Configuring firewall policies
Firewall Policy
FortiGate Version 4.0 Administration Guide
336
01-400-89802-20090424
Endpoint Compliance Check options
You can require users of a firewall policy to have FortiClient Endpoint Security software
installed. Optionally, you can also require that the antivirus signatures are up-to-date and
check for the presence of specific applications on the computer. You can quarantine non-
compliant users to a web portal, from which they can download the FortiClient installer or
update their antivirus signatures. For more information about configuring the Endpoint
Control feature and monitoring endpoints, see “Endpoint control” on page 641.
In a new or existing firewall policy, the following options configure the Endpoint
Compliance Check:
Figure 199: Endpoint Compliance firewall policy options
Traffic Shaping: The traffic shaping configuration for this policy. For more information, see
Log Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Delete icon: Select to delete this policy.
Edit icon: Select to edit this policy.
Move Up or Move Down: Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.
Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.
Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.
Enable Endpoint Compliance Check: Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
Enforce FortiClient AV Up-to-date: Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest version of the antivirus signatures available from FortiGuard Services.
Collect System Information from the Endpoints: Collect information about the host computer, its operating system and specific installed applications. This information is displayed in the Endpoints list. See “Monitoring endpoints” on page 644.
Redirect Non-conforming Clients to Download Portal: The non-compliant user sees a web page that explains why they are non-compliant. The page also provides links to download a FortiClient application installer. To edit this web page go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message. If the redirect is not enabled, the non-compliant user simply has no network access.
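As an added illustration (not Fortinet's code or the FortiOS configuration syntax), the following Python model walks through the decision the options above describe for one source host: the mutual exclusion with the HTTPS challenge redirect, the checks a non-compliant host can fail, and the redirect-versus-deny outcome. The class names, field names and the `decide` function are assumptions made for the model only.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class EndpointPolicy:
    """Assumed model of the firewall policy options described above (not FortiOS settings)."""
    endpoint_check: bool = False            # Enable Endpoint Compliance Check
    enforce_av_up_to_date: bool = False     # Enforce FortiClient AV Up-to-date
    required_apps: tuple = ()               # applications whose presence is checked
    redirect_to_portal: bool = False        # Redirect Non-conforming Clients to Download Portal
    https_challenge_redirect: bool = False  # User > Options > Authentication setting

@dataclass
class HostState:                            # assumed view of what FortiClient reports
    forticlient_installed: bool
    av_realtime_enabled: bool = False
    av_signatures_current: bool = False
    installed_apps: frozenset = frozenset()

def validate_policy(p: EndpointPolicy) -> None:
    """The guide states these two options cannot both be enabled."""
    if p.endpoint_check and p.https_challenge_redirect:
        raise ValueError("Endpoint Compliance Check cannot be enabled while "
                         "Redirect HTTP Challenge to a Secure Channel (HTTPS) is on")

def compliance_reasons(p: EndpointPolicy, h: HostState) -> list[str]:
    """Why a host fails the policy's checks; an empty list means compliant."""
    if not h.forticlient_installed:
        return ["FortiClient Endpoint Security not installed"]  # nothing else can be verified
    reasons = []
    if p.enforce_av_up_to_date:
        if not h.av_realtime_enabled:
            reasons.append("FortiClient antivirus real-time protection disabled")
        if not h.av_signatures_current:
            reasons.append("FortiClient antivirus signatures not up to date")
    for app in p.required_apps:
        if app not in h.installed_apps:
            reasons.append(f"required application missing: {app}")
    return reasons

def decide(p: EndpointPolicy, h: HostState) -> tuple[str, list[str]]:
    """Outcome for one host: 'allow', 'redirect' (download portal) or 'deny'."""
    validate_policy(p)
    if not p.endpoint_check:
        return "allow", []              # compliance check is off for this policy
    reasons = compliance_reasons(p, h)
    if not reasons:
        return "allow", []
    if p.redirect_to_portal:
        return "redirect", reasons      # user sees the portal page listing the reasons
    return "deny", reasons              # no network access and no explanation page
```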