
EMS Administration Guide


System Settings

The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager.

Some options are only available when Advanced view is enabled.

Configuration

Description

UI

Specify how the FortiClient user interface appears when installed on endpoints.

Require Password to Disconnect from EMS

Turn on password lock for FortiClient.

Password

Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.

Allow endpoint admin to disconnect without a password

This setting is only available if you enable System Setting > UI > Require Password to Disconnect from EMS and provide a password. It allows the FortiClient endpoint administrator to uninstall FortiClient from the msiexec command line without entering the configured EMS disconnection password. This is especially useful when a mobile device management solution deploys FortiClient. The protection rests on endpoint users not holding administrative privileges: a user without administrative rights cannot run the msiexec uninstall, so there is no risk that an endpoint user intentionally or accidentally uninstalls FortiClient this way.

Do Not Allow User to Back Up Configuration

Disallow users from backing up the FortiClient configuration.

Allow User to Shutdown When Registered to EMS

Allows user to shut down FortiClient while registered to EMS. This feature is only available for FortiClient (Windows).

Hide User Information

Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address), and link to a social media (LinkedIn, Google, Salesforce) account.

Hide System Tray Icon

Hide the FortiClient system tray icon.

Show Host Tag on FortiClient GUI

Show the applied host tag on the FortiClient GUI. See Zero Trust Tags.

Language

Configure the language that FortiClient uses. By default, FortiClient uses the system operating language. Select one of the following:

  • os-default (System operating language, selected by default)
  • zh-tw (Taiwanese Mandarin)
  • cs-cz (Czech)
  • de-de (German)
  • en-us (United States English)
  • fr-fr (French)
  • hu-hu (Hungarian)
  • ru-ru (Russian)
  • ja-jp (Japanese)
  • ko-kr (Korean)
  • pt-br (Brazilian Portuguese)
  • sk-sk (Slovak)
  • es-es (Spanish)
  • zh-cn (Chinese (Simplified))
  • et-ee (Estonian)
  • lv-lv (Latvian)
  • lt-lt (Lithuanian)
  • fi-fi (Finnish)
  • sv-se (Swedish)
  • da-dk (Danish)
  • pl-pl (Polish)
  • nb-no (Norwegian)
  • fr-ca (Canadian French)

Default Tab

From the dropdown list, select the tab for FortiClient to display by default when the user opens the console.

Log

Specify FortiClient log settings.

Level

This option is available for Chromebook profiles. FortiClient generates logs at the selected level and at every more critical level. Select one of the following:

  • Emergency: The system becomes unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An error condition exists and may affect functionality.
  • Warning: Functionality could be affected.
  • Notice: Information about normal events.
  • Info: General information about system operations.
  • Debug: Debug FortiClient. Detailed debug logs for the selected features are generated on the endpoint. You can request the creation and download of the diagnostic tool output, which includes these logs.

Features

Select features to generate logs for:

  • AntiVirus
  • Application Firewall
  • Telemetry
  • FSSOMA
  • Proxy
  • IPsec VPN
  • AntiExploit
  • SSL VPN
  • Update
  • Vulnerability
  • Web Filter
  • Sandbox
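The Level and Features settings above act as a two-part filter: a record is kept only if its feature is selected and its severity is at least as critical as the chosen level. The following is an added example that mimics that filter in Python; it is not FortiClient code, the level ordering is the standard syslog ordering the list above follows, and the sample records are constructed for illustration.

```python
"""Severity/feature filter mirroring the Log > Level and Log > Features settings.

Added example, not FortiClient code. Level names and their ordering are the
syslog severities listed in the guide; the sample records are constructed.
"""
from typing import Iterable, List, Set

# Lower number = more critical, as in syslog. Selecting "warning" therefore
# keeps emergency..warning and drops notice, info and debug.
LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def selected_levels(level: str) -> Set[str]:
    """Levels captured when `level` is selected: itself and everything more critical."""
    threshold = LEVELS[level.lower()]
    return {name for name, sev in LEVELS.items() if sev <= threshold}


def filter_records(records: Iterable[dict], level: str, features: Iterable[str]) -> List[dict]:
    """Keep records whose feature is selected and whose severity meets the threshold."""
    keep = selected_levels(level)
    wanted = {f.lower() for f in features}
    return [
        r for r in records
        if r["level"].lower() in keep and r["feature"].lower() in wanted
    ]


# Constructed sample records (not real FortiClient output).
SAMPLE = [
    {"feature": "AntiVirus",  "level": "warning", "msg": "signature database is 3 days old"},
    {"feature": "AntiVirus",  "level": "debug",   "msg": "scanned 1200 files"},
    {"feature": "SSL VPN",    "level": "error",   "msg": "tunnel negotiation failed"},
    {"feature": "Telemetry",  "level": "info",    "msg": "heartbeat sent"},
    {"feature": "Web Filter", "level": "alert",   "msg": "blocked category: malware"},
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE, "warning", ["AntiVirus", "SSL VPN", "Web Filter"]):
        print(f'{rec["level"]:<9} {rec["feature"]:<11} {rec["msg"]}')
```

Note the direction of the threshold: Debug is the least critical level, so selecting it captures everything for the chosen features, while Emergency captures almost nothing. When you need detailed logs from one feature for a diagnostic tool run, narrow the Features selection rather than raising the level.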

Client-Based Logging When On-Fabric

Include local log messages when FortiClient is on-fabric. FortiClient hides the Export log and Clear log options from the GUI when the endpoint is off-fabric. FortiClient still sends logs to FortiAnalyzer, if one is configured. If FortiAnalyzer is unreachable because the endpoint is off-fabric, FortiClient retains the logs until it can reach FortiAnalyzer and forward them. See On-fabric Detection Rules.

Upload Logs to FortiAnalyzer/FortiManager

This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname.

The Upload UTM Logs, Upload System Event, and Upload Security Event fields only apply to FortiClient 6.4.3 and later versions.

The Upload Vulnerability Logs and Upload Event Logs fields only apply to FortiClient 6.4.2 and earlier versions.

Upload UTM Logs

Upload unified threat management (traffic) logs to FortiAnalyzer or FortiManager.

Upload System Event

Upload system events to FortiAnalyzer or FortiManager. This includes logs for endpoint control, update, and FortiClient events.

Upload Security Event

Upload security events to FortiAnalyzer or FortiManager. This includes logs for Malware Protection, Web Filter, Vulnerability Scan, and Application Firewall events.

Upload Vulnerability Logs

Upload vulnerability logs to FortiAnalyzer or FortiManager.

Upload Event Logs

Upload event logs to FortiAnalyzer or FortiManager.

Send Software Inventory

EMS sends FortiClient software inventory to FortiAnalyzer or FortiManager.

This feature requires the EPP license. See FortiClient EMS.

Send OS Events

EMS sends endpoint host events to FortiAnalyzer or FortiManager. EMS supports this feature for Windows and macOS endpoints. For Windows endpoints, FortiClient sends all events found in Windows Event Viewer under the System, Security, and Application logs, including user logon and logoff. For macOS endpoints, OS event logs are read from /var/log/system.log. For details on which events are sent to FortiAnalyzer or FortiManager, see the FortiAnalyzer documentation, such as Windows Events logs or Threat Hunting.

Event telemetry interval

Enter the interval in seconds for FortiClient to upload OS events to FortiAnalyzer or FortiManager.

IP Address/Hostname

Enter the FortiAnalyzer IP address or hostname/FQDN. With Chromebook profiles, use the format https://FAZ-IP:port/logging.

If using a port other than the default, use <address>:<port>.

For FortiAnalyzer Cloud, you must enter an FQDN. You cannot enter an IP address. For FortiAnalyzer Cloud, the FQDN is the URL that you use to access the FortiAnalyzer Cloud instance. For example, the FQDN may be 1208151.ca-west-1.fortianalyzer.forticloud.com. You may also need to configure the server name indication. See Log settings.
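The address field above follows a few rules worth checking before a profile is pushed to many endpoints: an optional `<address>:<port>` suffix, a port within 1 to 65535, an FQDN rather than an IP for FortiAnalyzer Cloud, and the `https://FAZ-IP:port/logging` URL form for Chromebook profiles. The following is an added Python validator that applies those rules; it is not FortiClient EMS code. The bracketed IPv6 handling and the hostname syntax check are assumptions about acceptable input, and the product default port is deliberately left unset (`port=None`) because the guide does not state it.

```python
"""Validate the Upload Logs > IP Address/Hostname field.

Added example, not FortiClient EMS code. Rules applied: optional
<address>:<port> suffix, port 1..65535, FortiAnalyzer Cloud requires an
FQDN (not an IP), Chromebook profiles use https://FAZ-IP:port/logging.
Assumptions: bracketed IPv6 ('[2001:db8::1]:514') is accepted; a missing
port is returned as None so the caller applies the product default.
"""
import ipaddress
import re
from typing import Optional, Tuple

# RFC 1123 style hostname: dot-separated labels of letters, digits, hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def parse_target(value: str) -> Tuple[str, Optional[int], bool]:
    """Split 'address[:port]' into (host, port, is_ip). Raises ValueError on bad input."""
    value = value.strip()
    host, port = value, None
    if value.startswith("["):                       # [v6]:port
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 bracket")
        host, rest = value[1:end], value[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("unexpected text after IPv6 address")
            port = int(rest[1:])
    elif value.count(":") == 1:                     # hostname:port or v4:port
        host, port_text = value.split(":")
        port = int(port_text)                       # ValueError if empty/non-numeric
    # otherwise: bare hostname/IPv4, or unbracketed IPv6 (no port)

    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
        if not _HOSTNAME.match(host):
            raise ValueError(f"not a valid hostname: {host!r}")
    return host, port, is_ip


def validate_faz_target(value: str, cloud: bool = False) -> dict:
    """Apply the FortiAnalyzer Cloud rule on top of parse_target()."""
    host, port, is_ip = parse_target(value)
    if cloud and is_ip:
        raise ValueError("FortiAnalyzer Cloud requires an FQDN, not an IP address")
    return {"host": host, "port": port, "is_ip": is_ip}


def chromebook_logging_url(host: str, port: int) -> str:
    """Build the URL form Chromebook profiles expect."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if ":" in host and not host.startswith("["):    # bare IPv6 literal
        host = f"[{host}]"
    return f"https://{host}:{port}/logging"


if __name__ == "__main__":
    print(validate_faz_target("1208151.ca-west-1.fortianalyzer.forticloud.com", cloud=True))
    print(chromebook_logging_url("10.0.0.5", 514))
```

A rejected value here is cheap to fix; the same typo in a deployed profile silently leaves every endpoint retaining logs locally until the address is corrected.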

SSL Enabled

Enable SSL so that log uploads to FortiAnalyzer or FortiManager are encrypted in transit.

Upload Schedule

Configure the interval in minutes for FortiClient to upload logs to FortiAnalyzer or FortiManager. If there are no logs, no upload takes place.

Log Generation Timeout

Configure the maximum time in seconds for FortiClient to gather logs before sending them to FortiAnalyzer or FortiManager.

Log Retention

Configure the number of days that logs are kept locally on the endpoint before FortiClient begins overwriting them.

Proxy

Use Proxy for Updates

Access FortiGuard using the configured proxy. FortiClient (macOS) does not support signature update via proxy.

Connect to FDN Directly If Proxy Is Offline

Connect to FDN directly if proxy is offline.

Use Proxy for Virus Submission

Use the configured proxy to submit viruses to FortiGuard.

Type

Configure the type. Options include:

  • http
  • socks4
  • socks5

IP Address/Hostname

Enter the proxy server's IP address/hostname.

Port

Enter the proxy server's port number. The port range is from 1 to 65535.

Username

If the proxy requires authentication, enter the username. The username may be entered in encrypted or non-encrypted form.

Password

If the proxy requires authentication, enter the password. The password may be entered in encrypted or non-encrypted form. Enable Show Password to show the password in plain text.

Update

Specify whether to use FortiManager to update FortiClient on endpoints.

Use FortiManager for Client Signature Update

Enable FortiClient to obtain antivirus (AV) signatures from the FortiManager at the specified IP address or hostname instead of directly from FortiGuard.

IP Address/Hostname

Enter the FortiManager IP address/hostname.

Port

Enter the port number.

Failover Port

Enter the failover port.

Timeout

Enter the timeout interval.

Failover to FDN When FortiManager Is Not Available

Fail over to FDN when FortiManager is not available.

FortiGuard Server Location

Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.

FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates.

The URLs connected to for each server location are as follows:

  • FortiGuard:

    • Global: forticlient.fortinet.net

    • U.S.: usforticlient.fortinet.net

  • FortiGuard Anycast:

    • Global: fctupdate.fortinet.net

    • U.S.: fctusupdate.fortinet.net

    • Europe: fcteuupdate.fortinet.net

Server

Configure the FortiGuard server to FortiGuard or FortiGuard Anycast.

Endpoint Control

Show Bubble Notifications

Show bubble notifications when FortiClient installs new policies on endpoints.

Log off When User Logs Out of Windows

Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.

Disable Disconnect

Forbid users from disconnecting FortiClient from FortiClient EMS.

On-Fabric Subnets

Turn on to enable on-fabric subnets.

This option only applies for endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.2 and later versions, see On-fabric Detection Rules.

IP Addresses/Subnet Masks

Enter the IP addresses and subnet masks that define the on-fabric subnets. An endpoint with an address in one of these subnets is considered on-fabric.

Gateway MAC Address

Turn on to also check the MAC address of the endpoint's gateway when determining on-fabric status.

MAC Addresses

Enter the gateway MAC addresses that identify the on-fabric network.
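The On-Fabric Subnets, Gateway MAC Address and MAC Addresses settings above combine into one decision: is this endpoint on-fabric? The following is an added Python example of that decision logic; it is not FortiClient code. It assumes that subnets may be written in CIDR or ip/mask form, that MAC addresses may arrive in any common notation, and that when Gateway MAC Address is enabled both the subnet match and the gateway MAC match are required. The endpoint snapshots are constructed.

```python
"""Evaluate the legacy On-Fabric Subnets check (FortiClient 6.2.1 and earlier).

Added example, not FortiClient code. Assumptions: subnets are given as
'10.10.0.0/16' or '10.10.0.0/255.255.0.0' (a bare address means /32);
MAC addresses may use colons, dashes or dotted-quad notation; when
gateway MAC checking is enabled the endpoint must match a subnet AND
present one of the listed gateway MACs.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def parse_subnet(text: str):
    """Return an ip_network for CIDR, ip/mask, or a bare host address."""
    text = text.strip()
    if "/" not in text:
        return ipaddress.ip_network(f"{text}/32")
    return ipaddress.ip_network(text, strict=False)   # tolerate host bits set


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff'; accepts AA-BB-..., aabb.ccdd.eeff, etc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_on_fabric(endpoint_ips: Iterable[str], gateway_mac: Optional[str],
                 subnets: List[str], gateway_macs: Optional[List[str]] = None) -> bool:
    """gateway_macs=None models Gateway MAC Address being turned off."""
    nets = [parse_subnet(s) for s in subnets]
    # Mixed IPv4/IPv6 comparisons simply return False in ipaddress.
    in_subnet = any(ipaddress.ip_address(ip) in n for ip in endpoint_ips for n in nets)
    if not in_subnet:
        return False
    if gateway_macs is None:
        return True
    if gateway_mac is None:          # gateway unknown: cannot satisfy the MAC check
        return False
    allowed = {normalize_mac(m) for m in gateway_macs}
    return normalize_mac(gateway_mac) in allowed


if __name__ == "__main__":
    # Constructed endpoint snapshots, not real FortiClient telemetry.
    subnets = ["10.10.0.0/16", "192.168.50.0/255.255.255.0"]
    macs = ["00:1a:2b:3c:4d:5e"]
    print(is_on_fabric(["10.10.4.20"], "00-1A-2B-3C-4D-5E", subnets, macs))
    print(is_on_fabric(["10.10.4.20"], "00-1A-2B-3C-4D-5F", subnets, macs))
```

The gateway MAC check exists because private address ranges are reused everywhere: an endpoint on a home or hotel network can easily land in 10.10.0.0/16 and would look on-fabric on the subnet test alone. Treat the subnet list as a weak signal and the gateway MAC as the stronger one, and on FortiClient 6.2.2 and later use On-fabric Detection Rules, which offer more signals.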

Send Software Inventory

Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory.

This feature requires the EPP license. See FortiClient EMS.

Invalid Certificate Action

Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

  • Allow: allows FortiClient to connect to EMS with an invalid certificate.
  • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
  • Deny: block FortiClient from connecting to EMS with an invalid certificate.

Enable Forensics Feature

Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS. See Requesting forensic analysis on an endpoint.

User Identity Settings

Allow Users to Specify Identity Using

Enable users to specify their identity in FortiClient using the following methods:

  • Manually entering their details in FortiClient
  • Logging in to their account for the following social media services:
    • LinkedIn
    • Google
    • Salesforce

By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead.

If this option is disabled, EMS obtains and displays user details from the endpoint OS.

Notify Users to Submit User Identity Information

Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.

Other

Install CA Certificate on Client

Turn on to select and install a CA certificate on the FortiClient endpoint.

You can add certificates by going to Endpoint Policy & Components > CA Certificates.

FortiClient Single Sign-On Mobility Agent

Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator.

IP Address/Hostname

Enter the FortiAuthenticator IP address or hostname.

Port

Enter the port number.

Pre-Shared Key

Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.

iOS

Distribute Configuration Profile

Enable and browse for your .mobileconfig file to distribute the configuration profile.

Privacy

Send Usage Statistics to Fortinet

Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.

Privilege Access Management

Enable privilege access management (PAM). This enables FortiClient to communicate with FortiPAM.

Port

Enter the port for FortiClient to use to communicate with FortiPAM. The default port for this communication is 9191. If you change this value, ensure that you also change it in FortiPAM.