Vulnerability Scan

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

If you enable both Automatic Maintenance and Scheduled Scan, FortiClient EMS only uses the Automatic Maintenance settings.

Configuration		Description
Vulnerability Scan		Enable or disable Vulnerability Scan.
Scanning
	Scan on Registration	Scan endpoints upon connecting to a FortiGate.
	Scan on Vulnerability Signature Update	Scan endpoints upon updating a vulnerability signature.
	Scan for OS Updates	Scan for OS updates.
	Enable Proxy	Enable proxy.
Automatic Maintenance		Configure settings for automatic maintenance. This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient Vulnerability Scans to the Windows automatic maintenance queue allows the system to choose an appropriate time for the scan that has minimal impact to the user, PC performance, and energy efficiency. See Automatic Maintenance.
	Period	Specify how often Vulnerability Scan needs to be started during automatic maintenance. Enter the desired number of days.
	Deadline	Specify when Windows must start Vulnerability Scan during emergency automatic maintenance, if Vulnerability Scan did not complete during regular automatic maintenance. Enter the desired number of days. This value must be greater than the Period value.
Scheduled Scan		Configure settings for scheduled scanning.
	Schedule Type	Configure either Daily, Weekly, Monthly.
	Scan On	Configure the day the scan runs. Select 1st-31st of the month for a monthly scan, or Sunday to Saturday for a weekly scan.
	Start At	Configure the time the scan starts.
Automatic Patching
	Patch Level	When enabled, FortiClient installs patches automatically when it detects vulnerabilities. Select one of the following: Critical: Patch critical vulnerabilities only High: Patch high severity, and above, vulnerabilities Medium: Patch medium severity, and above, vulnerabilities Low: Patch low severity, and above, vulnerabilities All: Patch all vulnerabilities. Automatic patching may require endpoint reboot.
Exclusions
	Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check	When enabled, all applications that require the endpoint user to manually patch vulnerabilities are excluded from vulnerability compliance check. Even if compliance is enabled for FortiClient in managed mode and FortiGate compliance rules require it, you do not need to install manual software patches required for application vulnerabilities within the specified time frame to maintain compliant status and network access. This option does not exclude applications from vulnerability scanning.
	Exclude Selected Applications from Vulnerability Compliance Check	In the <number> Applications list, click the applications to exclude from vulnerability compliance check, and they are automatically moved to the <number> Excluded Applications list. In the <number> Excluded Applications list, click the applications to remove from the exclusion list. Applications on the exclusion list are exempt from needing to install software patches within the timeframe specified in FortiGate compliance rules to maintain compliant status and network access. Applications on the list are not excluded from vulnerability scanning.
	Disable Automatic Patching for These Applications	Disable automatic patching for the applications excluded from vulnerability compliance check.

Configuration	Description
Vulnerability Scan	Enable or disable Vulnerability Scan.
Scanning
	Scan on Registration	Scan endpoints upon connecting to a FortiGate.
	Scan on Vulnerability Signature Update	Scan endpoints upon updating a vulnerability signature.
	Scan for OS Updates	Scan for OS updates.
	Enable Proxy	Enable proxy.
Automatic Maintenance	Configure settings for automatic maintenance. This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient Vulnerability Scans to the Windows automatic maintenance queue allows the system to choose an appropriate time for the scan that has minimal impact to the user, PC performance, and energy efficiency. See Automatic Maintenance.
	Period	Specify how often Vulnerability Scan needs to be started during automatic maintenance. Enter the desired number of days.
	Deadline	Specify when Windows must start Vulnerability Scan during emergency automatic maintenance, if Vulnerability Scan did not complete during regular automatic maintenance. Enter the desired number of days. This value must be greater than the Period value.
Scheduled Scan	Configure settings for scheduled scanning.
	Schedule Type	Configure either Daily, Weekly, Monthly.
	Scan On	Configure the day the scan runs. Select 1st-31st of the month for a monthly scan, or Sunday to Saturday for a weekly scan.
	Start At	Configure the time the scan starts.
Automatic Patching
	Patch Level	When enabled, FortiClient installs patches automatically when it detects vulnerabilities. Select one of the following: Critical: Patch critical vulnerabilities only High: Patch high severity, and above, vulnerabilities Medium: Patch medium severity, and above, vulnerabilities Low: Patch low severity, and above, vulnerabilities All: Patch all vulnerabilities. Automatic patching may require endpoint reboot.
Exclusions
	Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check	When enabled, all applications that require the endpoint user to manually patch vulnerabilities are excluded from vulnerability compliance check. Even if compliance is enabled for FortiClient in managed mode and FortiGate compliance rules require it, you do not need to install manual software patches required for application vulnerabilities within the specified time frame to maintain compliant status and network access. This option does not exclude applications from vulnerability scanning.
	Exclude Selected Applications from Vulnerability Compliance Check	In the <number> Applications list, click the applications to exclude from vulnerability compliance check, and they are automatically moved to the <number> Excluded Applications list. In the <number> Excluded Applications list, click the applications to remove from the exclusion list. Applications on the exclusion list are exempt from needing to install software patches within the timeframe specified in FortiGate compliance rules to maintain compliant status and network access. Applications on the list are not excluded from vulnerability scanning.
	Disable Automatic Patching for These Applications	Disable automatic patching for the applications excluded from vulnerability compliance check.

Configuration

Description

Vulnerability Scan

Enable or disable Vulnerability Scan.

Scanning

Scan on Registration

Scan endpoints upon connecting to a FortiGate.

Scan on Vulnerability Signature Update

Scan endpoints upon updating a vulnerability signature.

Scan for OS Updates

Scan for OS updates.

Enable Proxy

Enable proxy.

Automatic Maintenance

Configure settings for automatic maintenance. This configures Vulnerability Scan to run as part of Windows automatic maintenance. Adding FortiClient Vulnerability Scans to the Windows automatic maintenance queue allows the system to choose an appropriate time for the scan that has minimal impact to the user, PC performance, and energy efficiency. See Automatic Maintenance.

Period

Specify how often Vulnerability Scan needs to be started during automatic maintenance. Enter the desired number of days.

Deadline

Specify when Windows must start Vulnerability Scan during emergency automatic maintenance, if Vulnerability Scan did not complete during regular automatic maintenance. Enter the desired number of days.

This value must be greater than the Period value.

Scheduled Scan

Configure settings for scheduled scanning.

Schedule Type

Configure either Daily, Weekly, Monthly.

Scan On

Configure the day the scan runs. Select 1st-31st of the month for a monthly scan, or Sunday to Saturday for a weekly scan.

Start At

Configure the time the scan starts.

Automatic Patching

Patch Level

When enabled, FortiClient installs patches automatically when it detects vulnerabilities. Select one of the following:

Critical: Patch critical vulnerabilities only
High: Patch high severity, and above, vulnerabilities
Medium: Patch medium severity, and above, vulnerabilities
Low: Patch low severity, and above, vulnerabilities
All: Patch all vulnerabilities.

Automatic patching may require endpoint reboot.

Exclusions

Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check

When enabled, all applications that require the endpoint user to manually patch vulnerabilities are excluded from vulnerability compliance check.

Even if compliance is enabled for FortiClient in managed mode and FortiGate compliance rules require it, you do not need to install manual software patches required for application vulnerabilities within the specified time frame to maintain compliant status and network access.

This option does not exclude applications from vulnerability scanning.

Exclude Selected Applications from Vulnerability Compliance Check

In the <number> Applications list, click the applications to exclude from vulnerability compliance check, and they are automatically moved to the <number> Excluded Applications list.

In the <number> Excluded Applications list, click the applications to remove from the exclusion list.

Applications on the exclusion list are exempt from needing to install software patches within the timeframe specified in FortiGate compliance rules to maintain compliant status and network access.

Applications on the list are not excluded from vulnerability scanning.

Disable Automatic Patching for These Applications

Disable automatic patching for the applications excluded from vulnerability compliance check.

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Table of Contents

EMS Administration Guide

Vulnerability Scan

Vulnerability Scan