In this recipe, you will learn how to enforce a Profile on an internal network such that only internal devices registered with FortiClient can access the Internet and the corporate network. You will edit the default FortiClient Profile to enforce realtime antivirus protection and malicious website blocking.
This recipe requires you to enable FortiHeartBeat on a FortiGate interface. When you enable FortiHeartBeat on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before getting access to network services.
FortiGates come with a free FortiClient license allowing a limited number of devices to register to the FortiGate and download FortiClient. Your FortiGate gets the latest version of FortiClient for Mac and for Windows from FortiGuard. When devices register with the FortiGate they download and install one of these copies of FortiClient. You can see the status of your FortiClient licensing and purchase additional FortiClient licenses from the License Information Dashboard Widget.
This recipe was tested using FortiClient version 5.4.
1. Enabling endpoint control on the FortiGate On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled. 2. Enforcing FortiClient registration on the internal interface Go to Network > and select the . Under Restrict Access, enable FortiHeartBeat. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients. 3. Configuring the FortiClient Profile Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded to FortiClient when it registers to the FortiGate. Go to Security Profiles > FortiClient Profiles and edit the default profile to provide realtime antivirus protection that scans files as they are downloaded or copied to the device, block malicious websites and block attack channels. 4. Results In this image, an internal device has FortiClient installed but not registered with a FortiGate. This is indicated by the Attention banner, and alsobecause the option to Register Endpoint is available. When a user on this device attempts to browse the Internet, an Endpoint Security Required page appears instructing the user to install and register endpoint security in the form of FortiClient. A download link is provided at the bottom of the page. When the user clicks on this link, the FortiGate responds with a download of the latest FortiClient software. Similarly, since the device requires a registered FortiClient to access network services, internal servers (such as Exchange mail servers) will also be blocked, unless otherwise exempted—see . By comparison, a registered device appears below. The device shows as registered, with a lock icon next to the device name in the upper right corner. FortiClient should automatically attempt to register to the nearest FortiGate, provided that FortiHeartBeat has been enabled and registration enforced. A user on this device can verify their registration status by clicking on the device name.FortiClient displays the device’s On-Net/Off-Net status, Hostname, Domain, registered FortiGate’s serial number (SN), and IP address. Upon registration, the FortiGate updates the FortiClient configuration to match the FortiClient Profile and downloads the latest FortiGuard antivirus database to the device. You can verify that the registered configuration update matches the FortiClient Profile. Depending on the FortiClient Profile, the user may also have the option to Unregister the device. This can be disabled on the FortiGate in Security Profiles > FortiClient Profiles, under the Advanced tab. The registered device can now access corporate network services and browse the Internet. To verify the status of the endpoints on the FortiGate, go to User & Device > Device List. By default, this list shows On-Net/Off-Net Status, endpoint Device (Hostname and device name), endpoint IP Address, and the device’s operating system (OS). To view only the status of FortiClient connections, go toMonitor > FortiClient Monitor.
For further reading, check out the .
Technical Writer at Keith Leroux is a writer on the 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea, and teaches Web-Based Documentation at Algonquin College on a part-time basis. He doesn't actually need glasses, but looks smarter wearing them. Latest posts by Keith Leroux () - March 17, 2016 - March 3, 2016 - March 3, 2016
Related posts:
Share this recipe:
You can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.
You can add additional FortiClient Profiles to define exceptions to the default profile. The configuration of the exception profiles includes devices, users, or addresses to which the exception applies.
Note that this list also includes unregistered endpoints and any other connected device.
The FortiClient monitor shows both registered and unregistered FortiClients, including On-Net/Off-Net status.