Fortinet Document Library
Version: 6.2.0
FortiClient feature recommendations

When creating deployment packages in FortiClient EMS to deploy FortiClient to endpoints, it is recommended to include different sets of FortiClient features to install depending on the endpoint. Do not install components that are not required. For example, if you have no users who need to access the network remotely, do not install the Remote Access feature.

Endpoint description: No third-party AntiVirus product installed
Recommended features:
  • Security Fabric Agent (Vulnerability Scan)
  • Advanced Persistent Threat (APT) Components (FortiSandbox)
  • AntiVirus, Anti-Exploit
  • Web Filtering

Endpoint description: Only VPN needed (endpoint already has a third-party AntiVirus product installed)
Recommended features:
  • Security Fabric Agent (Vulnerability Scan)
  • Secure Access Architecture Components (SSL and IPsec VPN)

The following lists the recommended options to enable for each feature:

Feature: AntiVirus
Recommended options:
  • Block Access to Malicious Websites
  • Block Known Communication Channels Used by Attackers: This option relies on the Application Firewall engine. Even when the Application Firewall feature itself is not enabled, that engine remains active as long as Block Known Communication Channels Used by Attackers is enabled.
  • Automatically Submit Suspicious Files to FortiGuard for Analysis: Unless restricted by the organizational security policy, it is recommended to enable this option, as it allows faster detection of malicious files.
  • Exclusions: Follow the OS and other software vendors' recommendations to configure AV scan exclusions. It is especially important to configure the recommended exclusions on servers.
  • If FortiClient is deployed on a Windows Server with the Web Filter and Application Firewall components, Block Access to Malicious Websites and Block Known Communication Channels Used by Attackers should be disabled. Scan Email should also be disabled on Windows Servers.

Feature: Web Filter

Feature: VPN
Recommended options:
The following options are available when configuring a VPN tunnel:
  • Allow Non-Administrators to Use Machine Certificates: You must configure the <run_fcauth_system> element. See the FortiClient XML Reference for details.
  • Save Password
  • Auto Connect
  • Enable Local LAN
  • Dead Peer Detection: It is recommended to disable this option on a poor connection, as it can cause dropped connections.
  • Enable Implied SPDO
  • Auto Keep Alive
  • On Connect/On Disconnect Scripts

Feature: Vulnerability Scan
Recommended options:
  • Configure Scheduled Scan
  • Enable Automatic Patching for vulnerabilities rated High and above
  • Some programs, such as Adobe software and Java, cannot be patched automatically. These programs require manual patching. See the FortiClient Administration Guide for details.

Feature: System Settings
Recommended options:
  • UI > Require Password to Disconnect from EMS: A password lock allows end users to disconnect FortiClient from EMS only with a configured password. Instead of disabling the option for users to disconnect, it is recommended to leave it enabled and configure the password lock. Administrators can then disconnect FortiClient with the configured password when needed, which is useful for troubleshooting.
  • Log > Level: It is not recommended to set the log level to Debug except for troubleshooting purposes.
  • Update > Use FortiManager for Client Signature Update: FortiClient otherwise downloads updates directly from FortiGuard servers, so ensure all endpoints can reach the update servers. If a FortiManager or Micro-FortiGuard Server for FortiClient is present, it can be used to distribute signature updates instead.
  • Endpoint Control > Disable Unregister: When enabled, FortiClient cannot disconnect from EMS at all. It is recommended to use Require Password to Disconnect from EMS instead.
  • Endpoint Control > On-Net Subnets and Endpoint Control > Gateway MAC Addresses: See the FortiClient Administration Guide for how FortiClient determines on-net/off-net status. The MAC address list is optional and can only be used together with an on-net subnet configuration.

Since only Vulnerability Scan and AntiVirus are supported on Windows Server machines, it is recommended to create separate installers for servers in which only AntiVirus is enabled. Windows Servers do not support Web Filter or Application Firewall, so these features must be disabled in the server installer.

Note: When creating a deployment package, if Keep updated to the latest patch is enabled, the deployment package is automatically updated when a new FortiClient version is available on FDS servers and is then deployed to endpoints. To control software updates manually, disable this option. It is recommended to disable this option on installers used to deploy FortiClient to servers, to prevent uncontrolled service disruption during a FortiClient upgrade.

If a FortiGate is present, connect Fabric Agent to FortiGate for deep visibility. List the FortiGate IP address in the gateway IP list so the endpoint can connect to the authorized FortiGate.
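The endpoint profiles and the Windows Server restrictions above can be applied as a pre-deployment check on a package definition. The following is an added example and not Fortinet's code: it encodes the recommended feature sets and the server-side "must be disabled" options as data and lints a package against them. The feature and option names are the ones used on this page; the dictionary layout of a package ("target", "features", "options", "keep_updated_to_latest_patch", "policy_restricts_submission") and the sample packages are assumptions of this example, not the EMS export format.

```python
"""Lint a FortiClient EMS deployment-package definition against the
feature recommendations above (added example, not Fortinet's code).

The package dictionary layout used here is an assumption of this example
and is not the EMS export format.
"""

VULN_SCAN = "Security Fabric Agent (Vulnerability Scan)"
SANDBOX = "Advanced Persistent Threat (APT) Components (FortiSandbox)"
VPN = "Secure Access Architecture Components (SSL and IPsec VPN)"

# Endpoint profiles from the recommendations table.
NO_THIRD_PARTY_AV = {VULN_SCAN, SANDBOX, "AntiVirus", "Anti-Exploit", "Web Filtering"}
VPN_ONLY = {VULN_SCAN, VPN}
# Only these components are supported on Windows Server.
SERVER_SUPPORTED = {VULN_SCAN, "AntiVirus"}
# AntiVirus options that must be off when the target is a Windows Server.
SERVER_DISABLED_AV_OPTIONS = (
    "Block Access to Malicious Websites",
    "Block Known Communication Channels Used by Attackers",
    "Scan Email",
)


def recommended_features(third_party_av, needs_vpn, windows_server):
    """Feature set to include in the installer for one endpoint class.

    Assumption of this example: an endpoint that lacks third-party AV and
    also needs VPN gets the full workstation profile plus the VPN component.
    """
    if windows_server:
        return set(SERVER_SUPPORTED)
    features = set(VPN_ONLY) if third_party_av else set(NO_THIRD_PARTY_AV)
    if needs_vpn:
        features.add(VPN)
    else:
        features.discard(VPN)  # do not install components that are not required
    return features


def lint_package(pkg):
    """Return a list of findings; an empty list means the package follows
    the recommendations on this page."""
    findings = []
    features = set(pkg.get("features", ()))
    av = pkg.get("options", {}).get("AntiVirus", {})
    system = pkg.get("options", {}).get("System Settings", {})
    server = pkg.get("target") == "windows_server"

    if server:
        for feature in sorted(features - SERVER_SUPPORTED):
            findings.append(f"{feature!r} is not supported on Windows Server; remove it")
        for opt in SERVER_DISABLED_AV_OPTIONS:
            if av.get(opt):
                findings.append(f"AntiVirus > {opt} should be disabled on Windows Server")
        if pkg.get("keep_updated_to_latest_patch"):
            findings.append("disable 'Keep updated to the latest patch' on server installers")
    if (not av.get("Automatically Submit Suspicious Files to FortiGuard for Analysis")
            and not pkg.get("policy_restricts_submission")):
        findings.append("enable automatic submission of suspicious files unless policy restricts it")
    if system.get("Log > Level") == "Debug":
        findings.append("Log > Level is Debug; use Debug only while troubleshooting")
    if system.get("Endpoint Control > Disable Unregister"):
        findings.append("Disable Unregister is set; use UI > Require Password to Disconnect from EMS instead")
    elif not system.get("UI > Require Password to Disconnect from EMS"):
        findings.append("configure the password lock under UI > Require Password to Disconnect from EMS")
    return findings


# Constructed sample packages for the lint; not real EMS exports.
SERVER_PACKAGE_BAD = {
    "target": "windows_server",
    "features": {VULN_SCAN, "AntiVirus", "Web Filter", "Application Firewall"},
    "options": {
        "AntiVirus": {"Block Access to Malicious Websites": True, "Scan Email": True},
        "System Settings": {"Log > Level": "Debug",
                            "Endpoint Control > Disable Unregister": True},
    },
    "keep_updated_to_latest_patch": True,
}
SERVER_PACKAGE_GOOD = {
    "target": "windows_server",
    "features": {VULN_SCAN, "AntiVirus"},
    "options": {
        "AntiVirus": {"Automatically Submit Suspicious Files to FortiGuard for Analysis": True},
        "System Settings": {"Log > Level": "Info",
                            "UI > Require Password to Disconnect from EMS": True},
    },
    "keep_updated_to_latest_patch": False,
}

if __name__ == "__main__":
    for name, pkg in (("bad", SERVER_PACKAGE_BAD), ("good", SERVER_PACKAGE_GOOD)):
        print(name, lint_package(pkg) or "no findings")
```

Running the block prints eight findings for the constructed bad server package (two unsupported features, two AntiVirus options, the update setting, the missing submission option, the Debug log level and Disable Unregister) and none for the good one; the same checks can be run over a workstation package by setting `target` to any other value, in which case only the System Settings and submission checks apply.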
