Administration Guide

Introduction
- FortiClient, FortiClient EMS, and FortiGate
- Fortinet product support for FortiClient
- FortiClient standalone and licensed version feature comparison
- Endpoint communication security
  - Recommended upgrade path
Getting started
- Getting started with FortiClient
- EMS and endpoint profiles
- Telemetry connection options
- EMS and automatic upgrade of FortiClient
Provisioning preparation
- Installation requirements
- Licensing
- Required services and ports
- Firmware images and tools
- Obtaining FortiClient installation files
Provisioning
- Manually installing FortiClient on computers
- Centralized FortiClient deployment
  - FortiClient EMS
  - Deploying FortiClient using Microsoft AD servers
    - Deploying FortiClient with Microsoft AD
    - Uninstalling FortiClient with Microsoft AD
- Uninstalling FortiClient
- Upgrading FortiClient
- Verifying ports and services and connection between EMS and FortiClient
User details
- Viewing user details
- Retrieving user details from cloud applications
- Adding your phone number and email address manually
- Specifying the user avatar manually
- User Profile notification
Zero Trust Telemetry
- FortiClient Telemetry
- Compliance with EMS and FortiOS
- On-/off-fabric status with EMS
  - Logging to FortiAnalyzer
- Quarantined endpoints
Remote Access
- Configuring VPN connections
  - Configuring an SSL VPN connection
  - Configuring an IPsec VPN connection
- Connecting VPNs
- SAML support for SSL VPN
- Advanced features (Windows)
- Advanced features (macOS)
  - Creating redundant IPsec VPNs
  - Creating priority-based SSL VPN connections
- VPN tunnel and script
  - Windows
  - macOS
- Internal resource lookup with IPv6 enabled on NIC interface
- Standalone VPN client
ZTNA Destination
Malware Protection
- Antivirus
- Cloud Based Malware Protection
- AntiExploit
  - Viewing detected exploit attempts
  - Evaluating the anti-exploit detection feature
- Removable media access
- Antiransomware
- Quarantined files
  - Viewing quarantined files
  - Submitting quarantined files for scanning
Sandbox Detection
- Scanning with FortiSandbox on-demand
- Viewing FortiSandbox scan results
- Using the popup window
Web & Video Filter
- Web browser plugin for HTTPS web filtering
- Viewing violations
- Troubleshooting Web Filter
Application Firewall
Vulnerability Scan
- Scanning on-demand
- Automatically fixing detected vulnerabilities
- Reviewing detected vulnerabilities before fixing
- Manually fixing detected vulnerabilities
- Viewing details about vulnerabilities
- Viewing vulnerability scan history
Notifications
Settings
- System
- Logging
  - Sending logs and Windows host events to FortiAnalyzer or FortiManager
  - Exporting the log file
- VPN options
- Advanced options
- FortiPAM agent client executable integrity check
- FortiTray
Diagnostic Tool
Forensic analysis
Appendix A - API
- Overview
- API reference
Appendix B - Vulnerability patches
Appendix C - Processes
- FortiClient (Windows) processes
- FortiClient (macOS) processes
Appendix D - CLI commands
- FortiClient (Windows) CLI commands
- FortiClient (macOS) CLI commands
- FortiClient (Linux) CLI commands
Appendix E - VPN autoconnect
- Configuring autoconnect with username and password authentication
- Configuring autoconnect with certificate authentication
Appendix F - SSL VPN prelogon
- SSL VPN prelogon using AD machine certificate
- FortiGate authentication configuration
- FortiGate SSL VPN configuration
- Enabling VPN prelogon in EMS
- Enabling automatic VPN prelogon in EMS
  - Configuring VPN to automatically connect before logon
  - Verifying and troubleshooting
- Troubleshooting the prelogon SSL VPN connection

Home FortiClient 7.2.4 Administration Guide

7.2.4

FortiClient (macOS) CLI commands

The following summarizes the CLI commands available for FortiClient (macOS) 7.2.4:

Endpoint control

FortiClient 7.2.4 must establish a Telemetry connection to EMS to receive license information. FortiClient features are only enabled after connecting to EMS.

Usage

You can access endpoint control features through the epctrl CLI command. This command offers the end user the ability to connect or disconnect from EMS and check the connection status. You can access usage information by using the following commands:

➜  ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -h
FortiClient Endpoint Control

Usage:

  /Library/Application Support/Fortinet/FortiClient/bin/epctrl -r|--register <address/invitation> [-p|--port <port>] [-s|--site <site>] [-k|--key <key>] [-m|--remember]
  /Library/Application Support/Fortinet/FortiClient/bin/epctrl -u|--unregister [-k|--key <key>]
  /Library/Application Support/Fortinet/FortiClient/bin/epctrl -d|--details
  /Library/Application Support/Fortinet/FortiClient/bin/epctrl -t|--trust accept|deny
  /Library/Application Support/Fortinet/FortiClient/bin/epctrl -a|--auth

Options:
  -h --help        Show the help screen
  -r --register    Register using an EMS address or an invitation code
  -p --port        EMS port, ignored if registering by invitation code (Optional, 8013 by default)
  -s --site        EMS site, ignored if registering by invitation code (Optional, "Default" by default)
  -u --deregister  Deregister from the current EMS
  -k --key         Key for registering/deregistering from EMS if required. Will prompt for user input if key verification fails or no key is given
  -m --remember    Remember the given connection key specified by -k|--key when registering to EMS (Optional, will not remember the key by default)
  -t --trust       Trust or deny a pending invalid EMS certificate
  -a --auth        Initializes the authentication process if user authentication is enabled on EMS
  -d --details     Show telemetry details and status

Connecting to on-premise EMS

FortiClient can connect to on-premise EMS using the following commands. If EMS is listening on the default port, 8013, you do not need to specify the port number. If EMS is listening on another port, such as 8444, you must specify the port number with the EMS IP address. The example illustrates both use cases.

Connecting to on-premise EMS using an invitation code (SAML configured)

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r <invitation_code>

SAML URL: {SAML_url}

Username: Connected!

Connecting to on-premise EMS using IP address and default port

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r 172.18.60.251

Registering to EMS 172.17.60.251:8013.

Connecting to on-premise EMS using IP address and non-default port

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r 172.18.60.251 -p 8444

Registering to EMS 172.17.60.251:8444.

Connecting to on-premise EMS with multitenancy enabled

If EMS multitenancy is enabled, you can also specify the site name. If connecting to the default site, you do not need to provide a site name. The example illustrates connecting to a site named "headquarters".

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r 172.18.60.251 -s headquarters

Disconnecting from EMS

➜  ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -u     
Deregistered

Specifying and remembering required connection key

EMS may require a connection key for FortiClient to connect.

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r 172.18.60.251 -k <connection_key> -m

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -u -k <connection_key>

Trusting or denying pending invalid EMS certificate

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -t accept|deny

Initializing authentication process if EMS has enabled user authentication

➜ ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -a

Showing telemetry details and status

The following example shows output when FortiClient is not connected to EMS:

➜  ~ /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -d       

=====================================
 FortiClient License Details
=====================================
Last EMS Access Time:  Never Accessed
License Expiry:       Unlicensed
VPN Expiry:           Wed Feb 14 11:14:58 2024 PST

=====================================
 FortiClient EMS Details
=====================================
No telemetry data available.