<checksum>

Configuration checksum that FortiGate and EMS calculate and enforce.

<enabled>

Enable endpoint control.

<system_data>

Endpoint control system information. This element is protected and not intended to be changed.

<socket_connect_timeouts>

Probe timeout for endpoint control registration and keep-alive message timeout in seconds.

probe_timeout:keep_alive_timeout

Changing socket connect time outs may affect performance.

<ping_server>

Ping server's IP address or FQDN.

FortiClient updates this tag when it connects to FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_name>

The FortiGate hostname or EMS that FortiClient is currently connected to, if any.

FortiClient updates this tag when it connects to the FortiGate or EMS. FortiClient overwrites edits to this tag.

You can safely delete this field.

<fgt_sn>

The connected FortiGate or EMS's encrypted serial number, if any. Do not edit this field.

You can safely delete this field.

<offnet_update>

Enable synchronization of configuration updates from the FortiGate or EMS.

Boolean value: [0 | 1]

<user>

Encrypted username.

<skip_confirmation>

Skip prompting the user before proceeding to complete connection with FortiGate or EMS.

Boolean value: [0 | 1]

<disable_unregister>

Prevent a connected client from being able to disconnect after successfully connecting to FortiGate or EMS.

When this setting is configured as 1, the FortiClient user is unable to disconnect from the FortiGate or EMS after initial registration. This XML setting is intended to be used with <silent_registration>. If Enable Registration Key for FortiClient is enabled on FortiGate or EMS, configure this password in the <registration_password> XML tag, and enter the IP address or addresses of the FortiGate or EMS in the <addresses> XML tag.

Boolean value: [0 | 1]

<invalid_cert_action>

Configure the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

• allow: allows FortiClient to connect to EMS with an invalid certificate.
• warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
• deny: block FortiClient from connecting to EMS with an invalid certificate.

When creating a new FortiClient installer on EMS, if EMS considers the certificate used for endpoint control invalid, the default action in the new installer is allow. The EMS administrator can modify this setting as desired.

Boolean value: [0 | 1]

<edr_collector>

Enable the Endpoint Detection & Response (EDR) feature. This feature is only available for endpoints connected to FortiClient Cloud with an EDR or extended detection & response license. See Creating a unified installer with EDR feature.

Boolean value: [0 | 1]

<disable_fgt_switch>

Disable the FortiGate switch.

Boolean value: [0 | 1]

This XML setting is intended for use with <silent_registration> and <disable_unregister>. If Enable Registration Key for FortiClient is enabled on the FortiGate, configure this password in the <registration_password> XML tag and enter the IP address or addresses of the FortiGate in the <addresses> XML tag.

When <disable_fgt_switch> is configured as 1, the FortiGate switch is disabled. As a result:

• FortiClient does not probe the default gateway.
• FortiClient does not automatically connect to the default gateway.
• FortiClient ignores FortiGate broadcasts.
• The discovered list displays only predefined FortiGate devices, if discovered.

<fgt_logoff_on_fct_shutdown>

Notify FortiGate or EMS when FortiClient is shut down.

Boolean value: [0 | 1]

<show_bubble_notification>

Show notifications in the system tray when a configuration update is received from the FortiGate or EMS.

Boolean value: [0 | 1]

<avatar_enabled>

Control whether FortiClient sends the user avatar to EMS and the FortiGate.

Boolean value: [0 | 1]

<silent_registration>

Connect to the FortiGate or EMS without prompting the user to accept connection. When enabled, no end user interaction is required to get the client to connect to FortiGate or EMS.

Boolean value: [0 | 1]

This XML setting is intended to be used with <disable_unregister>.

<notify_fgt_on_logoff>

Notify FortiGate or EMS when the FortiClient endpoint detects that a user logs off. When this setting is configured as 0, no message is sent to FortiGate or EMS. When this setting is configured as 1, a message is sent to FortiGate or EMS.

Boolean value: [0 | 1]

<forensics_license>

Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.

Boolean value: [0 | 1]

<fgt_list>

Encrypted list of remembered FortiGate or EMS units. Do not edit this field.

You can safely delete this field.

<send_software_inventory>

Enable sending software inventory reports to EMS.

Boolean value: [0 | 1]

<onnet_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's IP address matches the specified IP address, it is considered on-fabric.

<onnet_mac_addresses>

Use the <address> subelement to configure IP addresses. If the endpoint's MAC address matches the specified MAC address, it is considered on-fabric.

<override_invitation_code>

FortiClient installer/ESNAC uses the <standalone_invitation_code> value bundled in the deployment package to connect to EMS.

Boolean value: [0 | 1]

<confirm_migration>

FortiClient prompts user for confirmation when the EMS administrator has initiated migration to another EMS instance for the endpoint.

• If the user confirms the migration, the endpoint attempts to migrate to the new EMS. If migration fails, the endpoint rolls back to connect to the previous EMS.
• If the user does not confirm the migration, FortiClient attempts to retain connection to the original EMS instance.

Boolean value: [0 | 1]

<onnet_rules> elements

<dhcp_server>

EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. Use the following subelements:

• <dhcp_code>
• <ip_address>
• <mac_address>

<dns_server>

EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. Use the following subelements:

• <ip_address>
• <mac_address>

<ems_connection>

EMS considers the endpoint as satisfying the rule if it is online with EMS. Configure this element as follows:

<ems_connection>

<online_status>Online with EMS</online_status>

</ems_connection>

<local_ip>

EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if configured. Configuring the MAC address is optional. Use the following subelements:

• <ip_address>
• <mac_address>

<gateway>

EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if configured. Configuring the MAC address is optional. Use the following subelements:

• <ip_address>
• <mac_address>

<ping_server>

EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. Use the <ip_address> subelement.

<public_ip>

EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. Use the <ip_address> subelement.

<connection_media>

EMS considers the endpoint as satisfying the rule if its network settings match all configured fields. Use the <wifi_ssid> and <ethernet> subelements as the sample code shows. When using the Ethernet rule, you must add at least one network identification rule.

<vpn>

EMS considers the endpoint as satisfying the rule if its VPN settings match all configured fields. Use the <tunnel_name> subelement as the sample code shows.

<display_antivirus>

Display the Malware Protection tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<display_sandbox>

Display the Sandbox Detection tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<display_webfilter>

Display the Web Filter tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<display_firewall>

Display the Application Firewall tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<display_vpn>

Display the Remote Access tab in FortiClient.

Boolean value: [0 | 1]

When this setting is configured as 0, this feature does not display in the FortiClient console.

<display_vulnerability_scan>

Display the Vulnerability Scan tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<display_ztna>

Display the ZTNA Connection Rules tab in FortiClient.

When this setting is configured as 0, this feature does not display in the FortiClient console.

Boolean value: [0 | 1]

<hide_compliance_warning>

Hide the compliance enforcement feature message from the Zero Trust Telemetry tab. This option is only enforced on FortiClient endpoints connected to EMS. This option does not apply to monitored clients.

Boolean value: [0 | 1]

<notify_server>

Enable FortiClient to send alerts to FortiClient EMS. The priority of alerts that FortiClient sends depends on <alert_threshold>.

Boolean value: [0 | 1]

<alert_threshold>

Configures the threshold of alerts FortiClient sends to EMS. Enter one of the following:

• 1: High priority alerts
• 3: Medium priority alerts
• 5: Low priority alerts

<processes>

(Optional) Create a policy for an application and its signature.

<process>

Identify an application name and its signature. This element should be repeated for each unique application name.

<process id="" name="" rule="">

ID of this process entry and name of the application that is associated with the signatures, for example, <process id="1" name="MS Word">. Also shows whether FortiGate compliance rules require this process to be present or absent on the endpoint.

<signature name="" />

Identify the application name and signature. Repeat this element for different versions of the same application.

<files>

(Optional) Create a policy for a file and path. The policy is compliant when the file can be found.

<path id=""/>

ID of this path entry. Identify the path of the file for the policy. Repeat this element for each unique file path.

<registry>

(Optional) Create a policy for a registry key or value.