Additional compliance options
Depending on the FortiOS configuration, FortiOS uses one of the following methods to determine endpoint compliance. The first option is only available in FortiOS 6.0.0 and later versions. In both cases, FortiClient must be installed on the endpoint and there must be a FortiClient Telemetry connection between FortiClient and the FortiGate.
- An endpoint is considered compliant if its FortiClient is managed by the EMS server authorized in FortiOS.
- An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS. The table below lists the compliance rules administrators can enable or disable in a FortiClient profile.
Group | Option | Description
---|---|---
| Endpoint Vulnerability Scan on Client | Endpoints must not have vulnerabilities at or above the configured severity level.
System Compliance | Minimum FortiClient version | Endpoints must have a FortiClient version installed that is the same as or higher than the configured version. You can set different versions for different operating systems.
System Compliance | Upload Logs to FortiAnalyzer | Endpoints must send the specified logs to FortiAnalyzer. FortiClient must have logging to FortiAnalyzer configured to enable this option.
System Compliance | Check Running Applications | Configure rules for certain applications. You can create a rule that requires a specific application to be running or not running, and can also specify processes and signatures.
Security Posture Check | Realtime Protection | You can specify that endpoints must have:
Security Posture Check | Third party AntiVirus on Windows | Endpoints must run a specified third-party antivirus program.
Security Posture Check | Web Filter | Endpoints must have the specified Web Filter profile applied.
Security Posture Check | Application Firewall | Endpoints must have the specified Application Control sensor applied.
The following is another example of a FortiClient compliance profile. The profile is configured as follows:
- Block endpoints with high or critical vulnerabilities from accessing the network
- Warn Windows endpoints that have a FortiClient version earlier than 5.6.0
- Warn endpoints that do not have real-time protection enabled
- Warn endpoints that do not have up-to-date signatures
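The same profile expressed in the FortiOS CLI, as an added example that is not part of the original page. The attribute names under `config endpoint-control profile` are assumed from the FortiOS 6.0 CLI reference as recalled here and must be verified on your firmware with `?` at the CLI prompt before use; the profile name `example-compliance` is invented, and the `#` lines are comments for the reader. Each stanza maps to one of the bullets above: the vulnerability scan rule carries its own compliance action (block), while the minimum-version check inherits the System Compliance action and the real-time protection and signature checks inherit the Security Posture Check action (both warning).

```fortios
config endpoint-control profile
    edit "example-compliance"
        config forticlient-winmac-settings
            # Block endpoints with high or critical vulnerabilities.
            # "high" enforces that severity and everything above it.
            set forticlient-vuln-scan enable
            set forticlient-vuln-scan-compliance-action block
            set forticlient-vuln-scan-enforce high
            # Warn Windows endpoints running FortiClient earlier than 5.6.0.
            # The action is set once for the System Compliance group.
            set forticlient-system-compliance enable
            set forticlient-system-compliance-action warning
            set forticlient-minimum-software-version enable
            set forticlient-win-ver "5.6.0"
            # Warn endpoints without real-time protection or up-to-date
            # signatures. The action is set once for the Security Posture
            # Check group.
            set forticlient-security-posture enable
            set forticlient-security-posture-compliance-action warning
            set av-realtime-protection enable
            set av-signature-up-to-date enable
        end
    next
end
```

After applying the profile, confirm the result from the FortiGate side with `diagnose endpoint record list`, which shows each registered endpoint's compliance status, rather than trusting the configuration alone: an endpoint without a Telemetry connection never evaluates these rules and is handled by the registration action, not by any of the settings above.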