System Settings
The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager.
Some options are only available when Advanced view is enabled.
| Configuration | Description |
|---|---|
| UI | Specify how the FortiClient user interface appears when installed on endpoints. |
| | Turn on password lock for FortiClient. |
| Password | Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS. |
| Do Not Allow User to Back Up Configuration | Disallow users from backing up the FortiClient configuration. |
| Allow User to Shutdown When Registered to EMS | Allows the user to shut down FortiClient while registered to EMS. This feature is only available for FortiClient (Windows) endpoints. |
| Hide User Information | Hide the User Details panel, where the user can provide user details (avatar, name, phone number, email address) and link to a social media (LinkedIn, Google, Salesforce) account. |
| Hide System Tray Icon | Hide the FortiClient system tray icon. |
| Show Host Tag on FortiClient GUI | Show the applied host tag on the FortiClient GUI. See Zero Trust Tags. |
| Language | Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following: |
| Log | Specify FortiClient log settings. |
| Level | This option is available for Chromebook profiles. Generates logs equal to and more critical than the selected level. Select one of the following: |
| Features | Select features to generate logs for: |
| Client-Based Logging When On-Fabric | Include local log messages when FortiClient is on-fabric. FortiClient hides the Export log and Clear log options from the GUI when the endpoint is off-fabric. FortiClient still sends logs to FortiAnalyzer, if one is configured. If the FortiAnalyzer is unreachable because the endpoint is off-fabric, FortiClient retains the logs until it can reach FortiAnalyzer and forward the logs. See On-fabric Detection Rules. |
| Upload Logs to FortiAnalyzer/FortiManager | This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname. The Upload UTM Logs, Upload System Event, and Upload Security Event fields only apply to FortiClient 6.4.3 and later versions. The Upload Vulnerability Logs and Upload Event Logs fields only apply to FortiClient 6.4.2 and earlier versions. |
| Upload UTM Logs | Upload unified threat management (traffic) logs to FortiAnalyzer or FortiManager. |
| Upload System Event | Upload system events to FortiAnalyzer or FortiManager. This includes logs for endpoint control, update, and FortiClient events. |
| Upload Security Event | Upload security events to FortiAnalyzer or FortiManager. This includes logs for Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events. |
| Upload Vulnerability Logs | Upload vulnerability logs to FortiAnalyzer or FortiManager. |
| Upload Event Logs | Upload event logs to FortiAnalyzer or FortiManager. |
| Send Software Inventory | EMS sends FortiClient software inventory to FortiAnalyzer or FortiManager. This feature requires the EPP license. See FortiClient EMS. |
| Send OS Events | EMS sends endpoint host events to FortiAnalyzer or FortiManager. EMS supports this feature for Windows and macOS endpoints. For macOS endpoints, OS event logs are stored at |
| Event telemetry interval | Enter the interval in seconds for FortiClient to upload OS events to FortiAnalyzer or FortiManager. |
| IP Address/Hostname | Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging. If using a port other than the default, use `<address>:<port>`. For FortiAnalyzer Cloud, you must enter an FQDN. You cannot enter an IP address. See the FortiAnalyzer Cloud documentation. |
| SSL Enabled | Enable SSL. |
| Upload Schedule | Configure the interval in minutes for FortiClient to upload logs to FortiAnalyzer or FortiManager. If there are no logs, no upload takes place. |
| Log Generation Timeout | Configure the maximum time in seconds for FortiClient to gather logs before sending them to FortiAnalyzer or FortiManager. |
| Log Retention | Configure the amount of time in days that logs are kept locally on the endpoint before starting to rewrite them. |
| Proxy | |
| Use Proxy for Updates | Access FortiGuard using the configured proxy. |
| Connect to FDN Directly If Proxy Is Offline | Connect to FDN directly if proxy is offline. |
| Use Proxy for Virus Submission | Use the configured proxy to submit viruses to FortiGuard. |
| Type | Configure the type. Options include: |
| IP Address/Hostname | Enter the proxy server's IP address/hostname. |
| Port | Enter the proxy server's port number. The port range is from 1 to 65535. |
| Username | If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username. |
| Password | If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted password. Enable Show Password to show the password in plain text. |
| Update | Specify whether to use FortiManager to update FortiClient on endpoints. |
| Use FortiManager for Client Signature Update | Enable FortiClient EMS to obtain AV signatures from the FortiManager at the specified IP address or hostname. |
| IP Address/Hostname | Enter the FortiManager IP address/hostname. |
| Port | Enter the port number. |
| Failover Port | Enter the failover port. |
| Timeout | Enter the timeout interval. |
| Failover to FDN When FortiManager Is Not Available | Fail over to FDN when FortiManager is unavailable. |
| FortiGuard Server Location | Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates. The URLs connected to for each server location are as follows: |
| Server | Configure the FortiGuard server to FortiGuard or FortiGuard Anycast. |
| FortiProxy | Enable FortiProxy (disable only when troubleshooting). You must enable FortiProxy to use Web Filter and some AV options. |
| HTTPS Proxy | Enable HTTPS proxy. If disabled, FortiProxy no longer inspects HTTPS traffic. |
| HTTP Timeout | Enter the HTTP connection timeout interval in seconds. FortiProxy determines if the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response. |
| POP3 Client Comforting | Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time. |
| POP3 Server Comforting | Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. You may use this in a situation where FortiClient is installed on a mail server. |
| SMTP Client Comforting | Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time. |
| Self Test | Enable self tests. FortiProxy periodically checks its own connectivity to determine if it is able to proxy other applications' traffic. FortiProxy can detect if other software is disrupting internal traffic between FortiProxy's internal modules. It does this by periodically sending packets to 1.1.1.1, which FortiClient intercepts and drops (they never leave the computer). If the packets are not detected, it is deemed highly likely that third-party software is intercepting them, signaling that FortiProxy cannot perform regular traffic filtering. |
| Notify | Display a bubble notification when self-testing detects that a third-party program has blocked HTTP/HTTPS filtering and SMTP/POP3 AV scanning. |
| Last Port | Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use this to prevent FortiProxy from binding to a port that another service normally uses. The available port range is 65535 to 10000. |
| Endpoint Control | |
| Show Bubble Notifications | Show bubble notifications when FortiClient installs new policies on endpoints. |
| Log off When User Logs Out of Windows | Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in. |
| Disable Disconnect | Forbid users from disconnecting FortiClient from FortiClient EMS. |
| On-Fabric Subnets | Turn on to enable on-fabric subnets. FortiClient determines on-/off-fabric status as described in Determining on-fabric/off-fabric status. This option only applies to endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-fabric Detection Rules. |
| IP Addresses/Subnet Masks | Enter IP addresses/subnet masks to connect to on-fabric subnets. |
| | Enable gateway MAC address. |
| MAC Addresses | Enter MAC addresses. |
| Send Software Inventory | Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory. This feature requires the EPP license. See FortiClient EMS. |
| Invalid Certificate Action | Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate: |
| User Identity Settings | |
| Allow Users to Specify Identity Using | Enable users to specify their identity in FortiClient using the following methods: By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead. If this option is disabled, EMS obtains and displays user details from the endpoint OS. |
| Notify Users to Submit User Identity Information | Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information. |
| Zero Trust Network Access (ZTNA) Settings | |
| Use ZTNA | Enable ZTNA. When ZTNA is enabled, FortiClient can create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable. For TCP forwarding to non-web-based applications, the endpoint user can define ZTNA connection rules in the FortiClient console. |
| Other | |
| Install CA Certificate on Client | Turn on to select and install a CA certificate on the FortiClient endpoint. You can add certificates by going to Endpoint Policy & Components > CA Certificates. |
| FortiClient Single Sign-On Mobility Agent | Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature, you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator. |
| IP Address/Hostname | Enter the FortiAuthenticator IP address or hostname. |
| Port | Enter the port number. |
| Pre-Shared Key | Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator. |
| iOS | |
| Distribute Configuration Profile | Enable and browse for your |
| Privacy | |
| Send Usage Statistics to Fortinet | Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience. |
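
The rules given for the log upload IP Address/Hostname field (the Chromebook URL format, `<address>:<port>` for a non-default port, and FQDN-only for FortiAnalyzer Cloud) can be checked before a profile is pushed, so that a typo does not leave endpoints without a working log destination. The following is an added example, not Fortinet code: the function name, its flags and the sample addresses are assumptions, and the Chromebook port is treated as required, which is a strict reading of the format above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_fqdn(host):
    labels = host.rstrip(".").split(".")
    # At least two labels, and a last label that is not purely numeric.
    return (len(labels) >= 2 and not labels[-1].isdigit()
            and all(LABEL.match(label) for label in labels))

def check_log_destination(value, chromebook=False, faz_cloud=False):
    """Return a list of problems with an IP Address/Hostname value (empty = OK)."""
    problems = []
    if chromebook:
        url = urlsplit(value)
        host = url.hostname or ""
        try:
            port = url.port
        except ValueError:           # non-numeric port or above 65535
            port = None
        if url.scheme != "https" or url.path != "/logging":
            problems.append("Chromebook profiles need https://FAZ-IP:port/logging")
        if port is None or port == 0:
            problems.append("port missing or outside 1-65535")
    else:
        if "/" in value:
            problems.append("use a bare address or <address>:<port>, not a URL")
        host, sep, port_text = value.rpartition(":")
        if not sep or is_ip(value):  # no port given (or a bare IPv6 literal)
            host, port_text = value, ""
        if port_text and not (port_text.isdigit() and 1 <= int(port_text) <= 65535):
            problems.append("port outside 1-65535")
    if not (is_ip(host) or is_fqdn(host) or LABEL.match(host)):
        problems.append("address is not an IP address or hostname")
    if faz_cloud and not is_fqdn(host):
        problems.append("FortiAnalyzer Cloud requires an FQDN, not an IP address")
    return problems
```

An empty list means the value passes all three rules. The addresses used to exercise it (192.0.2.10, faz.example.com) are constructed documentation values.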