Additional compliance options

6.0.3
Depending on the FortiOS configuration, FortiOS uses one of the following methods to determine endpoint compliance. The first option is only available in FortiOS 6.0.0 and later versions. In both cases, FortiClient must be installed on the endpoint and there must be a Telemetry connection between FortiClient and the FortiGate.

  1. An endpoint is considered compliant if its FortiClient is managed by the EMS server authorized in FortiOS.
  2. An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS. The table below lists the compliance rules administrators can enable or disable in a FortiClient profile.

Option: Description

Endpoint Vulnerability Scan on Client: Endpoints must not have vulnerabilities at or above the configured severity level.

System Compliance
  Minimum FortiClient version: Endpoints must have a FortiClient version installed that is the same as or later than the configured version. You can set different minimum versions for different operating systems.
  Upload Logs to FortiAnalyzer: Endpoints must send the specified logs to FortiAnalyzer. FortiClient must have logging to FortiAnalyzer configured for this option to be available.
  Check Running Applications: Configure rules for specific applications. A rule can require that an application is running or is not running, and can also specify processes and signatures.

Security Posture Check
  Realtime Protection: You can specify that endpoints must have:
    • Realtime Protection enabled
    • Up-to-date signatures
    • FortiSandbox scanning enabled. FortiClient must have FortiSandbox integration configured for this option to be available.
  Third party AntiVirus on Windows: Endpoints must run a specified third party antivirus program.
  Web Filter: Endpoints must have the specified Web Filter profile applied.
  Application Firewall: Endpoints must have the specified Application Control sensor applied.

Another example of a FortiClient compliance profile is configured as follows:

  • Block endpoints with high or critical vulnerabilities from accessing the network
  • Warn Windows endpoints that have a FortiClient version earlier than 5.6.0
  • Warn endpoints that do not have real-time protection enabled
  • Warn endpoints that do not have up-to-date signatures
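To make the interplay between the two compliance methods and the per-rule actions concrete, here is a small Python model of the evaluation described in the options list and in the example profile above. This is an added example written for this page, not FortiOS or FortiClient code: the Telemetry record layout, the profile field names, the EMS name ems-hq and the endpoint records are all constructed assumptions, and the action taken when an endpoint is not managed by the authorized EMS is assumed, since the page does not state it.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Severity ordering used for the "at or above the configured level" check.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Telemetry:
    """Constructed view of what an endpoint reports over Telemetry (assumed layout)."""
    os: str                        # "windows" or "mac"
    forticlient_version: str       # e.g. "5.6.0"
    managed_by_ems: Optional[str]  # name of the managing EMS, or None if unmanaged
    worst_vuln: Optional[str]      # highest vulnerability severity found, or None
    realtime_protection: bool
    signatures_current: bool


@dataclass
class Profile:
    """Compliance profile mirroring the options on this page (assumed field names)."""
    authorized_ems: Optional[str] = None    # method 1: EMS-managed endpoints are compliant
    ems_action: str = "block"               # assumed action when not managed by that EMS
    vuln_min_severity: Optional[str] = None # method 2 rules follow
    vuln_action: str = "block"
    min_version: dict[str, str] = field(default_factory=dict)  # per-OS minimum version
    version_action: str = "warn"
    require_realtime: bool = False
    realtime_action: str = "warn"
    require_signatures: bool = False
    signatures_action: str = "warn"


def parse_version(v: str) -> tuple[int, ...]:
    # Compare numerically: "5.10.0" is newer than "5.6.0", which a string compare gets wrong.
    return tuple(int(p) for p in v.split("."))


def evaluate(profile: Profile, ep: Telemetry) -> tuple[str, list[str]]:
    """Return (verdict, reasons) where verdict is "compliant", "warn" or "block"."""
    # Method 1: when an EMS is authorized, being managed by it is sufficient for compliance.
    if profile.authorized_ems is not None:
        if ep.managed_by_ems == profile.authorized_ems:
            return "compliant", []
        return profile.ems_action, [f"not managed by authorized EMS {profile.authorized_ems}"]

    # Method 2: evaluate each enabled rule and collect (action, reason) findings.
    findings: list[tuple[str, str]] = []
    if profile.vuln_min_severity is not None and ep.worst_vuln is not None:
        if SEVERITY[ep.worst_vuln] >= SEVERITY[profile.vuln_min_severity]:
            findings.append((profile.vuln_action, f"{ep.worst_vuln} vulnerability present"))
    required = profile.min_version.get(ep.os)   # per-OS minimum; no entry means no check
    if required and parse_version(ep.forticlient_version) < parse_version(required):
        findings.append((profile.version_action,
                         f"FortiClient {ep.forticlient_version} older than {required}"))
    if profile.require_realtime and not ep.realtime_protection:
        findings.append((profile.realtime_action, "realtime protection disabled"))
    if profile.require_signatures and not ep.signatures_current:
        findings.append((profile.signatures_action, "signatures out of date"))

    if not findings:
        return "compliant", []
    # One blocking rule is enough to deny network access; otherwise the endpoint is only warned.
    verdict = "block" if any(action == "block" for action, _ in findings) else "warn"
    return verdict, [reason for _, reason in findings]


# The profile from the example above: block on high/critical vulnerabilities, warn on a
# Windows FortiClient older than 5.6.0, missing realtime protection, or stale signatures.
PAGE_EXAMPLE = Profile(
    vuln_min_severity="high", vuln_action="block",
    min_version={"windows": "5.6.0"}, version_action="warn",
    require_realtime=True, realtime_action="warn",
    require_signatures=True, signatures_action="warn",
)

# A profile with an authorized EMS, so method 1 applies instead (EMS name is made up).
EMS_PROFILE = Profile(authorized_ems="ems-hq")

# Constructed endpoints (not real telemetry data).
ENDPOINTS = {
    "win-old-client": Telemetry("windows", "5.4.1", None, None, True, True),
    "mac-old-client": Telemetry("mac", "5.4.1", None, None, True, True),
    "win-vulnerable": Telemetry("windows", "5.10.2", None, "critical", False, True),
    "win-medium-vuln": Telemetry("windows", "6.0.1", None, "medium", True, False),
    "win-ems-managed": Telemetry("windows", "5.4.1", "ems-hq", "critical", False, False),
}


def demo(profile: Profile = PAGE_EXAMPLE) -> dict[str, str]:
    """Evaluate every constructed endpoint against a profile and return name -> verdict."""
    return {name: evaluate(profile, ep)[0] for name, ep in ENDPOINTS.items()}


if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(name, *evaluate(PAGE_EXAMPLE, ep))
```

Two points the model makes visible: the minimum-version rule is keyed per operating system, so the old macOS client passes while the same version on Windows is warned, and under method 1 the EMS-managed endpoint is compliant even though it would be blocked by every method 2 rule, which is why the EMS authorization itself must be protected.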
