
Adding Endpoint Control to the Security Fabric

In this example, you will use endpoint control on an ISFW FortiGate that is part of a Cooperative Security Fabric (CSF). To do this, you will create a FortiClient Profile that only allows traffic from compliant devices to flow through the FortiGate. The FortiClient Profile will also enforce the use of AntiVirus, Web Filtering, and Application Control, and make sure that a current version of FortiClient is used.

In the example, the ISFW FortiGate has the host name Marketing. The FortiClient Profile is applied on the Marketing FortiGate, rather than External, because the internal network connects directly to this FortiGate.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

This recipe requires both FortiOS 5.4.1 (or higher) and FortiClient 5.4.1 (or higher). If you need to upgrade, make sure to upgrade registered FortiClient endpoints to FortiClient 5.4.1 before you upgrade FortiGate.

1. Enabling endpoint control on the FortiGate

On the Marketing FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.

2. Enforcing FortiClient registration on the internal interface

Go to Network > Interfaces and edit the interface used for the internal network.

Under Administrative Access, enable FortiTelemetry.

Under Admission Control, enable Enforce FortiTelemetry for all FortiClients. You can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.

3. Configuring the FortiClient Profile

Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded by FortiClient when it connects to the FortiGate. You can add additional FortiClient Profiles to define exceptions to the default profile. The configuration of the exception profiles includes devices, users, or addresses to which the exception applies.

Go to Security Profiles > FortiClient Profiles and edit the default profile.

Set Non-compliance action to Auto-update, to make sure any non-compliant endpoints will have their configurations updated to become compliant.

Enable AntiVirus, then enable both Realtime Protection and Up-to-date signatures.

Enable both Web Filter and Application Firewall and select the default filters.

Enable System compliance, then enable Minimum FortiClient version. Set both Windows endpoints and Mac endpoints to FortiClient 5.4.1 (or higher).

4. Setting up a compliant FortiClient device

Use a PC on the internal network that does not have FortiClient installed and attempt to connect to the Internet. A message appears stating that endpoint compliance has failed. The message also contains instructions about how to become compliant.

Install FortiClient on the PC, then go to the Compliance screen. Set up a FortiTelemetry connection to the Marketing FortiGate.

After the connection is made, the device may still appear as Non-compliant because it has to receive and apply updates from the Marketing FortiGate.

5. Results

Once FortiClient shows that your device is Compliant, you are able to connect to the Internet.

On the Marketing FortiGate, go to Monitor > FortiClient Monitor. The PC is listed as a Compliant device.

On the External FortiGate, go to FortiView > Physical Topology. The PC appears connected to the Marketing FortiGate.

Go to FortiView > Logical Topology. The PC appears connected to the Marketing FortiGate.

Go to Monitor > FortiClient Monitor. Because endpoint control is applied to the Marketing FortiGate, the PC is listed as an Exempt device.
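The two decisions the recipe configures, the interface's admission control (step 2, with its exempt sources) and the FortiClient Profile's compliance checks (step 3), can be modelled as a small policy evaluator so that the outcomes seen in steps 4 and 5 (blocked, Compliant, Exempt) can be reasoned about offline. The following Python is an added example, not Fortinet's or FortiOS's code; the class and function names, the sample endpoints and the exempt-source ranges are constructed for illustration, while the profile values mirror the recipe (Auto-update, Realtime Protection plus up-to-date signatures, Web Filter, Application Firewall, minimum FortiClient 5.4.1 on Windows and Mac). It also handles one edge case a naive check gets wrong: the minimum-version test compares versions numerically, so a future 5.10.x release satisfies "5.4.1 or higher" even though it sorts below it as a string.

```python
"""Model of FortiGate endpoint-control admission and compliance decisions.

Added example (not Fortinet code). All names and sample data are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.4.1' into (5, 4, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class ForticlientProfile:
    """Mirrors the settings chosen in the default FortiClient Profile (step 3)."""
    minimum_version: Dict[str, str]            # per OS family, e.g. {"windows": "5.4.1"}
    require_av_realtime: bool = True
    require_av_signatures_current: bool = True
    require_web_filter: bool = True
    require_app_firewall: bool = True
    noncompliance_action: str = "auto-update"  # what FortiClient does when checks fail


@dataclass
class Endpoint:
    """State a FortiClient endpoint reports over FortiTelemetry (constructed)."""
    ip: str
    os: str
    registered: bool                            # FortiTelemetry connection established
    forticlient_version: Optional[str] = None
    av_realtime: bool = False
    av_signatures_current: bool = False
    web_filter: bool = False
    app_firewall: bool = False


@dataclass
class InternalInterface:
    """Admission Control settings from step 2 (constructed model)."""
    enforce_telemetry: bool = True
    exempt_sources: List[str] = field(default_factory=list)  # CIDR strings


def is_exempt_source(iface: InternalInterface, ep: Endpoint) -> bool:
    """An exempt source never needs FortiClient registration."""
    return any(ip_address(ep.ip) in ip_network(cidr) for cidr in iface.exempt_sources)


def compliance_failures(profile: ForticlientProfile, ep: Endpoint) -> List[str]:
    """Return every profile requirement the endpoint currently fails."""
    if not ep.registered or ep.forticlient_version is None:
        return ["FortiClient is not installed or not registered via FortiTelemetry"]
    failures: List[str] = []
    minimum = profile.minimum_version.get(ep.os)
    if minimum and parse_version(ep.forticlient_version) < parse_version(minimum):
        failures.append(f"FortiClient {ep.forticlient_version} is below minimum {minimum}")
    if profile.require_av_realtime and not ep.av_realtime:
        failures.append("AntiVirus Realtime Protection is off")
    if profile.require_av_signatures_current and not ep.av_signatures_current:
        failures.append("AntiVirus signatures are out of date")
    if profile.require_web_filter and not ep.web_filter:
        failures.append("Web Filter is off")
    if profile.require_app_firewall and not ep.app_firewall:
        failures.append("Application Firewall is off")
    return failures


def admission_decision(iface: InternalInterface, profile: ForticlientProfile,
                       ep: Endpoint) -> Dict[str, object]:
    """Decide whether traffic from ep is allowed and how the monitor would list it."""
    if not iface.enforce_telemetry or is_exempt_source(iface, ep):
        return {"verdict": "allow", "status": "Exempt", "failures": []}
    failures = compliance_failures(profile, ep)
    if not failures:
        return {"verdict": "allow", "status": "Compliant", "failures": []}
    # Blocked until the non-compliance action (here Auto-update) brings it into line.
    return {"verdict": "block", "status": "Non-compliant",
            "failures": failures, "action": profile.noncompliance_action}


# Constructed sample policy and endpoints for a stand-alone run.
PROFILE = ForticlientProfile(minimum_version={"windows": "5.4.1", "mac": "5.4.1"})
IFACE = InternalInterface(enforce_telemetry=True, exempt_sources=["192.0.2.100/32"])
PC_NO_CLIENT = Endpoint(ip="192.0.2.10", os="windows", registered=False)
PC_PRINTER_EXEMPT = Endpoint(ip="192.0.2.100", os="other", registered=False)
PC_COMPLIANT = Endpoint(ip="192.0.2.11", os="mac", registered=True,
                        forticlient_version="5.10.0", av_realtime=True,
                        av_signatures_current=True, web_filter=True, app_firewall=True)

if __name__ == "__main__":
    for ep in (PC_NO_CLIENT, PC_PRINTER_EXEMPT, PC_COMPLIANT):
        print(ep.ip, admission_decision(IFACE, PROFILE, ep))
```

The evaluator treats "exempt" and "compliant" as two different reasons for allowing traffic, which is exactly the distinction the FortiClient Monitor makes in step 5; an exempt source is worth auditing periodically, since it bypasses every check in the profile.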
