Supported FortiClient features
IPsec VPN remote user connectivity
The following table lists the FortiClient platform and version and each version's corresponding features that FortiSASE supports for IPsec VPN remote user connectivity:
|
Feature |
Windows 7.2.14 |
macOS 7.2.14 |
|---|---|---|
|
Diagnostic logs on-demand requests from FortiSASE |
✓ |
|
|
Digital experience monitoring agent* |
✓ |
✓ |
|
FortiGuard Forensics Analysis* |
✓ |
|
|
Access |
||
|
Autoconnect to FortiSASE using Microsoft Entra ID credentials |
|
|
|
Autoconnect to FortiSASE using SAML single sign on (SSO) |
✓ |
✓ |
|
Bypass FortiSASE using application-based split tunnel |
✓ |
|
|
Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via DNS server |
✓ |
✓ |
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via DHCP server |
✓ |
✓ |
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via local subnet |
✓ |
✓ |
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via ping server |
✓ |
✓ |
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via public IP address |
✓ |
✓ |
|
Endpoint profile assignment based on Microsoft Entra ID groups |
✓ |
|
|
Endpoint profile change notifications |
✓ |
✓ |
|
Endpoint telemetry |
✓ |
✓ |
|
Endpoint VPN connectivity notifications |
✓ |
✓ |
|
Endpoint VPN disconnection by disabling management connection from FortiSASE |
✓ |
✓ |
|
External browser as user-agent for SAML login |
✓ |
✓ |
|
Force always on VPN |
✓ |
✓ |
|
IPsec VPN to FortiSASE using IKEv2, Preshared Key, and SAML |
✓ |
✓ |
|
IPsec VPN to FortiSASE using IKEv2, Preshared Key, and Local user |
✓ |
✓ |
|
Network lockdown |
✓ |
✓ |
|
Pre-logon VPN |
✓ |
|
|
Show zero trust network access (ZTNA) tags on FortiClient |
✓ |
✓ |
|
Split DNS |
✓ |
✓ |
|
FSSO |
||
|
FortiClient SSO mobility agent |
✓ |
✓ |
|
Protection |
|
|
|
Antiransomware |
✓ |
|
|
Next generation antivirus (AV) – real-time AV and cloud malware protection |
✓ |
✓ |
|
Removable media access control |
✓ |
✓ FortiClient (macOS) does not support rules. It only supports allow and block actions. |
|
Removable media access control – notify endpoint of blocks |
|
✓ |
|
Vulnerability scan |
✓ |
✓ |
|
Vulnerability scan - event-based scan |
✓ |
✓ |
|
Sandbox |
|
|
|
Sandboxing - on-premise and FortiSASE Cloud Sandbox |
✓ |
✓ |
|
ZTNA |
|
|
|
ZTNA remote access |
✓ |
✓ |
|
ZTNA tagging rules |
✓ |
✓ |
* Requires Advanced or Comprehensive subscription
SSL VPN remote user connectivity
The following table lists the FortiClient platform and version and each version's corresponding features that FortiSASE supports for SSL VPN remote user connectivity:
|
Feature |
Windows 7.2.14 |
macOS 7.2.14 |
Android |
iOS |
|---|---|---|---|---|
|
Diagnostic logs on-demand requests from FortiSASE |
✓ |
|
|
|
|
Digital experience monitoring agent* |
✓ |
✓ |
|
|
|
FortiGuard Forensics Analysis* |
✓ |
|
|
|
|
Access |
||||
|
Autoconnect to FortiSASE using Microsoft Entra ID credentials |
✓ |
|
|
|
|
Autoconnect to FortiSASE using SAML single sign on (SSO) |
✓ |
✓ |
✓ |
✓ |
|
Bypass FortiSASE using application-based split tunnel |
✓ |
|
|
|
|
Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via DNS server |
✓ |
✓ |
|
|
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via DHCP server |
✓ |
✓ |
|
|
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via local subnet |
✓ |
✓ |
|
|
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via ping server |
✓ |
✓ |
|
|
| Exempt endpoint from FortiSASE autoconnect when endpoint is on-net via public IP address |
✓ |
✓ |
|
|
|
Endpoint profile assignment based on Microsoft Entra ID groups |
✓ |
|
|
|
|
Endpoint profile change notifications |
✓ |
✓ |
|
|
|
Endpoint telemetry |
✓ |
✓ |
✓ |
✓ |
|
Endpoint VPN connectivity notifications |
✓ |
✓ |
|
|
|
Endpoint VPN disconnection by disabling management connection from FortiSASE |
✓ |
✓ |
|
|
|
External browser as user-agent for SAML login |
✓ |
✓ |
✓ |
✓ |
|
Force always on VPN |
✓ |
✓ |
✓ |
✓ FortiClient (iOS) does not disable the VPN button instantly. You must navigate away from the VPN page to disable the VPN button. |
|
Network lockdown |
✓ |
✓ |
|
|
|
Pre-logon VPN |
✓ |
|
|
|
|
Show zero trust network access (ZTNA) tags on FortiClient |
✓ |
✓ |
✓ |
✓ |
|
Split DNS |
✓ |
✓ |
|
✓ For split-tunnel VPN, DNS request can be routed to the split-tunnel VPN via DNS suffix. |
|
SSL VPN connection remains active after endpoint has been idle |
✓ |
✓ |
|
|
|
SSL VPN support for DTLS** |
✓ |
✓ |
✓ |
✓ |
|
SSL VPN to FortiSASE |
✓ |
✓ |
||
|
FSSO |
||||
|
FortiClient SSO mobility agent |
✓ |
✓ |
|
|
|
Protection |
|
|
|
|
|
Antiransomware |
✓ |
|
|
|
|
Next generation antivirus (AV) – real-time AV and cloud malware protection |
✓ |
✓ |
|
|
|
Removable media access control |
✓ |
✓ FortiClient (macOS) does not support rules. It only supports allow and block actions. |
|
|
|
Removable media access control – notify endpoint of blocks |
|
✓ |
|
|
|
Vulnerability scan |
✓ |
✓ |
|
|
|
Vulnerability scan - event-based scan |
✓ |
✓ |
|
|
|
Sandbox |
|
|
|
|
|
Sandboxing - on-premise and FortiSASE Cloud Sandbox |
✓ |
✓ |
✓ On-premise only |
|
|
ZTNA |
|
|
|
|
|
ZTNA remote access |
✓ |
✓ |
|
|
|
ZTNA tagging rules |
✓ |
✓ |
✓ |
✓ |
* Requires Advanced or Comprehensive subscription
** DTLS support is enabled by default for existing and new FortiSASE instances.