Document
Library

Administration Guide

Introduction
- FortiClient, FortiClient EMS, and FortiGate
- Fortinet product support for FortiClient
- FortiClient standalone and licensed version feature comparison
- Endpoint communication security
  - Recommended upgrade path
Getting started
- Getting started with FortiClient
- EMS and endpoint profiles
- Telemetry connection options
- EMS and automatic upgrade of FortiClient
Provisioning preparation
- Installation requirements
- Licensing
- Required services and ports
- Firmware images and tools
- Obtaining FortiClient installation files
Provisioning
- Manually installing FortiClient on computers
- Centralized FortiClient deployment
  - FortiClient EMS
  - Deploying FortiClient using Microsoft AD servers
    - Deploying FortiClient with Microsoft AD
    - Uninstalling FortiClient with Microsoft AD
- Uninstalling FortiClient
- Upgrading FortiClient
- Verifying ports and services and connection between EMS and FortiClient
User details
- Viewing user details
- Retrieving user details from cloud applications
- Adding your phone number and email address manually
- Specifying the user avatar manually
- User Profile notification
Zero Trust Telemetry
- FortiClient Telemetry
- Compliance with EMS and FortiOS
- On-/off-fabric status with EMS
  - Logging to FortiAnalyzer
- Quarantined endpoints
Remote Access
- Configuring VPN connections
  - Configuring an SSL VPN connection
  - Configuring an IPsec VPN connection
- Connecting VPNs
- SAML support for SSL VPN
- Advanced features (Windows)
- Advanced features (macOS)
  - Creating redundant IPsec VPNs
  - Creating priority-based SSL VPN connections
- VPN tunnel and script
  - Windows
  - macOS
- Internal resource lookup with IPv6 enabled on NIC interface
- Standalone VPN client
ZTNA Destination
Malware Protection
- Antivirus
- Cloud Based Malware Protection
- AntiExploit
  - Viewing detected exploit attempts
  - Evaluating the anti-exploit detection feature
- Removable media access
- Antiransomware
- Quarantined files
  - Viewing quarantined files
  - Submitting quarantined files for scanning
Sandbox Detection
- Scanning with FortiSandbox on-demand
- Viewing FortiSandbox scan results
- Using the popup window
Web & Video Filter
- Web browser plugin for HTTPS web filtering
- Viewing violations
- Troubleshooting Web Filter
Application Firewall
Vulnerability Scan
- Scanning on-demand
- Automatically fixing detected vulnerabilities
- Reviewing detected vulnerabilities before fixing
- Manually fixing detected vulnerabilities
- Viewing details about vulnerabilities
- Viewing vulnerability scan history
Notifications
Settings
- System
- Logging
  - Sending logs and Windows host events to FortiAnalyzer or FortiManager
  - Exporting the log file
- VPN options
- Advanced options
- FortiPAM agent client executable integrity check
- FortiTray
Diagnostic Tool
Forensic analysis
Appendix A - API
- Overview
- API reference
Appendix B - Vulnerability patches
Appendix C - Processes
- FortiClient (Windows) processes
- FortiClient (macOS) processes
Appendix D - CLI commands
- FortiClient (Windows) CLI commands
- FortiClient (macOS) CLI commands
- FortiClient (Linux) CLI commands
Appendix E - VPN autoconnect
- Configuring autoconnect with username and password authentication
- Configuring autoconnect with certificate authentication
Appendix F - SSL VPN prelogon
- SSL VPN prelogon using AD machine certificate
- FortiGate authentication configuration
- FortiGate SSL VPN configuration
- Enabling VPN prelogon in EMS
- Enabling automatic VPN prelogon in EMS
  - Configuring VPN to automatically connect before logon
  - Verifying and troubleshooting
- Troubleshooting the prelogon SSL VPN connection

Home FortiClient 7.2.4 Administration Guide

7.2.4

Connecting VPNs before logging on (AD environments)

Connecting VPNs before logging on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN connects first, then logs on to Active Directory (AD)/domain.

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_vpn_before_logon>1</show_vpn_before_logon>
        <use_windows_credentials>1</use_windows_credentials>
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            <auth_data>
              <certificate>
                <common_name>
                  <match_type>
                    <![CDATA[wildcard]]>
                  </match_type>
                  <pattern>
                    <![CDATA[*]]>
                  </pattern>
                </common_name>
                <issuer>
                  <match_type>
                    <![CDATA[simple]]>
                  </match_type>
                  <pattern>
                    <![CDATA[Certificate  Authority]]>
                  </pattern>
                </issuer>
              </certificate>
            </auth_data>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced but incomplete XML configuration fragment. It includes all closing tags but omits some important elements to complete the IPsec VPN configuration.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response-based. The VPN connects to the FortiGate which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority-based. Priority-based configurations try to connect to the FortiGate starting with the first in the list.

Previous

Next

Connecting VPNs before logging on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN connects first, then logs on to Active Directory (AD)/domain.

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_vpn_before_logon>1</show_vpn_before_logon>
        <use_windows_credentials>1</use_windows_credentials>
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            <auth_data>
              <certificate>
                <common_name>
                  <match_type>
                    <![CDATA[wildcard]]>
                  </match_type>
                  <pattern>
                    <![CDATA[*]]>
                  </pattern>
                </common_name>
                <issuer>
                  <match_type>
                    <![CDATA[simple]]>
                  </match_type>
                  <pattern>
                    <![CDATA[Certificate  Authority]]>
                  </pattern>
                </issuer>
              </certificate>
            </auth_data>
            ...
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced but incomplete XML configuration fragment. It includes all closing tags but omits some important elements to complete the IPsec VPN configuration.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response-based. The VPN connects to the FortiGate which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod =0 and the IPsec VPN connection is priority-based. Priority-based configurations try to connect to the FortiGate starting with the first in the list.

Previous

Next