EMS Administration Guide

Vulnerability Scan

Configuration

Description

Vulnerability Scan

Enable or disable Vulnerability Scan.

Scan on Registration

Scan endpoints upon connecting to a FortiGate.

Scan on Vulnerability Signature Update

Scan endpoints upon updating a vulnerability signature.

Scan for OS Updates

Scan for OS updates.

Enable Proxy

Enable proxy.

Scheduled Scan

Configure settings for scheduled scanning.

Schedule Type

Select Daily, Weekly, or Monthly.

Scan On

Configure the day of the month (1st-31st) on which the scan runs. This applies only if the schedule type is Monthly.

Start At

Configure the time the scan starts.

Automatic Patching

Patch Level

When enabled, patches are installed automatically when vulnerabilities are detected. Select one of the following:

  • Critical: Patch critical vulnerabilities only.
  • High: Patch vulnerabilities of high severity and above.
  • Medium: Patch vulnerabilities of medium severity and above.
  • Low: Patch vulnerabilities of low severity and above.
  • All: Patch all vulnerabilities.

Automatic patching may require an endpoint reboot.

Exclusions

Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check

When enabled, all applications that require the endpoint user to manually patch vulnerabilities are excluded from vulnerability compliance check.

Even if compliance is enabled for FortiClient in managed mode and FortiGate compliance rules require it, manual software patches required for application vulnerabilities do not need to be installed within the specified time frame to maintain compliant status and network access.

This option does not exclude applications from vulnerability scanning.

Exclude Selected Applications from Vulnerability Compliance Check

In the <number> Applications list, click the applications to exclude from vulnerability compliance check, and they are automatically moved to the <number> Excluded Applications list.

In the <number> Excluded Applications list, click the applications to remove from the exclusion list.

Applications on the exclusion list are exempt from needing to install software patches within the timeframe specified in FortiGate compliance rules to maintain compliant status and network access.

Applications on the list are not excluded from vulnerability scanning.

Disable Automatic Patching for These Applications

Disable automatic patching for the applications excluded from vulnerability compliance check.
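
The Patch Level and Exclusions settings interact: one controls what is patched automatically, the other what counts toward the compliance check, and neither removes an application from scanning. The following is an added example, not Fortinet code or an EMS data format, that models that interaction; the field names, the sample data, and the rule that a manual-update vulnerability cannot be patched automatically are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY = ["Low", "Medium", "High", "Critical"]  # lowest to highest

@dataclass(frozen=True)
class Finding:  # constructed record shape, not an EMS data format
    app: str
    severity: str
    manual_update: bool  # the endpoint user must install the patch by hand

@dataclass(frozen=True)
class Profile:  # hypothetical field names mirroring the settings on this page
    patch_level: Optional[str]  # None = automatic patching off, else a severity or "All"
    exempt_manual: bool
    excluded_apps: frozenset
    no_autopatch_for_excluded: bool

def auto_patched(f, p):
    # Assumption: a vulnerability that needs a manual update cannot be auto-patched.
    if p.patch_level is None or f.manual_update:
        return False
    if p.no_autopatch_for_excluded and f.app in p.excluded_apps:
        return False
    if p.patch_level == "All":
        return True
    return SEVERITY.index(f.severity) >= SEVERITY.index(p.patch_level)

def counts_for_compliance(f, p):
    if f.app in p.excluded_apps:
        return False
    return not (p.exempt_manual and f.manual_update)

def evaluate(findings, p):
    # Every finding is returned: exclusions never remove an application from scanning.
    return {f.app: (auto_patched(f, p), counts_for_compliance(f, p)) for f in findings}

# Constructed sample data.
PROFILE = Profile("High", True, frozenset({"AppB"}), True)
FINDINGS = [
    Finding("AppA", "Critical", False),
    Finding("AppB", "Critical", False),
    Finding("AppC", "Medium", False),
    Finding("AppD", "High", True),
]

if __name__ == "__main__":
    for app, (patched, compliance) in evaluate(FINDINGS, PROFILE).items():
        print(f"{app}: auto-patch={patched} compliance-check={compliance}")
```

In this model AppB carries a critical finding that is neither patched automatically nor counted against compliance, so excluded applications need a separate review of their scan results.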
