EMS Administration Guide

System Settings

The majority of these configuration options are only available for Windows, macOS, and Linux profiles. Options available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager, are indicated as such in the table below.

Some options are only available when Advanced view is enabled.

Configuration

Description

UI

Specify how the FortiClient user interface appears when installed on endpoints.

Require Password to Disconnect from EMS

Turn on password lock for FortiClient.

 

Password

Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.

Do Not Allow User to Back Up Configuration

Disallow users from backing up the FortiClient configuration.

Hide System Tray Icon

Hide the FortiClient system tray icon.

Show Host Tag on FortiClient GUI

Show the applied host tag on the FortiClient GUI. See Compliance Verification.

Language

Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following:

  • os-default (System operating language, selected by default)
  • zh-tw (Taiwanese Mandarin)
  • cs-cz (Czech)
  • de-de (German)
  • en-us (United States English)
  • fr-fr (French)
  • hu-hu (Hungarian)
  • ru-ru (Russian)
  • ja-jp (Japanese)
  • ko-kr (Korean)
  • pt-br (Brazilian Portuguese)
  • sk-sk (Slovak)
  • es-es (Spanish)
  • zh-cn (Chinese (Simplified))
  • et-ee (Estonian)
  • lv-lv (Latvian)
  • lt-lt (Lithuanian)
  • fi-fi (Finnish)
  • sv-se (Swedish)
  • da-dk (Danish)
  • pl-pl (Portuguese (Portugal))
  • nb-no (Norwegian)

Log

Specify FortiClient log settings.

Level

This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following:

  • Emergency: The system becomes unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An error condition exists and may affect functionality.
  • Warning: Functionality could be affected.
  • Notice: Information about normal events.
  • Info: General information about system operations.
  • Debug: Debug FortiClient.

Features

Select features to generate logs for:

  • AntiVirus
  • Application Firewall
  • Telemetry
  • FSSOMA
  • Proxy
  • IPsec VPN
  • AntiExploit
  • SSL VPN
  • Update
  • Vulnerability
  • Web Filter
  • Sandbox

Client-Based Logging When On-Net

Include local log messages when FortiClient is onnet. For information about the onnet feature, see the FortiClient Administration Guide.

Upload Logs to FortiAnalyzer/FortiManager

This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname.

If the Send Software Inventory option below is also enabled, FortiClient also sends software inventory information to FortiAnalyzer or FortiManager.

 

Upload UTM Logs

Upload unified threat management logs to FortiAnalyzer.

 

Upload Vulnerability Logs

Upload vulnerability logs to FortiAnalyzer.

 

Upload Event Logs

Upload event logs to FortiAnalyzer.

 

Send Software Inventory

Send software inventory to FortiAnalyzer.

 

IP Address/Hostname

Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging.

If using a port other than the default, use <address>:<port>.

 

SSL Enabled

Enable SSL.

 

Upload Schedule (minutes)

Configure the upload schedule in minutes.

 

Log Generation Timeout (seconds)

Configure the log generation timeout in seconds.

 

Log Retention (days)

Configure the duration of time to retain logs in days.

Proxy

 

 

Use Proxy for Updates

Access FortiGuard using the configured proxy.

 

Connect to FDN Directly If Proxy Is Offline

Connect to FDN directly if proxy is offline.

Use Proxy for Virus Submission

Use the configured proxy to submit viruses to FortiGuard.

 

Type

Configure the type. Options include:

  • http
  • socks4
  • socks5

 

IP Address/Hostname

Enter the proxy server's IP address/hostname.

 

Port

Enter the proxy server's port number. The port range is from 1 to 65535.

 

Username

If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.

 

Password

If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted password. Enable Show Password to show the password in plain text.

Update

Specify whether to use FortiManager or Micro-FortiGuard Server for FortiClient to update FortiClient on endpoints.

Use FortiManager for Client Signature Update

Enable FortiClient EMS to obtain AV signatures from the FortiManager or Micro-FortiGuard Server for FortiClient at the specified IP address or hostname.

 

IP Address/Hostname

Enter the FortiManager IP address/hostname.

 

Port

Enter the port number.

 

Failover Port

Enter the failover port.

 

Timeout

Enter the timeout interval.

 

Failover to FDN When FortiManager Is Not Available

Fail over to FDN when FortiManager or Micro-FortiGuard Server for FortiClient is not available.

Software Update

 

Automatically update FortiClient software on endpoints.

 

Update Action

Select the option to implement when new software updates are available:

  • Notify Only

    The Update Action is set to Disabled. The Advanced XML configuration should be:

    <update_action>disable</update_action>

  • Download And Install

Scheduled Updates

 

Configure the schedule to check for new software updates and signatures.

 

Schedule Type

Select Interval or Daily for your schedule time.

 

Update Every

Configure the interval to check for new software updates and signatures.

FortiGuard Server Location

Configure FortiGuard server location to Nearest or US.

If Nearest is selected, the endpoint connects to the FortiGuard server whose IP address is provided by the DNS server.

If US is selected, the endpoint can only connect to FortiGuard servers available in the United States and does not attempt to access a FortiGuard server outside the U.S.

FortiProxy

Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options.

HTTPS Proxy

Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic.

 

HTTP Timeout

Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response.

POP3 Client Comforting

Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.

POP3 Server Comforting

Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. This may be used in a situation where FortiClient is installed on a mail server.

SMTP Client Comforting

Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.

Self Test

FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by sending packets periodically to 1.1.1.1, which are intercepted by FortiClient and dropped (they never leave the computer). If the packets are not detected, then it is deemed highly likely that third party software is intercepting the packets, signaling that FortiProxy cannot perform regular traffic filtering.

Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic.

 

Notify

Display a bubble notification when self-testing detects that a third party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning.

 

Last Port

Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use this to prevent FortiProxy from binding to a port that another service normally uses.

The available port range is 65535 to 10000.

Endpoint Control

Show Bubble Notifications

Show bubble notifications when FortiClient installs new policies on endpoints.

Silent Registration

Enable silent connection of endpoints, which means that endpoints are connected to FortiGate or EMS without user interaction. Turn off to require user interaction to connect endpoints.

Log off When User Logs Out of Windows

Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.

Disable Unregister

Forbid users from disconnecting FortiClient from FortiClient EMS.

Disable FortiGate Switch

Disable FortiGate switch. When the FortiGate switch is disabled, the following occurs:

  • FortiClient does not probe the default gateway.
  • FortiClient does not automatically connect to the default gateway.
  • FortiClient ignores FortiGate broadcasts.
  • The discovered list displays only predefined FortiGates, if discovered.

Hide Compliance Enforcement Feature Message from Compliance Tab

Hide the compliance enforcement feature message from the Compliance & Telemetry tab. This option is only enforced on FortiClients connected to FortiClient EMS. This option does not apply to monitored clients.

This option only applies for endpoints running FortiClient versions earlier than 6.2.0.

On-Net Subnets

Turn on to enable onnet subnets.

For details on how FortiClient determines onnet/offnet status, see the FortiClient Administration Guide.

 

IP Addresses/Subnet Masks

Enter IP addresses/subnet mask to connect to onnet subnets.

 

Gateway MAC Address

Enable gateway MAC address.

 

MAC Addresses

Enter MAC addresses.

Send Software Inventory

Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory.

Other

 

Install CA Certificate on Client

Turn on to select and install a CA certificate on the FortiClient endpoint.

You can add certificates by going to Profile Components > Manage CA Certificates.

FortiClient Single Sign-On Mobility Agent

Select to enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator.

 

IP Address/Hostname

Enter the FortiAuthenticator IP address or hostname.

 

Port

Enter the port number.

 

Pre-Shared Key

Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.

iOS

 

Distribute Configuration Profile

Enable and browse for your .mobileconfig file to distribute the configuration profile.

Privacy

 

 

Send Usage Statistics to Fortinet

 

Submit virus information to FDS. This information is used to improve Fortinet's product quality and user experience.
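
A lint pass over the value constraints this table states (proxy type and port range, FortiProxy Last Port range, the Chromebook FortiAnalyzer URL format, log level ordering), as an added example that is not Fortinet code. The profile is a plain dict whose key names are hypothetical, not EMS XML or API fields; the SSL and empty-password checks are hardening checks chosen here, not rules from the page.

```python
from urllib.parse import urlsplit

PROXY_TYPES = {"http", "socks4", "socks5"}  # Proxy > Type options listed in the table
# Log > Level names from the table, most critical first
LOG_LEVELS = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]


def logged_levels(selected):
    """Levels generated at a setting: equal to and more critical than it."""
    return LOG_LEVELS[: LOG_LEVELS.index(selected.lower()) + 1]


def valid_port(value, low=1, high=65535):
    return (isinstance(value, int) and not isinstance(value, bool)
            and low <= value <= high)


def valid_chromebook_faz_url(url):
    """Chromebook profiles use the format https://FAZ-IP:port/logging."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError if the port is non-numeric or > 65535
    except ValueError:
        return False
    return (parts.scheme == "https" and bool(parts.hostname)
            and valid_port(port) and parts.path == "/logging")


def lint_profile(p):
    """Return findings for a profile dict. All key names are hypothetical."""
    findings = []
    if p.get("use_proxy_for_updates") or p.get("use_proxy_for_virus_submission"):
        if p.get("proxy_type") not in PROXY_TYPES:
            findings.append("proxy_type must be http, socks4 or socks5")
        if not p.get("proxy_address"):
            findings.append("proxy_address is empty")
        if not valid_port(p.get("proxy_port")):
            findings.append("proxy_port outside 1-65535")
    if p.get("fortiproxy_enabled") and not valid_port(
            p.get("fortiproxy_last_port"), 10000, 65535):
        findings.append("fortiproxy_last_port outside 10000-65535")
    if p.get("upload_logs"):
        if p.get("chromebook"):
            if not valid_chromebook_faz_url(p.get("log_server") or ""):
                findings.append("log_server must be https://FAZ-IP:port/logging")
        elif not p.get("ssl_enabled"):
            # Hardening check added here, not a requirement stated in the table.
            findings.append("log upload configured with SSL Enabled off")
    if p.get("require_password_to_disconnect") and not p.get("disconnect_password"):
        findings.append("password lock is on but no password is set")
    if str(p.get("log_level", "info")).lower() not in LOG_LEVELS:
        findings.append("log_level is not one of the eight listed levels")
    return findings


# Constructed sample profile (values invented for this example).
SAMPLE = {
    "use_proxy_for_updates": True, "proxy_type": "https",
    "proxy_address": "proxy.example.test", "proxy_port": 8080,
    "fortiproxy_enabled": True, "fortiproxy_last_port": 8080,
    "upload_logs": True, "chromebook": True, "log_server": "192.0.2.10:514",
    "require_password_to_disconnect": True, "disconnect_password": "",
    "log_level": "Warning",
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print("FINDING:", finding)
```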
