRESADMIN 59 system requirements 1 T technical support 3 U UPDATEFAILOVERPORT 59 UPDATEFALLBACK 59 USESWUID 60 USESWUID installation option 20 V viewing corporate security policy 27...

Page 70: ...Index FortiClient Endpoint Security Version 4 0 MR1 Administration Guide 64 04 40001 99556 20090626 http docs fortinet com Feedback...

Page 71: ...www fortinet com...

Page 72: ...www fortinet com...

Reviews:

No comments

Brands by name

Popular brands

Load more brands