Vulnerability Scan

Configurations for Vulnerability Scan are contained in the <vulnerability_scan></vulnerability_scan> XML tags.

<forticlient_configuration>
    <vulnerability_scan>
        <enabled>1</enabled>
        <scan_on_registration>1</scan_on_registration>
        <scan_on_signature_update>1</scan_on_signature_update>
        <auto_patch>
            <level>critical</level>
        </auto_patch>
        <windows_update>1</windows_update>
        <proxy_enabled>0</proxy_enabled>
        <exempt_manual>1</exempt_manual>
        <exemptions>
            <exemption>Google Chrome</exemption>
            <exemption>Java JDK</exemption>
        </exemptions>
        <exempt_no_auto_patch>1</exempt_no_auto_patch>
        <scheduled_scans>
            <schedule>
                <enable_schedule>1</enable_schedule>
                <repeat>1</repeat>
                <day>1</day>
                <time>19:30</time>
            </schedule>
            <automatic_maintenance>
                <scan_on_maintenance>0</scan_on_maintenance>
                <maintenance_period></maintenance_period>
                <maintenance_deadline></maintenance_deadline>
            </automatic_maintenance>
        </scheduled_scans>
    </vulnerability_scan>
</forticlient_configuration>

The following table provides the XML tags for Vulnerability Scan, as well as the descriptions and default values where applicable.

XML tag | Description | Default value

<enabled>

Vulnerability Scan is enabled.

<scan_on_registration>

Specifies whether to start a vulnerability scan when FortiClient registers to FortiGate. When set to 1, a vulnerability scan starts on registration. When set to 0, no vulnerability scan starts on registration.

In older versions of FortiClient, this tag was named <scan_on_fgt_registration>.

Boolean value: [0 | 1]

<scan_on_signature_update>

Specifies whether to start a vulnerability scan when signatures are updated. When set to 1, a vulnerability scan starts after each signature update. When set to 0, no vulnerability scan starts after a signature update.

Boolean value: [0 | 1]

<auto_patch>

Specifies whether to automatically install patches. Use <level> to enable and disable automatic patch installation.

<level>

Specifies the severity threshold for automatic patching: vulnerabilities with a severity higher than the defined level are patched automatically. When set to 0, automatic patching is disabled and patches are not installed when vulnerabilities are detected. When set to info, all patches are automatically installed when vulnerabilities are detected. Select one of the following:

  • 0
  • critical
  • high
  • medium
  • low
  • info

<windows_update>

Specifies whether to scan for both Windows updates and third-party application updates. When set to 1, scan for both Windows updates and third-party application updates. When set to 0, scan only for third-party application updates.

Boolean value: [0 | 1]

<proxy_enabled>

Enable or disable use of the proxy settings configured in FortiClient when downloading vulnerability patches.

Boolean value: [0 | 1]

Default value: 0

<exempt_manual>

Specifies whether to exempt from vulnerability scanning any applications that require the endpoint user to manually install patches.

Boolean value: [0 | 1]

<exemptions>

Lists the names of the exempted applications, one per <exemption> tag.

<exempt_no_auto_patch>

Specifies whether to exempt from vulnerability scanning any applications that FortiClient can patch automatically.

Boolean value: [0 | 1]

<scheduled_scans><schedule> elements

Currently there can only be one scheduled item. If <scan_on_maintenance> is enabled, other configured scheduled scans are discarded.

<enable_schedule>

Enable or disable scheduled vulnerability scans.

Boolean value: [0 | 1]

<repeat>

Frequency of scans. Select one of the following:

  • 0: daily scan
  • 1: weekly scan
  • 2: monthly scan

<day>

Used only for weekly and monthly scans. If the <repeat> tag is set to 0 (daily), the <day> tag is ignored.

If the <repeat> tag is set to 1 (weekly), <day> is the day of the week on which to run the scan. Select one of the following:

  • 1: Sunday
  • 2: Monday
  • 3: Tuesday
  • 4: Wednesday
  • 5: Thursday
  • 6: Friday
  • 7: Saturday

If the <repeat> tag is set to 2 (monthly), <day> is the date of each month to run a scan. A number from 1 to 31.

The default is the date the policy was installed from FortiGate.

<time>

The time at which to run the scan. Specify a time value on a 24-hour clock, in HH:MM format (for example, 19:30).

The default is the time the policy was installed from FortiGate.

<scheduled_scans><automatic_maintenance> elements

This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient Vulnerability Scans to the Windows automatic maintenance queue lets the system choose a time for the scan that has minimal impact on the user, PC performance, and energy efficiency. See Automatic Maintenance.

<scan_on_maintenance>

Enable or disable running vulnerability scan as part of Windows automatic maintenance.

Boolean value: [0 | 1]

Default value: 0

<maintenance_period>

Specify how often Vulnerability Scan needs to be started during automatic maintenance. Enter the desired period in the ISO 8601 duration format PnYnMnDTnHnMnS, where nY is the number of years, nM is the number of months, nD is the number of days, T is the date/time separator, nH is the number of hours, nM is the number of minutes, and nS is the number of seconds. Components that are zero may be omitted.

For example, to configure a period of five minutes, you would enter the following:

<maintenance_period>PT5M</maintenance_period>

To configure a period of one month, four days, two hours, and five minutes, you would enter the following:

<maintenance_period>P1M4DT2H5M</maintenance_period>

<maintenance_deadline>

Specify when Windows must start Vulnerability Scan during emergency automatic maintenance, if Vulnerability Scan did not complete during regular automatic maintenance. This value must be greater than the <maintenance_period> value. Enter the desired deadline in the format PnYnMnDTnHnMnS. For details on this format, see <maintenance_period> above.

Daily scan example

<schedule>
    <repeat>0</repeat>
    <time>19:30</time>
</schedule>
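A configuration lint for the constraints the tag table states, written as an added example and not FortiClient's or Fortinet's own code: it parses a constructed sample profile with xml.etree and reports values outside the documented ranges, a <maintenance_deadline> that is not greater than its <maintenance_period>, and a <schedule> entry that an enabled <scan_on_maintenance> would discard. The conversion of months and years to seconds is an approximation assumed here only so the two durations can be compared.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile (not a Fortinet file): several values deliberately violate the documented rules.
SAMPLE_XML = """<forticlient_configuration><vulnerability_scan>
<enabled>1</enabled><scan_on_registration>1</scan_on_registration>
<auto_patch><level>critical</level></auto_patch>
<windows_update>1</windows_update><proxy_enabled>2</proxy_enabled>
<scheduled_scans><schedule><enable_schedule>1</enable_schedule>
<repeat>1</repeat><day>8</day><time>19:30</time></schedule>
<automatic_maintenance><scan_on_maintenance>1</scan_on_maintenance>
<maintenance_period>P1D</maintenance_period>
<maintenance_deadline>PT5M</maintenance_deadline></automatic_maintenance>
</scheduled_scans></vulnerability_scan></forticlient_configuration>"""

BOOL_TAGS = ("enabled", "scan_on_registration", "scan_on_signature_update", "windows_update",
             "proxy_enabled", "exempt_manual", "exempt_no_auto_patch")
LEVELS = {"0", "critical", "high", "medium", "low", "info"}
DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Approximate PnYnMnDTnHnMnS as seconds (assumes 30-day months, 365-day years); None if malformed."""
    m = DURATION.match(text or "")
    if not m or text in ("P", "PT"):
        return None
    y, mo, d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((y * 365 + mo * 30 + d) * 24 + h) * 3600 + mi * 60 + s

def lint_vulnerability_scan(xml_text):
    """Return a list of findings for the constraints the tag table states (empty list means clean)."""
    vs = ET.fromstring(xml_text).find("vulnerability_scan")
    def text(path):
        return (vs.findtext(path) or "").strip()
    findings = []
    for tag in BOOL_TAGS:   # every boolean tag present must be exactly 0 or 1
        if vs.find(tag) is not None and text(tag) not in ("0", "1"):
            findings.append(f"<{tag}> must be 0 or 1, got {text(tag)!r}")
    if vs.find("auto_patch/level") is not None and text("auto_patch/level") not in LEVELS:
        findings.append(f"<level> must be one of {sorted(LEVELS)}, got {text('auto_patch/level')!r}")
    maintenance_on = text("scheduled_scans/automatic_maintenance/scan_on_maintenance") == "1"
    if vs.find("scheduled_scans/schedule") is not None and text("scheduled_scans/schedule/enable_schedule") == "1":
        repeat, day = text("scheduled_scans/schedule/repeat"), text("scheduled_scans/schedule/day")
        limit = {"1": 7, "2": 31}.get(repeat)   # weekly: 1-7, monthly: 1-31, daily: <day> ignored
        if repeat not in ("0", "1", "2"):
            findings.append(f"<repeat> must be 0, 1 or 2, got {repeat!r}")
        elif limit and not (day.isdigit() and 1 <= int(day) <= limit):
            findings.append(f"<day> must be 1-{limit} when <repeat> is {repeat}, got {day!r}")
        if not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", text("scheduled_scans/schedule/time")):
            findings.append("<time> must be HH:MM on a 24-hour clock")
        if maintenance_on:   # the page states other scheduled scans are discarded in this case
            findings.append("<scan_on_maintenance> is 1, so the <schedule> entry is discarded")
    if maintenance_on:
        period = duration_seconds(text("scheduled_scans/automatic_maintenance/maintenance_period"))
        deadline = duration_seconds(text("scheduled_scans/automatic_maintenance/maintenance_deadline"))
        if period is None or deadline is None:
            findings.append("<maintenance_period> and <maintenance_deadline> must use PnYnMnDTnHnMnS")
        elif deadline <= period:
            findings.append("<maintenance_deadline> must be greater than <maintenance_period>")
    return findings
```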
