Administration Guide

FortiGate only

The versions of FortiClient and FortiOS do not affect the on-net, off-net, or online status. The following examples show how the endpoint status is determined when FortiClient is connected to FortiGate only:

  • The endpoint has an on-net status when the endpoint is behind a FortiGate and receives option 224 with the FortiGate serial number. In this case, FortiGate is the DHCP server, and FortiGate checks that the serial number matches its own serial number.
  • The endpoint has an on-net status when the endpoint is inside one of the on-net subnets defined by FortiGate. You can configure on-net subnets in the FortiClient Compliance profile using the FortiOS CLI and the set on-net addr command.
  • The endpoint has an off-net status when the endpoint is outside of the FortiGate network, such as when it is connected through an external interface or has not received option 224 with the FortiGate serial number.
  • The endpoint has an offline status when the endpoint cannot connect FortiClient Telemetry to FortiGate and the endpoint is outside one of the on-net networks, even when option 224 and the FortiGate serial number are configured.
  • The endpoint has an offline on-net status when the endpoint is inside one of the on-net networks, but cannot connect FortiClient Telemetry to FortiGate.

For FortiClient to be in an on-net network, the IP address of FortiGate or EMS should be routed via the IP address from the on-net network.
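
The rules above, written out as a small decision function for auditing endpoint records (an added example, not Fortinet code). The function names, inputs, sample subnets and serial number are constructed for illustration, and the example reads the on-net and off-net cases as applying while FortiClient Telemetry is connected.

```python
import ipaddress

# Constructed sample values, not taken from any real deployment.
FGT_SERIAL = "FGT-EXAMPLE-0001"
ON_NET_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]


def endpoint_status(ip, option224_serial, telemetry_connected,
                    fgt_serial=FGT_SERIAL, on_net_subnets=ON_NET_SUBNETS):
    """Return the status of one endpoint according to the listed rules."""
    addr = ipaddress.ip_address(ip)
    in_subnet = any(addr in ipaddress.ip_network(n) for n in on_net_subnets)
    # Option 224 only counts when the serial it carries matches the FortiGate.
    serial_ok = option224_serial is not None and option224_serial == fgt_serial

    if telemetry_connected:
        # Either the matching option 224 or an on-net subnet gives on-net.
        return "on-net" if (serial_ok or in_subnet) else "off-net"
    # Without Telemetry, option 224 no longer helps: only the subnet decides
    # between "offline on-net" and "offline".
    return "offline on-net" if in_subnet else "offline"


def classify(endpoints):
    """Map each endpoint name to its status for a list of record dicts."""
    return {
        e["name"]: endpoint_status(e["ip"], e["opt224"], e["telemetry"])
        for e in endpoints
    }


# Constructed endpoint records covering each rule.
SAMPLE = [
    {"name": "dhcp-lan", "ip": "172.16.9.5", "opt224": FGT_SERIAL, "telemetry": True},
    {"name": "static-lan", "ip": "10.10.4.20", "opt224": None, "telemetry": True},
    {"name": "remote", "ip": "203.0.113.7", "opt224": None, "telemetry": True},
    {"name": "dhcp-no-tel", "ip": "172.16.9.5", "opt224": FGT_SERIAL, "telemetry": False},
    {"name": "lan-no-tel", "ip": "10.10.4.20", "opt224": None, "telemetry": False},
]

if __name__ == "__main__":
    for name, status in classify(SAMPLE).items():
        print(f"{name:12} {status}")
```

The `dhcp-no-tel` record is the case worth checking in an audit: the endpoint holds a valid option 224 serial number but is still reported as offline because it is outside the on-net subnets and Telemetry is down.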
