Fortinet white logo
Fortinet white logo

Administration Guide

Appendix E - FortiClient (Linux) CLI commands

Appendix E - FortiClient (Linux) CLI commands

FortiClient (Linux) supports an installer targeted towards the headless version of Linux server. FortiClient (Linux) 7.0.0 for servers (forticlient_server_7.0.0xxx) offers a command line interface and is intended to be used with the CLI-only (headless) installation. The same set of CLI commands also work with a FortiClient (Linux) GUI installation.

The following summarizes the CLI commands available for FortiClient (Linux) 7.0.0:

Endpoint control

FortiClient 7.0.0 must establish a Telemetry connection to EMS to receive license information. FortiClient features are only enabled after connecting to EMS.

Usage

You can access endpoint control features through the epctrl CLI command. This command offers the end user the ability to connect or disconnect from EMS and check the connection status. You can access usage information by using the following commands:

jameslee@sunshine:~$ /opt/forticlient/epctrl -h
FortiClient Endpoint Control

Usage:
  /opt/forticlient/epctrl -r|--register <address> [-p|--port ] [-s|--site]
  /opt/forticlient/epctrl -c|--cloud <invitation code>
  /opt/forticlient/epctrl -u|--unregister
  /opt/forticlient/epctrl -d|--details

Options:
  -h --help        Show the help screen
  -r --register    Register to an EMS address
  -p --port        EMS port
  -s --site        EMS site name (when EMS multitenancy is enabled)
  -c --cloud 	   Register to FortiClient Cloud using the invitation code
  -u --unregister  Unregister from the current EMS
  -d --details     Show telemetry details and status

Connecting to on-premise EMS

FortiClient can connect to on-premise EMS using the following commands. If EMS is listening on the default port, 8013, you do not need to specify the port number. If EMS is listening on another port, such as 8444, you must specify the port number with the EMS IP address. The example illustrates both use cases:

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251
Registering to EMS 172.17.60.251:8013.

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -p 8444
Registering to EMS 172.17.60.251:8444.

If EMS multitenancy is enabled, you can also specify the site name. If connecting to the default site, you do not need to provide a site name. The example illustrates connecting to a site named "headquarters".

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -s headquarters

Connecting to FortiClient Cloud

FortiClient can connect to FortiClient Cloud using the following commands. You must enter the invitation code (ABCDEF123 in the example) that you received from the FortiClient Cloud administrator:

jameslee@sunshine:~$ /opt/forticlient/epctrl -c ABCDEF123

Endpoint control status

You can check FortiClient endpoint control status details with the -d argument. When FortiClient is connected to EMS only, the command output is as follows:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
=====================================
FortiClient EMS Details
=====================================
IP: 172.17.60.251:8013
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected

If FortiClient is connected to EMS and notifying FortiGate, the endpoint control status displays the serial numbers and hostnames of the EMS and FortiGates as follows:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
===================================== 
FortiClient EMS Details
=====================================
IP: ems.fortinet.net:80
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected
===================================== 
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected

When FortiClient is not connected to EMS, the endpoint control status has no Telemetry data available as shown:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
No telemetry data available.

Disconnecting from EMS

FortiClient can disconnect from EMS only if the configuration received from EMS allows it. You can disconnect using the -u argument.

jameslee@sunshine:~$ /opt/forticlient/epctrl -u 
Unregistering from EMS.

AV scanning

You may run an AV scan from the CLI on the entire file system or on a specified directory. You can only run an AV scan as the root user. After completing an AV scan, FortiClient prints the scan results and detailed log file locations. You can run the following command to run an AV scan, where <dir> is the directory to scan. You can perform a full scan by inputting / in place of <dir>.

sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d <dir>

The following shows an AV scan performed on the /var directory:

jameslee@sunshine:/var$ sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d /var 
Signature dir : /opt/forticlient/vir_sig/
Log dir : /opt/forticlient/
Fmon on daemon mode.
Dest dir : /var
CPU number : 1
Server port : 40140
AV Engine path : /opt/forticlient/libav.so
AV Signature path : /opt/forticlient/vir_sig/vir_high:/opt/forticlient/vir_sig/vir_sandbox_sig
Load AV signature success.
<=== PID : 13821 Client Hello rc = 2185
Child : 13821 ready
===> Scan : /var/spool/anacron/cron.daily
===> Scan : /var/spool/anacron/cron.weekly
===> Scan : /var/spool/anacron/cron.monthly
===> Scan : /var/crash/_usr_bin_gedit.1001.crash
===> Scan : /var/crash/_opt_forticlient_fmon.1000.crash
===> Scan : /var/backups/apt.extended_states.1.gz
===> Scan : /var/backups/shadow.bak
===> Scan : /var/backups/dpkg.statoverride.2.gz
===> Scan : /var/backups/passwd.bak
===> Scan : /var/backups/dpkg.diversions.1.gz
===> Scan : /var/backups/apt.extended_states.0
===> Scan : /var/backups/dpkg.arch.2.gz
===> Scan : /var/backups/alternatives.tar.1.gz
===> Scan : /var/backups/dpkg.arch.0
===> Scan : /var/backups/dpkg.status.1.gz
===> Scan : /var/backups/dpkg.statoverride.0
===> Scan : /var/backups/dpkg.arch.1.gz
===> Scan : /var/backups/gshadow.bak
===> Scan : /var/backups/dpkg.diversions.2.gz
===> Scan : /var/backups/alternatives.tar.2.gz
................................
................................
................................
-------------- scan_dispatch_worker finished -------------
Scan started at Mon Apr 22 14:43:45 2019 
Found virus : EICAR_TEST_FILE 
In file : /var/eicar.com
Action : Quarantine success
Quarantine file : /opt/forticlient/quarantine/eicar.com.1
--------------- Scan summary --------------------- 
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
Scan ended at Mon Apr 22 14:44:01 2019 
Full results can be found in /opt/forticlient/Daemon - Mon Apr 22 14:43:45 2019.log

Vulnerability scanning

You can run a vulnerability scan from the CLI to check for vulnerable applications on the machine. You can only run a vulnerability scan as the root user. After completing a vulnerability scan, FortiClient prints the number of vulnerabilities present on the machine, their severity levels, and detailed log file locations. You can run a vulnerability scan by running the following command:

jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/ 
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
................................
................................
................................
[INFO] Output directory: /var/log/forticlient/vcm_log/2019-04-18 18-45-42/
--------------- Scan summary ---------------------
Critical : 7
High : 2
Medium : 7
Low : 0
--------------------------------------------------

You can patch existing vulnerabilities using FortiClient. FortiClient runs a vulnerability scan again after patching the vulnerabilities and prints the results. You can patch vulnerabilities as shown:

jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/ -p 
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
...
Patching vid 55441 
Hit:1 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:5 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [9,364 B]
Get:7 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66.7 kB]
Get:8 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
Get:9 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [222 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [7,788 B]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [35.7 kB]
Get:12 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [194 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16.4 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [92.2 kB]
Get:15 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [406 kB]
Get:16 http://ca.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,468 B]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:18 http://ca.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7,352 B]
Fetched 1,716 kB in 3s (591 kB/s)
Reading package lists... Done
[INFO] install command is: apt-get -y install --only-upgrade firefox
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
fonts-lyx
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 0 B/48.1 MB of archives.
After this operation, 7,509 kB of additional disk space will be used.
(Reading database ... 162206 files and directories currently installed.)
Preparing to unpack .../firefox_66.0.3+build1-0ubuntu0.18.04.1_amd64.deb ...
Unpacking firefox (66.0.3+build1-0ubuntu0.18.04.1) over (59.0.2+build1-0ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.1) ...
Setting up firefox (66.0.3+build1-0ubuntu0.18.04.1) ...
Installing new version of config file /etc/apparmor.d/usr.bin.firefox ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.8.3-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
[INFO] query command is: dpkg-query --show firefox
Package version found is 66.0.3+build1-0ubuntu0.18.04.1
Patching vid 55442 
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
................................
................................
................................
--------------- Scan summary ---------------------
Critical : 0
High : 0
Medium : 0
Low : 0
--------------------------------------------------

FortiClient updates

You can run a FortiClient update task from the CLI once FortiClient has connected to EMS and is licensed. The update task downloads the latest FortiClient engine and signatures. You can only run an update task as the root user. Following are the command and its output:

root@sunshine:/home/jameslee# /opt/forticlient/update 
****************Update starting*************** 
Sandbox test = 0
Sandbox host to test = (null)
log_level: 6
Enable custom fds server :80 failover port: 8000 failover to fdg: 1 allow sw update: 0
Updating FCTDATA: Update started forced update
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig [INFO] Decryption success!
[INFO] LoadFromDb [INFO] Total sig : 13163
[INFO] Signature version=1.38
Getting current FortiClient Components information
current av engine version: 6.2.126
av engine id: 06002000FVEN04100-00006.00126-9999999999
current av main sig full version: 67.1895
av main sig id: 06002000FVDB04000-00067.01895-9999999999
current av ext sig full version: 67.1892
...
...
user jameslee, type:7, session:0, pid:6913
user = jameslee
sandbox server not configured.
Updating FCTDATA: Update finished
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Downloading done ret = 0
root@sunshine:/home/jameslee#

Existing signature details

You can check details of the existing FortiClient engine and signatures by running the update task with the -d argument:

jameslee@sunshine:/home/jameslee$ /opt/forticlient/update -d 
=====================================
Engines
=====================================
AntiVirus: 6.2.00126
Vulnerability: 2.00022
=====================================
Signatures
=====================================
AntiVirus: 67.01895
AntiVirus Extended: 67.01892
Vulnerability: 1.00038
Sandbox: 3.00442

Update help

The update help option lists all options available for the update task. You can access this option as shown:

jameslee@sunshine:~$ /opt/forticlient/update -h 
FortiClient Update
Usage: 
/opt/forticlient/update
/opt/forticlient/update -d
Options: 
-h Show the help screen
-d Show engine and signature versions

VPN

You can access VPN features through the fortivpn CLI command. This command offers the end user the ability to connect to or disconnect from VPN and perform other VPN tasks.

Usage:
/opt/forticlient/fortivpn edit <my_vpn_name> /opt/forticlient/fortivpn list /opt/forticlient/fortivpn view <my_vpn_name> /opt/forticlient/fortivpn connect <my_van_name> /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password --save-password --always-up /opt/forticlient/fortivpn status /opt/forticlient/fortivpn disconnect /opt/forticlient/fortivpn remove <my_vpn_name>

Option

Description

edit <my_vpn_name>

Create or edit a VPN tunnel configuration.

list

List existing VPN tunnel configurations.

view <my_vpn_name>

View a VPN tunnel configuration's details.

connect <my_van_name>

Connect to a configured VPN tunnel. Use the --user=<username>, --password, --save-password, and --always-up options to provide the username and password, save the password, or configure the tunnel to always be up.

status

Show VPN status.

disconnect

Disconnect from VPN.

remove <my_vpn_name>

Remove the VPN tunnel configuration.

Connecting to VPN using the Linux CLI may not function correctly on Ubuntu if gnome-keyring is not configured. See the Ubuntu Manpage.

To configure gnome-keyring:
  1. Install gnome-keyring:

    sudo apt install gnome-keyring

  2. Initialize and unlock the login keyring:

    killall gnome-keyring-daemon

    echo -n “your-login-password" | gnome-keyring-daemon --unlock

Appendix E - FortiClient (Linux) CLI commands

Appendix E - FortiClient (Linux) CLI commands

FortiClient (Linux) supports an installer targeted towards the headless version of Linux server. FortiClient (Linux) 7.0.0 for servers (forticlient_server_7.0.0xxx) offers a command line interface and is intended to be used with the CLI-only (headless) installation. The same set of CLI commands also work with a FortiClient (Linux) GUI installation.

The following summarizes the CLI commands available for FortiClient (Linux) 7.0.0:

Endpoint control

FortiClient 7.0.0 must establish a Telemetry connection to EMS to receive license information. FortiClient features are only enabled after connecting to EMS.

Usage

You can access endpoint control features through the epctrl CLI command. This command offers the end user the ability to connect or disconnect from EMS and check the connection status. You can access usage information by using the following commands:

jameslee@sunshine:~$ /opt/forticlient/epctrl -h
FortiClient Endpoint Control

Usage:
  /opt/forticlient/epctrl -r|--register <address> [-p|--port ] [-s|--site]
  /opt/forticlient/epctrl -c|--cloud <invitation code>
  /opt/forticlient/epctrl -u|--unregister
  /opt/forticlient/epctrl -d|--details

Options:
  -h --help        Show the help screen
  -r --register    Register to an EMS address
  -p --port        EMS port
  -s --site        EMS site name (when EMS multitenancy is enabled)
  -c --cloud 	   Register to FortiClient Cloud using the invitation code
  -u --unregister  Unregister from the current EMS
  -d --details     Show telemetry details and status

Connecting to on-premise EMS

FortiClient can connect to on-premise EMS using the following commands. If EMS is listening on the default port, 8013, you do not need to specify the port number. If EMS is listening on another port, such as 8444, you must specify the port number with the EMS IP address. The example illustrates both use cases:

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251
Registering to EMS 172.17.60.251:8013.

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -p 8444
Registering to EMS 172.17.60.251:8444.

If EMS multitenancy is enabled, you can also specify the site name. If connecting to the default site, you do not need to provide a site name. The example illustrates connecting to a site named "headquarters".

jameslee@sunshine:~$ /opt/forticlient/epctrl -r 172.17.60.251 -s headquarters

Connecting to FortiClient Cloud

FortiClient can connect to FortiClient Cloud using the following commands. You must enter the invitation code (ABCDEF123 in the example) that you received from the FortiClient Cloud administrator:

jameslee@sunshine:~$ /opt/forticlient/epctrl -c ABCDEF123

Endpoint control status

You can check FortiClient endpoint control status details with the -d argument. When FortiClient is connected to EMS only, the command output is as follows:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
=====================================
FortiClient EMS Details
=====================================
IP: 172.17.60.251:8013
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected

If FortiClient is connected to EMS and notifying FortiGate, the endpoint control status displays the serial numbers and hostnames of the EMS and FortiGates as follows:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
===================================== 
FortiClient EMS Details
=====================================
IP: ems.fortinet.net:80
Host: DESKTOP-ID2CVUA
SN: FCTEMS3764894213
Status: Connected
===================================== 
FortiGate Details
=====================================
IP: 172.17.60.40
Host: FGVM02TM18001119
SN: FGVM02TM18001119
Status: Connected

When FortiClient is not connected to EMS, the endpoint control status has no Telemetry data available as shown:

jameslee@sunshine:~$ /opt/forticlient/epctrl -d 
No telemetry data available.

Disconnecting from EMS

FortiClient can disconnect from EMS only if the configuration received from EMS allows it. You can disconnect using the -u argument.

jameslee@sunshine:~$ /opt/forticlient/epctrl -u 
Unregistering from EMS.

AV scanning

You may run an AV scan from the CLI on the entire file system or on a specified directory. You can only run an AV scan as the root user. After completing an AV scan, FortiClient prints the scan results and detailed log file locations. You can run the following command to run an AV scan, where <dir> is the directory to scan. You can perform a full scan by inputting / in place of <dir>.

sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d <dir>

The following shows an AV scan performed on the /var directory:

jameslee@sunshine:/var$ sudo /opt/forticlient/fmon -s /opt/forticlient/vir_sig/ -o /opt/forticlient/ --unit /opt/forticlient -d /var 
Signature dir : /opt/forticlient/vir_sig/
Log dir : /opt/forticlient/
Fmon on daemon mode.
Dest dir : /var
CPU number : 1
Server port : 40140
AV Engine path : /opt/forticlient/libav.so
AV Signature path : /opt/forticlient/vir_sig/vir_high:/opt/forticlient/vir_sig/vir_sandbox_sig
Load AV signature success.
<=== PID : 13821 Client Hello rc = 2185
Child : 13821 ready
===> Scan : /var/spool/anacron/cron.daily
===> Scan : /var/spool/anacron/cron.weekly
===> Scan : /var/spool/anacron/cron.monthly
===> Scan : /var/crash/_usr_bin_gedit.1001.crash
===> Scan : /var/crash/_opt_forticlient_fmon.1000.crash
===> Scan : /var/backups/apt.extended_states.1.gz
===> Scan : /var/backups/shadow.bak
===> Scan : /var/backups/dpkg.statoverride.2.gz
===> Scan : /var/backups/passwd.bak
===> Scan : /var/backups/dpkg.diversions.1.gz
===> Scan : /var/backups/apt.extended_states.0
===> Scan : /var/backups/dpkg.arch.2.gz
===> Scan : /var/backups/alternatives.tar.1.gz
===> Scan : /var/backups/dpkg.arch.0
===> Scan : /var/backups/dpkg.status.1.gz
===> Scan : /var/backups/dpkg.statoverride.0
===> Scan : /var/backups/dpkg.arch.1.gz
===> Scan : /var/backups/gshadow.bak
===> Scan : /var/backups/dpkg.diversions.2.gz
===> Scan : /var/backups/alternatives.tar.2.gz
................................
................................
................................
-------------- scan_dispatch_worker finished -------------
Scan started at Mon Apr 22 14:43:45 2019 
Found virus : EICAR_TEST_FILE 
In file : /var/eicar.com
Action : Quarantine success
Quarantine file : /opt/forticlient/quarantine/eicar.com.1
--------------- Scan summary --------------------- 
Total scan files : 10947
Found virus : 1
Worker crash : 0
Worker timeout : 0
--------------------------------------------------
Scan ended at Mon Apr 22 14:44:01 2019 
Full results can be found in /opt/forticlient/Daemon - Mon Apr 22 14:43:45 2019.log

Vulnerability scanning

You can run a vulnerability scan from the CLI to check for vulnerable applications on the machine. You can only run a vulnerability scan as the root user. After completing a vulnerability scan, FortiClient prints the number of vulnerabilities present on the machine, their severity levels, and detailed log file locations. You can run a vulnerability scan by running the following command:

jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/ 
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
................................
................................
................................
[INFO] Output directory: /var/log/forticlient/vcm_log/2019-04-18 18-45-42/
--------------- Scan summary ---------------------
Critical : 7
High : 2
Medium : 7
Low : 0
--------------------------------------------------

You can patch existing vulnerabilities using FortiClient. FortiClient runs a vulnerability scan again after patching the vulnerabilities and prints the results. You can patch vulnerabilities as shown:

jameslee@sunshine:/home/jameslee$ sudo /opt/forticlient/vulscan -v /opt/forticlient/vcm_sig/ -c -o /var/log/forticlient/vcm_log/ -p 
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
[INFO] Engine version=2.0.0.22
[INFO] Build install list
...
Patching vid 55441 
Hit:1 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Get:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:5 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [278 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [9,364 B]
Get:7 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 48x48 Icons [66.7 kB]
Get:8 http://ca.archive.ubuntu.com/ubuntu bionic-updates/main DEP-11 64x64 Icons [123 kB]
Get:9 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [222 kB]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/main DEP-11 48x48 Icons [7,788 B]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [35.7 kB]
Get:12 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 48x48 Icons [194 kB]
Get:13 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 48x48 Icons [16.4 kB]
Get:14 http://security.ubuntu.com/ubuntu bionic-security/universe DEP-11 64x64 Icons [92.2 kB]
Get:15 http://ca.archive.ubuntu.com/ubuntu bionic-updates/universe DEP-11 64x64 Icons [406 kB]
Get:16 http://ca.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,468 B]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:18 http://ca.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [7,352 B]
Fetched 1,716 kB in 3s (591 kB/s)
Reading package lists... Done
[INFO] install command is: apt-get -y install --only-upgrade firefox
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
fonts-lyx
The following packages will be upgraded:
firefox
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 0 B/48.1 MB of archives.
After this operation, 7,509 kB of additional disk space will be used.
(Reading database ... 162206 files and directories currently installed.)
Preparing to unpack .../firefox_66.0.3+build1-0ubuntu0.18.04.1_amd64.deb ...
Unpacking firefox (66.0.3+build1-0ubuntu0.18.04.1) over (59.0.2+build1-0ubuntu1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-1ubuntu3.18.04.1) ...
Setting up firefox (66.0.3+build1-0ubuntu0.18.04.1) ...
Installing new version of config file /etc/apparmor.d/usr.bin.firefox ...
Please restart all running instances of firefox, or you will experience problems.
Processing triggers for man-db (2.8.3-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
[INFO] query command is: dpkg-query --show firefox
Package version found is 66.0.3+build1-0ubuntu0.18.04.1
Patching vid 55442 
Hit:1 http://security.ubuntu.com/ubuntu bionic-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu bionic-backports InRelease
Reading package lists... Done
................................
................................
................................
--------------- Scan summary ---------------------
Critical : 0
High : 0
Medium : 0
Low : 0
--------------------------------------------------

FortiClient updates

You can run a FortiClient update task from the CLI once FortiClient has connected to EMS and is licensed. The update task downloads the latest FortiClient engine and signatures. You can only run an update task as the root user. Following are the command and its output:

root@sunshine:/home/jameslee# /opt/forticlient/update 
****************Update starting*************** 
Sandbox test = 0
Sandbox host to test = (null)
log_level: 6
Enable custom fds server :80 failover port: 8000 failover to fdg: 1 allow sw update: 0
Updating FCTDATA: Update started forced update
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig [INFO] Decryption success!
[INFO] LoadFromDb [INFO] Total sig : 13163
[INFO] Signature version=1.38
Getting current FortiClient Components information
current av engine version: 6.2.126
av engine id: 06002000FVEN04100-00006.00126-9999999999
current av main sig full version: 67.1895
av main sig id: 06002000FVDB04000-00067.01895-9999999999
current av ext sig full version: 67.1892
...
...
user jameslee, type:7, session:0, pid:6913
user = jameslee
sandbox server not configured.
Updating FCTDATA: Update finished
[INFO] Engine version=2.0.0.22
[INFo} Distribution name is Ubuntu
[INFO] Distribution version is 18.04.1 LTS (Bionic Beaver)
[INFO] LoadVulSig
[INFO] Decryption success!
[INFO] LoadFromDb
[INFO] Total sig : 13163
[INFO] Signature version=1.38
Downloading done ret = 0
root@sunshine:/home/jameslee#

Existing signature details

You can check details of the existing FortiClient engine and signatures by running the update task with the -d argument:

jameslee@sunshine:/home/jameslee$ /opt/forticlient/update -d 
=====================================
Engines
=====================================
AntiVirus: 6.2.00126
Vulnerability: 2.00022
=====================================
Signatures
=====================================
AntiVirus: 67.01895
AntiVirus Extended: 67.01892
Vulnerability: 1.00038
Sandbox: 3.00442

Update help

The update help option lists all options available for the update task. You can access this option as shown:

jameslee@sunshine:~$ /opt/forticlient/update -h 
FortiClient Update
Usage: 
/opt/forticlient/update
/opt/forticlient/update -d
Options: 
-h Show the help screen
-d Show engine and signature versions

VPN

You can access VPN features through the fortivpn CLI command. This command offers the end user the ability to connect to or disconnect from VPN and perform other VPN tasks.

Usage:
/opt/forticlient/fortivpn edit <my_vpn_name> /opt/forticlient/fortivpn list /opt/forticlient/fortivpn view <my_vpn_name> /opt/forticlient/fortivpn connect <my_van_name> /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password /opt/forticlient/fortivpn connect <my_vpn_name> --user=<username> --password --save-password --always-up /opt/forticlient/fortivpn status /opt/forticlient/fortivpn disconnect /opt/forticlient/fortivpn remove <my_vpn_name>

Option

Description

edit <my_vpn_name>

Create or edit a VPN tunnel configuration.

list

List existing VPN tunnel configurations.

view <my_vpn_name>

View a VPN tunnel configuration's details.

connect <my_van_name>

Connect to a configured VPN tunnel. Use the --user=<username>, --password, --save-password, and --always-up options to provide the username and password, save the password, or configure the tunnel to always be up.

status

Show VPN status.

disconnect

Disconnect from VPN.

remove <my_vpn_name>

Remove the VPN tunnel configuration.

Connecting to VPN using the Linux CLI may not function correctly on Ubuntu if gnome-keyring is not configured. See the Ubuntu Manpage.

To configure gnome-keyring:
  1. Install gnome-keyring:

    sudo apt install gnome-keyring

  2. Initialize and unlock the login keyring:

    killall gnome-keyring-daemon

    echo -n “your-login-password" | gnome-keyring-daemon --unlock