Administration Guide

FortiGate and FortiClient Compliance profiles

In FortiOS, administrators can configure a FortiClient Compliance profile and apply the profile to endpoints. The profile achieves the following goals:

  • Defines compliance rules for endpoint access to the network through FortiGate
  • Defines the non-compliance action for FortiGate, that is, how FortiGate handles endpoints that fail to comply with the compliance rules

Compliance rules

FortiGate compliance rules define what configuration FortiClient software and the endpoint must have for the endpoint to maintain access to the network through FortiGate.

FortiOS 6.0.0 and later versions use one of the following two methods to determine endpoint compliance. The FortiOS configuration determines which method is used. FortiOS versions prior to 6.0.0 only use the second method below to determine endpoint compliance. In both cases, FortiClient must be installed on the endpoint.

  1. An endpoint is considered compliant if FortiClient is managed by the EMS server authorized in FortiOS.
  2. An endpoint is considered compliant if it complies with the specific compliance rules configured in FortiOS. The following list shows a sample of the compliance rules administrators can enable or disable in a FortiClient profile using the FortiOS GUI:
    • Telemetry data
    • Endpoint Vulnerability Scan on client
    • System compliance:
      • Minimum FortiClient version
      • What log types FortiClient will send to FortiAnalyzer
      • Which applications/processes are running on the client; a rule may also require a specific signature for the process

        Configuring compliance rules for running applications requires using the FortiOS CLI to set the following fields: application-check-rule, process-name, and app-sha256-signature. The app-sha256-signature field is optional. See the FortiOS CLI Reference.

    • Security posture check:
      • Realtime protection
      • Third party AV on Windows
      • Web filter
      • Application firewall

Administrators can also define additional compliance rules using the FortiOS CLI.

Although the compliance rules define what configuration FortiClient software and the endpoint must have, the FortiClient profile from FortiGate does not include any configuration information. The endpoint user or administrator is responsible for configuring FortiClient to adhere to the compliance rules. An administrator can use EMS to configure FortiClient.

Non-compliance action

In addition to compliance rules, the FortiClient profile also defines how FortiGate handles non-compliant endpoints. FortiGate can block and quarantine endpoints, or FortiGate can warn endpoints about the non-compliance but allow network access. Administrators set the rules and non-compliance action using FortiOS, and FortiGate enforces the rules.

FortiOS 5.6.0 and later versions allow FortiGate to enforce compliance rules for FortiClient endpoints.

FortiClient displays compliant and non-compliant status and information about how endpoint users can return non-compliant endpoints to a compliant state. The administrator or endpoint user is responsible for reading the information in FortiClient and updating FortiClient software on the endpoint to adhere to the compliance rules. Endpoint users can edit settings in FortiClient not controlled by the compliance rules or EMS.
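As an added illustration of how the compliance rules above and the non-compliance action combine (this is a model written for this page, not FortiOS code or Fortinet's evaluation logic), the following Python script evaluates a profile that pins a minimum FortiClient version and uses the running-application fields the page names: process-name, application-check-rule (the values present/absent are assumed) and the optional app-sha256-signature. The sample endpoints and executable bytes are constructed; the point is that a process carrying the expected name but a different image hash does not satisfy a signature-pinned rule.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class RunningAppRule:  # the page's CLI fields: process-name, application-check-rule, app-sha256-signature
    process_name: str
    application_check_rule: str           # "present" or "absent" (values assumed for this model)
    app_sha256_signature: Optional[str] = None

@dataclass
class Profile:
    minimum_forticlient_version: str
    running_app_rules: List[RunningAppRule]
    non_compliance_action: str            # "block" (quarantine) or "warn" (access still allowed)

@dataclass
class Endpoint:
    forticlient_version: str
    running_processes: Dict[str, bytes]   # process name -> executable image (constructed)

def version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def failed_rules(profile: Profile, endpoint: Endpoint) -> List[str]:
    """One reason per failed rule; an empty list means the endpoint is compliant."""
    failures = []
    if version_tuple(endpoint.forticlient_version) < version_tuple(profile.minimum_forticlient_version):
        failures.append(f"forticlient version {endpoint.forticlient_version} < {profile.minimum_forticlient_version}")
    for rule in profile.running_app_rules:
        image = endpoint.running_processes.get(rule.process_name)
        # With a pinned hash, a same-named process whose image hashes differently does not count as present
        present = image is not None and (
            rule.app_sha256_signature is None or sha256_hex(image) == rule.app_sha256_signature)
        if rule.application_check_rule == "present" and not present:
            failures.append(f"required process {rule.process_name} missing or signature mismatch")
        elif rule.application_check_rule == "absent" and image is not None:
            failures.append(f"prohibited process {rule.process_name} running")
    return failures

def decide(profile: Profile, endpoint: Endpoint) -> str:
    # "allow" when compliant, otherwise the profile's configured non-compliance action
    return "allow" if not failed_rules(profile, endpoint) else profile.non_compliance_action

# Constructed sample data: a trusted AV image, and an endpoint running a same-named impostor process
TRUSTED_AV_IMAGE = b"constructed bytes standing in for the real AV executable"
PROFILE = Profile("6.0.0", [RunningAppRule("av_service.exe", "present", sha256_hex(TRUSTED_AV_IMAGE)),
                            RunningAppRule("remote_admin.exe", "absent")], "block")
COMPLIANT = Endpoint("6.0.3", {"av_service.exe": TRUSTED_AV_IMAGE})
IMPOSTER = Endpoint("6.0.3", {"av_service.exe": b"different bytes, same file name"})
```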

Compliance rules configured using the CLI

When using FortiOS to create FortiClient profiles, administrators can configure some rules only by using the FortiOS CLI. Administrators must use the CLI to configure the following options:

  • Allowed OS for endpoints
  • Registry entries for endpoints
  • File in the file system on endpoints

See the FortiOS CLI Reference.
