Update settings
The <update></update> XML tags contain update-related information. Use this field to specify how FortiClient performs updates from FDN servers.
<forticlient_configuration>
<system>
<update>
<use_custom_server>0</use_custom_server>
<restrict_services_to_regions/>
<use_legacy_fdn>1</use_legacy_fdn>
<server></server>
<port>80</port>
<fail_over_servers>server1.fortinet.com:8008;172.81.30.6:80;server2.fortinet.com:80</fail_over_servers>
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
<use_proxy_when_fail_over_to_fdn>1</use_proxy_when_fail_over_to_fdn>
<auto_patch>1</auto_patch>
<update_action>notify_only</update_action>
<scheduled_update>
<enabled>1</enabled>
<type>interval</type>
<daily_at>03:00</daily_at>
<update_interval_in_hours>3</update_interval_in_hours>
</scheduled_update>
<submit_virus_info_to_fds>0</submit_virus_info_to_fds>
<submit_vuln_info_to_fds>1</submit_vuln_info_to_fds>
</update>
</system>
</forticlient_configuration>
The following table provides the XML tags for update settings, as well as the descriptions and default values where applicable.
| XML tag | Description | Default value |
| --- | --- | --- |
| <use_custom_server> | Define a custom server for updates. When the Boolean value is set to 0, FortiClient uses the default FDN server address. When the Boolean value is set to 1, you must specify the address in <update><server>. This setting is typically used when specifying a FortiManager as your update server. Boolean value: [0 \| 1] | 0 |
| <restrict_services_to_regions> | Define whether to restrict the FDN server location to U.S.-only, or to use the nearest FDN server. To restrict to U.S.-only FDN server locations, set to USA, as follows: <restrict_services_to_regions>USA</restrict_services_to_regions>. Otherwise, leave blank. This is the default configuration. | |
| <use_legacy_fdn> | When enabled, update tasks use HTTP to connect to myforticlient.fortinet.net. When disabled, the following occurs: (1) Update tasks use HTTPS to connect to: fctupdate.fortinet.net (global region), fctusupdate.fortinet.net (US region), fcteuupdate.fortinet.net (EU region). (2) FortiClient checks the FortiGuard certificate validity: expires in the future; has a valid domain name; is signed by one of the three CAs: Verisign, Digicert, and Comodo. (3) FortiClient checks that the certificate is not revoked. By default, FortiClient connects to FDS via HTTPS. You can configure strict mode to check the certificate before connecting to FDS servers. | 1 |
| <server> | Enter the update server's IP address or FQDN. Use when <use_custom_server> is set to 1. Optionally, you can specify the port number. You can specify multiple addresses using a semicolon-delimited list. For example, 10.10.10.1:80;10.10.10.2:8080;172.16.10.80;www.myfortimanager.net. In this example, FortiClient tries each server specified in order until one works or they all fail. | |
| <port> | Enter the update server's port number. If a port number is not specified in <update><server>, FortiClient uses this port. Port range: 1 to 65535 | 80 |
| <fail_over_servers> | Enter the update servers to try if FortiClient cannot reach the primary server. Separate multiple servers with a semicolon. Specify each server as an IP address or FQDN, followed by a colon and the port number if applicable. | |
| <timeout> | Enter the connection timeout, in seconds, when attempting to reach a custom update server. If a server is reachable but not responding to update requests, the actual timeout is longer. The timeout specified is applied three times to one <server>:<port> pair before FortiClient gives up on this pair. If <failoverport> is specified, and greater than 0, there are a total of six attempts (three attempts for <server>:<port>, three attempts for <server>:<failoverport>). | 60 |
| <failoverport> | Failover port number. If FortiClient cannot reach the update server via the port specified in <server> or <port>, FortiClient tries the same address with this port. Port range: 1 to 65535 | 8000 |
| <fail_over_to_fdn> | Determines whether or not to use FDN servers if communication with custom <server> fails. If the Boolean value is set to 1, <use_custom_server> is set to 1, and the update server specified by <server> cannot be reached, then FortiClient tries the default public FDN server. This is tried only if FortiClient has exhausted all other custom update server options. Boolean value: [0 \| 1] | 1 |
| <use_proxy_when_fail_over_to_fdn> | Supports failover to FDN servers if FortiClient uses a proxy server defined with <forticlient_configuration><system><proxy> and <fail_over_to_fdn> is set to 1. Set <use_proxy_when_fail_over_to_fdn> to 1 to fail over to FDN servers. This element is ignored when no proxy server is defined with <forticlient_configuration><system><proxy>. Boolean value: [0 \| 1] | 1 |
| <auto_patch> | Determines whether to automatically check for software updates. This setting is used with <update_action>. If enabled, FortiClient automatically checks for updates and takes the action specified by <update_action>. Boolean value: [0 \| 1] | 0 |
| <update_action> | This setting applies to software updates only. FortiClient (macOS) supports only the notify_only and disable options. Enter one of the following. download_and_install: Automatically downloads and installs software updates with no user intervention. The computer reboots automatically if needed. download_only: Automatically downloads software updates, but does not install them. The user can install the software update by following the message prompt. notify_only: Displays a message when a software update becomes available. The user triggers the update by following the message prompt. disable: Disables online software updates. You can only achieve software updates by manually downloading and installing newer installation packages. | notify_only |
| <submit_virus_info_to_fds> | Enable submitting virus information to FDN. Boolean value: [0 \| 1] | 1 |
| <submit_vuln_info_to_fds> | Enable submitting vulnerability statistics to FDN. When set to 1, send vulnerability detection statistics from the vulnerability scanner to FDN. When set to 0, do not send vulnerability statistics to FDN. Boolean value: [0 \| 1] | 1 |
<scheduled_update> elements
Use these elements to define when FortiClient should look for engine, signature, and software updates, if enabled.
| XML tag | Description | Default value |
| --- | --- | --- |
| <enabled> | Enable scheduled updates. Boolean value: [0 \| 1] | 1 |
| <type> | Update frequency: daily or at regular hourly intervals. Enter one of the following: daily or interval. | interval |
| <daily_at> | Time of day, in the format HH:MM (24-hour clock). This field is mandatory if the <type> tag is set to daily. It specifies the time that FortiClient should check for updates. | |
| <update_interval_in_hours> | Update interval in hours if the <type> tag is set to interval. This field specifies the frequency that FortiClient should check for updates. The minimum value is 1, the maximum value is 24. | 3 |
When <use_custom_server> is 0 or both <server> and <fail_over_servers> are each an empty (null) string, FortiClient only uses the default FDN server for software updates. If a string is specified in <server> and communication fails with that server, each of the servers specified in <fail_over_servers> is tried until one succeeds. If that also fails, then software updates are not possible unless <fail_over_to_fdn> is set to 1.
If communication fails with the server(s) specified in both <server> and <fail_over_servers>, <fail_over_to_fdn> determines the next course of action as listed below:
| <server> and <fail_over_servers> | <fail_over_to_fdn> | Result |
| --- | --- | --- |
| “” (empty strings) | 0 | FortiClient only uses the FDN server. |
| “” (empty strings) | 1 | FortiClient only uses the FDN server. |
| “xyz” (valid IP address) | 0 | FortiClient never uses the FDN server. |
| “xyz” (valid IP address) | 1 | FortiClient only uses the FDN server as failover. |
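The failover order and attempt counts described above, worked through in Python as an added example (not Fortinet code): it parses an <update> block and reports the custom server:port pairs tried in order, whether FDN is used, and the FDN transport implied by <use_legacy_fdn>. The function names and the sample are constructed here; applying the three-attempt rule and the <port> default to <fail_over_servers> entries is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: values borrowed from the page's examples, custom server enabled.
SAMPLE = """<forticlient_configuration><system><update>
<use_custom_server>1</use_custom_server>
<use_legacy_fdn>1</use_legacy_fdn>
<server>10.10.10.1:80;www.myfortimanager.net</server>
<port>80</port>
<fail_over_servers>172.16.10.80:8080</fail_over_servers>
<timeout>60</timeout>
<failoverport>8000</failoverport>
<fail_over_to_fdn>1</fail_over_to_fdn>
</update></system></forticlient_configuration>"""

ATTEMPTS_PER_PAIR = 3  # per the page, <timeout> is applied three times per pair


def _endpoints(text, default_port):
    """Split a semicolon-delimited host[:port] list (IPv4 or FQDN entries)."""
    pairs = []
    for item in filter(None, (s.strip() for s in text.split(";"))):
        host, _, port = item.partition(":")
        pairs.append((host, int(port) if port else default_port))
    return pairs


def update_plan(xml_text):
    """Summarize where a client with this <update> block would fetch updates."""
    upd = ET.fromstring(xml_text).find("./system/update")
    get = lambda tag, default: (upd.findtext(tag) or default).strip()
    port, fo_port = int(get("port", "80")), int(get("failoverport", "8000"))
    plan = []
    if get("use_custom_server", "0") == "1":
        for host, p in _endpoints(get("server", ""), port):
            plan.append((host, p))
            if fo_port > 0:  # same address retried on <failoverport>
                plan.append((host, fo_port))
        # Assumption: <fail_over_servers> entries without a port use <port>.
        plan += _endpoints(get("fail_over_servers", ""), port)
    # Decision table: no custom servers -> FDN only; else FDN only as failover.
    uses_fdn = not plan or get("fail_over_to_fdn", "1") == "1"
    legacy = get("use_legacy_fdn", "1") == "1"  # 1 = HTTP, 0 = HTTPS with cert checks
    return {
        "custom_attempts": plan,
        "uses_fdn": uses_fdn,
        "fdn_transport": ("http" if legacy else "https") if uses_fdn else None,
        # Lower bound: the page notes reachable-but-unresponsive servers take longer.
        "connect_budget_s": len(plan) * ATTEMPTS_PER_PAIR * int(get("timeout", "60")),
    }
```

Running update_plan over a deployed configuration shows at a glance whether endpoints can still fall back to plain-HTTP FDN updates and how long a client may spend on unreachable custom servers before it does.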