DO NOT REPRINT

© FORTINET

FortiClient EMS
Study Guide
for FortiClient EMS 7.0
DO NOT REPRINT
© FORTINET
Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: [email protected]

9/21/2021
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

01 Introduction to FortiClient and FortiClient EMS 4

02 Installation and Licensing 43
03 FortiClient EMS Configuration and Administration 75
04 FortiClient Deployment 135
05 FortiClient Provisioning Using FortiClient EMS 160
06 ZTNA 231
07 Diagnostics and Troubleshooting 292
 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to integrate FortiClient into your existing network, and manage the security of
multiple endpoint devices from a single management console, such as FortiClient Enterprise Management
Server (EMS).

FortiClient EMS 7.0 Study Guide 4

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 5

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of what FortiClient is and what it does, you will be able to
understand how FortiClient fits into your network.

FortiClient EMS 7.0 Study Guide 6

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

In a typical endpoint network security solution, multiple instances of single-purpose software applications are
used. Each application provides a specific service, including antivirus protection, web filtering, VPN access,
application firewall, and so on.

Many endpoint security solutions are not capable of providing central management, central logging, and other
features.

When several different applications are used, most times they all are made by different vendors. Using
applications from multiple vendors can introduce unwanted complexity, create many potential points of failure,
and increase the cost of initial installation and ongoing operation.

On the other hand, FortiClient offers comprehensive endpoint protection for your Windows-based and Mac-
based desktops, laptops, file servers, and mobile devices. FortiClient can safeguard your systems with
advanced security technologies and provide a single management console.

FortiClient EMS 7.0 Study Guide 7

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

Traditional antivirus software can protect your endpoints from known viruses, but may be unable to detect and
protect against advanced threats. This can result in data being lost or compromised.

Present day attackers use advanced methods to hijack your identity, such as social media accounts, and
access your banking information. Sometimes, this information is browser or application-based, and antivirus
software can do a little to protect it.

More and more people connect to corporate networks from Wi-Fi hotspots, providing no control over remote
or mobile devices.

Not only do threats come from outside your network, people often take mobile devices inside your network,
which may be compromised. They also use your VPN to download files, which may be contain potential
issues.

This is why you need endpoint security!

FortiClient EMS 7.0 Study Guide 8

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

Standard security software can provide basic protection, but endpoint security provides basic security plus
much more.

Endpoint security provides an antivirus program and much more to protect your devices and it creates a
barrier between your network and the outside. Endpoint security provides antivirus updates, antimalware,
IPS/IDS signatures, and updates.

Endpoint security also forces endpoint compliance, which requires endpoint devices to comply with specific
criteria before they can gain access to the network.

FortiClient EMS 7.0 Study Guide 9

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient provides comprehensive endpoint protection for your Windows-based, Mac-based, and Linux-
based desktops, laptops, file servers, and mobile devices such as iOS and Android. It helps you to safeguard
your systems with advanced security technologies, all of which you can manage from a single management
console.

FortiClient enables every device4local or remote, stationary or mobile4to integrate with your FortiClient
EMS and FortiGate. FortiClient supports Windows, Mac OS, Linux, iOS, Android mobile devices and
Chromebook, and also integrates your home offices, mobile workers, and visiting partners.

FortiClient EMS 7.0 Study Guide 10

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient must be used with FortiClient EMS. FortiClient must connect to FortiClient EMS to activate its
license and become provisioned by the endpoint profile that the administrator configured in FortiClient EMS.
You cannot use any FortiClient features until FortiClient is connected to FortiClient EMS and licensed.

When FortiClient is connected only to FortiClient EMS, FortiClient EMS provisions and manages FortiClient.
FortiClient EMS also sends zero-trust tagging rules to FortiClient, and uses the results from FortiClient to
dynamically group endpoints in EMS. Only FortiClient EMS can control the connection between FortiClient
and FortiClient EMS. However, FortiClient cannot participate in the Fortinet Security Fabric.

FortiClient in the security fabric connects to FortiClient EMS to receive a profile of configuration information as
part of an endpoint policy. FortiClient EMS is connected to FortiGate to participate in the Security Fabric.
FortiClient EMS sends FortiClient endpoint information to FortiGate. FortiGate can also receive dynamic
endpoint group lists from FortiClient EMS and use them to build dynamic firewall policies.

FortiClient automates prevention of known and unknown threats through its built-in, host-based security stack
and integration with FortiSandbox.

FortiClient also provides secure remote access to corporate assets through VPN.

FortiClient EMS 7.0 Study Guide 11

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

The following Fortinet products can work together to support FortiClient:

FortiClient EMS: FortiClient EMS runs on a Windows server. EMS manages FortiClient endpoints by
deploying FortiClient (Windows) and endpoint policies to endpoints, and the endpoints can connect FortiClient
Telemetry to EMS. FortiClient endpoints can connect to EMS to participate in the Security Fabric. FortiClient
endpoints connect to EMS to be managed in real time.

FortiManager: FortiManager provides central FortiClient management for FortiGate devices that
FortiManager manages. When endpoints are connected to managed FortiGate devices, you can use
FortiManager to monitor endpoints from multiple FortiGate devices.

FortiGate: FortiGate provides network security. EMS defines compliance verification rules for connected
endpoints and communicates the rules to endpoints and FortiGate. FortiGate uses the rules and endpoint
information from EMS to dynamically adjust security policies. When using FortiManager, FortiGate
communicates between EMS and FortiManager.

FortiAnalyzer: FortiAnalyzer can receive logs, and Windows host events directly from endpoints connected to
EMS, and you can use FortiAnalyzer to analyze the logs and run reports. FortiAnalyzer receives
other FortiClient data from EMS.

FortiSandbox: FortiSandbox offers capabilities to analyze new, previously unknown, and undetected virus
samples in real time. Files sent to it are scanned first, using a similar antivirus engine and signatures available
on FortiOS and FortiClient. If the file is not detected but is an executable file, it is run in a Microsoft Windows
VM and monitored. The file is given a rating or score based on its activities and behavior in the VM.

FortiClient EMS 7.0 Study Guide 12

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiSASE SIA is a Security-as-a-Service deployed via FortiClient SASE deployment. This scalable cloud-
based platform is easy to manage and powered by Fortinet9s award- winning FortiGuard advanced protection
services allowing customers to extend FWaaS, IPS, DLP, DNS, SWG, sandboxing off-fabric remote users.
FortiSASE SIA offers up-to-date, real-time protection to terminate client traffic, scan traffic for known and
unknown threats, and enforce corporate security policies for users anywhere. All features of EPP/ATP are
included in a FortiSASE deployment. This deployment is only supported with FortiClient Cloud.

FortiClient EMS 7.0 Study Guide 13

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient Security Fabric integration provides endpoint visibility through telemetry and ensures that all fabric
components, FortiGate, FortiAnalyzer, EMS, Managed APs, Managed Switches, and Sandbox have a unified
view of endpoints in order to provide tracking and awareness, compliance enforcement, and reporting. Secure
remote connectivity is provided by either traditional VPN tunnels or new, automatic ZTNA tunnels.

FortiClient comes in four different editions:

" ZTNA (Zero Trust Network Access)

" EPP/APT (Endpoint Protection Platform/Advanced Persistent Threat)
" Managed Service
" Chromebook

FortiClient EMS 7.0 Study Guide 14

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

This slide shows the comparison table of FortiClient editions.

FortiClient ZTNA works with FortiOS to enable secure, granular access to applications whether the user is on-
fabric or off-fabric. Each session is initiated with an automatic, encrypted tunnel from FortiClient to the FortiOS
proxy point for user and device verification. If verified, access is granted for that session. Two-Factor
authentication can also be used to provide an additional layer of security. With ZTNA, organizations benefit
from both a better remote access solution and a consistent policy for controlled access to applications both on
and off the network.

EPP/APT: includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as
antivirus (AV), antiransomware, anti-exploit, cloud-based malware detection, application firewall, software
inventory, and advanced threat protection through FortiClient Cloud Sandbox.

The managed service includes all features detailed for ZTNA and EPP editions, as well as initial FortiClient
cloud provisioning with the customer, to set up and configure their FortiClient cloud environment, endpoint on-
boarding, security fabric setup and integration, and endpoint vulnerability monitoring

Chromebook: license allows management of one Google Chromebook user. If the number of Chromebooks
that the EMS is managing exceeds the number of Chromebook licenses available, FortiClient EMS licenses
the additional Chromebooks using any available Fabric Agent licenses.

FortiClient EMS 7.0 Study Guide 15

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

This slide is the continuation of the comparison table.

FortiClient EMS 7.0 Study Guide 16

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 17

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

Good job! You now know more about what FortiClient is and what it does.

Now, you will learn about FortiClient EMS.

FortiClient EMS 7.0 Study Guide 18

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating a competent understanding of the components and management functions of FortiClient

EMS, you will be able to understand the purpose of FortiClient EMS.

FortiClient EMS 7.0 Study Guide 19

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS is a security management solution that enables scalable and centralized management of
multiple endpoints (computers). It also provides efficient and effective administration of endpoints running
FortiClient, and visibility across the network to securely share information and assign security profiles to
endpoints. It is designed to maximize operational efficiency and includes automated capabilities for device
management and troubleshooting.
FortiClient EMS also works with the FortiClient Web Filter extension to provide web filtering for Google
Chromebook users.

The benefits of deploying FortiClient EMS include:

" Remotely deploying FortiClient software to Windows computers
" Updating profiles for endpoint users regardless of access location
" Administering FortiClient endpoint connections, such as accepting, disconnecting, and blocking
connections
" Managing and monitoring endpoints, such as status, system, and signature information
" Identifying outdated versions of FortiClient software
" Defining web filtering rules in a profile, and remotely deploying the profile to the FortiClient Web Filter
extension on Google Chromebook endpoints

You can manage endpoint security for Windows and macOS platforms using a unified organizational security
policy. An organizational security policy provides a full, understandable view of the security policies defined in
the organization. You can see all policy rules, assignments, and exceptions in a single unified view. FortiClient
EMS is part of the Fortinet Endpoint Security Management suite, which ensures comprehensive policy
administration and enforcement for an enterprise network.

FortiClient EMS 7.0 Study Guide 20

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

The following components make up FortiClient EMS:

" FortiClient EMS: manages FortiClient on endpoints that connect to your network. It also manages the
FortiClient Web Filter extension installed on Google Chromebook endpoints, which are connected to your
Google domain. It includes two types of software:
" Console software that manages security profiles, FortiClient on endpoints, and Chromebook endpoints
" Server software that provides secure communication between endpoints and the console and between
Chromebook endpoints and the Google Admin console
" Database: stores security profiles and events. Also stores user information retrieved from the Google
Admin console for Chromebooks. The SQL database is installed as part of the FortiClient EMS installation
" FortiClient: helps enforce security and protection on endpoints. It runs on servers, desktops, and portable
computers you want to secure
" FortiClient Web Filter extension: communicates with FortiClient EMS and enforces web filtering on
Google Chromebook endpoints

In the EMS lesson, you will learn about FortiClient EMS in more detail, and explore all the features and
options.

FortiClient EMS 7.0 Study Guide 21

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 22

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient EMS.

Now, you will learn about FortiClient security features and what they do.

FortiClient EMS 7.0 Study Guide 23

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating a competent understanding of the key features of FortiClient, you will be able to use
FortiClient features and operation modes in your network.

FortiClient EMS 7.0 Study Guide 24

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

The FortiClient Telemetry tab displays whether FortiClient Telemetry is connected to EMS. You can use the
FortiClient Telemetry tab to manually connect FortiClient Telemetry to EMS and to disconnect FortiClient
Telemetry from EMS.

FortiClient can use a gateway IP address to connect FortiClient Telemetry to FortiClient EMS.

FortiClient EMS 7.0 Study Guide 25

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

When FortiClient Telemetry is connected to EMS, FortiClient collects the hardware information (MAC
addresses), software information (OS version on the endpoint), identification information (username, avatar,
and hostname), and vulnerability information that the vulnerability scanning module reports about the endpoint
and its workload, and sends it to EMS. When EMS participates in the Security Fabric, the Security Fabric
uses the information to understand the endpoint and its workload to better protect it.

After installation, FortiClient automatically launches and connects telemetry to the EMS server that created
the installed deployment package. You can also manually enter the EMS IP address or invitation code to
connect. When you confirm the telemetry connection to EMS, you can instruct FortiClient to remember the
EMS IP address. If a connection key is required, FortiClient remembers the connection key too. FortiClient
can remember up to 20 IP addresses for EMS.

When you instruct FortiClient to forget an IP address for EMS, FortiClient Telemetry does not use the IP
address to automatically connect to EMS when rejoining the network. You must disconnect FortiClient
Telemetry from EMS to connect to another EMS or to disable and uninstall FortiClient.

FortiClient EMS 7.0 Study Guide 26

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

In FortiClient 7.0.0, compliance depends on FortiClient EMS and FortiOS. This feature is available only if you
are using FortiClient 7.0.0 with FortiClient EMS 7.0.0 and FortiOS 7.0.0. Because of changes to the license,
you can't have a mixed version environment.

The administrator can define compliance verification rules on FortiClient EMS based on criteria, such as
certificates, the logged-in domain, files present, OS versions, running processes, and registry keys. When a
FortiClient endpoint registers on the FortiClient EMS, FortiClient EMS dynamically groups the endpoint based
on the compliance verification rules. FortiOS can receive the dynamic endpoint groups from FortiClient EMS
and use them to create dynamic firewall policies. The endpoint may be unable to access the network based
on the compliance verification rules.

FortiClient EMS 7.0 Study Guide 27

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

ZTNA connection rules on FortiClient create a secure encrypted connection to protected applications without
using VPN. FortiClient uses the FortiGate device application proxy feature to create a secure connection
through HTTPS using a certificate received from EMS that includes the FortiClient UID. FortiGate acts as a
local proxy gateway.

FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to
FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access
as applicable.

FortiClient EMS 7.0 Study Guide 28

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

On the ZTNA Connection Rules tab, for TCP forwarding to non-web-based applications, you must define
ZTNA connection rules in FortiClient.

You must configure the following:

" Rule Name: allows you to enter the desired name for a rule.
" Destination Host: allows you to enter the IP address or FQDN and port number of the destination
host/server.
" Proxy Gateway: allows you to enter the FortiGate device access IP address and port number.
" Mode: allows you to select Transparent mode for a connection.

FortiClient EMS 7.0 Study Guide 29

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient has enhanced capabilities for the detection of malware. The protection includes antivirus
protection, anti-ransomware, cloud-based malware protection, anti-exploit and removable media access

In FortiClient antivirus, when you enable the botnet feature, FortiClient monitors and compares network traffic
on a compromised system with a list of known command and control servers, and blocks it.

The real-time protection (RTP) feature on FortiClient uses tight integration with Microsoft Windows to monitor
files locally or over a network file system, as they are being downloaded, saved, run, copied, renamed,
opened, or written to.

FortiClient can scan system files, executable files, removable media, dynamic-link library (DLL) files, memory,
and drivers. FortiClient also scans for and removes rootkits. File-based malware, malicious websites,
phishing, and spam URL protection is part of the antivirus component.

FortiClient EMS 7.0 Study Guide 30

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

After FortiClient is registered to EMS, Web Filter configuration settings are pushed from the management
device and are read-only on the FortiClient console.

Web Filter features allow you to block, allow, warn, and monitor web traffic based on URL category or custom
URL filters. URL categorization is handled by the FDN. You can create a custom URL filter exclusion list,
which overrides the FDN category.

The EMS administrator can enable a web browser plugin for HTTPS web filtering on the endpoint. This
improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, you
must open the browser to approve installing the new plugin. The plugin is supported only for the Google
Chrome browser on Windows platforms.

FortiClient EMS 7.0 Study Guide 31

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. The FortiClient
EMS administrator can provision client VPN connections in the FortiClient profile (EMS endpoint profile) or the
endpoint user can configure new connections on the FortiClient console.

You can also configure two-factor authentication using FortiToken for enhanced security for both types of
VPNs on your FortiGate device for FortiClient VPN connections.

FortiClient VPN features are not limited to basic configuration and provisioning, but can be used for advanced
configurations. For example, you can automatically connect to a VPN when FortiClient is launched, or you can
map or unmap a network drive when a tunnel is connected or disconnected, respectively.

You can also configure FortiClient to connect to a VPN before the login in (either logging in to a Windows
account, or through an AD environment). Advanced features like redundant IPsec VPN and priority-based
SSL VPN are also supported on FortiClient for Windows and Mac OS.

FortiClient EMS 7.0 Study Guide 32

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

To connect to a VPN (IPsec or SSL), select the VPN name from the drop-down list on the FortiClient console.
Enter your username, password, and then click Connect. Optionally, in the system tray, right-click the
FortiClient icon and select the VPN connection you want to connect to. When connected, the console displays
the connection status, duration, and other relevant information.

Note that provisioned VPN connections are listed under Corporate VPN. Locally configured VPN connections
are listed under Personal VPN.

FortiClient EMS 7.0 Study Guide 33

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

You can use the application firewall feature to detect and take actions against network traffic, depending on
the application that is generating the traffic. The application firewall uses IPS protocol decoders to analyze
and detect application traffic, even on non-standard ports.

FortiClient can recognize the traffic generated by a large number of applications. You can create rules to block
or allow application traffic on FortiGate or EMS, based on the category or application. The rules are then
pushed to the managed FortiClient.

Application firewall settings are read-only on the FortiClient console. You can view blocked applications for the
past seven days.

FortiClient EMS 7.0 Study Guide 34

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

When endpoint users are transferring data over the internet, hackers can exploit vulnerabilities in endpoint
devices, and use those vulnerabilities to gain unauthorized access to the system.

FortiClient can perform a vulnerability scan to search endpoint devices to identify weaknesses, provide details
about the impact of those weaknesses and recommend actions to protect the applications running on the
endpoint devices.

FortiClient communicates with the FortiGuard Center to get the signature updates.

After the scan is complete, FortiClient displays the list of vulnerabilities and details. You can click an item in
the list, such as release date, severity, impact, and recommended actions, to name a few.

FortiClient EMS 7.0 Study Guide 35

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

You can export the log file (.log) from FortiClient.

FortiClient provides options for logging levels, such as information, notice, or emergency. When FortiClient is
managed by FortiClient EMS, the administrator can configure the XML configuration to set the logging levels.

The default logging level on FortiClient is Information.

FortiClient EMS 7.0 Study Guide 36

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

You can configure FortiClient to send logs and software inventory reports to FortiAnalyzer or FortiManager.
You need the following products:
" FortiClient
" FortiClient EMS
" FortiAnalyzer or FortiManager

FortiClient uses TCP port 514 to upload to FortiAnalyzer or FortiManager. FortiClient collects information on
regular software installed on the endpoint and sends the information to EMS and FortiAnalyzer. FortiClient
sends the software inventory information when it first registers on EMS and when it first sends data to
FortiAnalyzer. If software changes occur on the endpoint, such as installing new software, updating existing
software, or removing existing software, FortiClient sends an updated inventory to EMS and FortiAnalyzer.

FortiClient Telemetry must connect to EMS for FortiClient to upload logs and software inventory reports to
FortiAnalyzer or FortiManager.

Note that you must enable logging on FortiManager. By default, this feature is disabled.

FortiClient EMS 7.0 Study Guide 37

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient 7.0.0 supports a number of features, such as VPNs, antivirus, web filtering, and more. When
FortiClient is registered with FortiGate or FortiClient EMS, it enhances comprehensive security, helping you to
safeguard your systems with advanced security technologies, which are all managed from a single
management console with easy provisioning, monitoring, and auditing.

You can also customize the FortiClient installation and use VPN auto-connect to ensure that FortiClient
creates a VPN connection to FortiGate when it is considered to be off-net. FortiClient also supports
configuration provisioning for iOS (.mobileconfig files) in addition to FortiClient configuration provisioning.

FortiClient EMS 7.0 Study Guide 38

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

You use FortiClient ports to communicate with other Fortinet products.

Note that Chromebook port TCP 3400 for URL rating is only used with EMS.

FortiClient EMS 7.0 Study Guide 39

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 40

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 41

 Introduction to FortiClient and FortiClient EMS

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use FortiClient features and options to
install and use FortiClient to secure endpoints in your network.

FortiClient EMS 7.0 Study Guide 42

 Installation and Licensing

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to install FortiClient and FortiClient EMS. You will also learn about FortiClient
editions and FortiClient EMS operation modes.

FortiClient EMS 7.0 Study Guide 43

 Installation and Licensing

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 44

 Installation and Licensing

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in identifying and understanding FortiClient installation options, tools, and
features, you will be able to select the appropriate options, editions, and tools to install FortiClient in your
network.

FortiClient EMS 7.0 Study Guide 45

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The files mentioned are available in the firmware image file folder on the Fortinet Support Portal.

The FortiClient tools package contains various tools you can use to customize your FortiClient installation.
The FortiClientVirusCleaner tool was developed to identify and cleanse systems of viruses.

SupportUtils folder contains various tools:

" RemoveFCTID.exe: is a tool to remove the unique identifier
" FCRemove.exe: is a cleanup tool for use only if the Add/Remove Programs applet fails to remove
FortiClient
" ReinstallNIC.exe: is a tool for use on Windows 7 if DHCP address allocation is slow
" FortiClient_Diagnostic_Tool.exe: is a tool to gather information, such as the FortiClient
connection to FortiGuard Distribution Server (FDS), general system information, and installed feature
information, all of which can be useful for troubleshooting

VPNAutomation includes FCCOMIntDLL.tlb, which is a type of library needed for building applications that
use the FortiClient IPsec VPN COM interface, and SSLVPNcmdline includes FortiSSLVPNClient.exe,
which is a command line tool for controlling SSL-VPN tunnels.

The Mac OS X FortiClient tools file contains an online installer which downloads and installs the latest
FortiClient file from the public FDS, and RemoveFCTID.exe to remove the unique identifier.

For files in the Linux folder, refer to this slide.

FortiClient EMS 7.0 Study Guide 46

 Installation and Licensing

DO NOT REPRINT
© FORTINET

In 7.0.0 or later, the FortiClient (Windows and MacOS) installers are available on EMS. You can configure and
select installed features and options on EMS. The administrator configures a FortiClient deployment package
in EMS that includes an EXE and MSI file. The administrator specifies which modules to install in the
deployment package. The EMS administrator will provide a download link to the FortiClient installation files.

MSI installers are supported in Microsoft Windows environments only.

FortiClientSetup_7.0.X.zip: A zip package containing FortiClient.msi and language transforms

for 32-bit Windows. Some properties of the MSI package can be customized with a custom installer.

FortiClientSetup_7.0.X_x64.zip: A zip package containing FortiClient.msi and language

transforms for 64-bit Windows. Some properties of the MSI package can be customized with a custom
installer.

The MSI installer in the ZIP file package is customizable for a larger rollout to many computers in an
organization.

FortiClient EMS 7.0 Study Guide 47

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The FortiClient installer always runs a quick AV scan on the target host system before proceeding with the
complete installation. If the system is clean, the installation proceeds as normal. Any virus found during this
step is quarantined before installation continues. In case a virus on an infected system prevents you from
downloading the new FortiClient package, use the following process:
1. Boot into Safe mode with networking. This is required for the FortiClient installer to download the latest
signature packages from the Fortinet Distribution Network.
2. Run the FortiClient installer.
The installer scans the entire file system. If a virus is found, it is quarantined. When the scan is complete,
reboot into normal mode and run the FortiClient installer to complete the installation, (Windows does not allow
FortiClient installation to complete in safe mode).
If you configure computers using a cloned hard disk image, you must remove the unique identifier from the
FortiClient application. You will encounter problems with FortiGate if you deploy multiple FortiClient
applications with the same identifier. You must use the following steps:
1. Install the FortiClient application.
2. Right-click the FortiClient icon in the system tray, and select Shutdown FortiClient.
3. From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The
RemoveFCTID tool requires administrative rights. Do not include the RemoveFCTID tool as part of a login
script.
4. Shut down the computer. Do not reboot the Windows operating system on the computer before you create
the hard disk image. The FortiClient identifier is created before you log in.
5. Create the hard disk image and deploy it, as needed.

You can also install FortiClient using the CLI. The table on this slide summarizes the installation options
available when using the CLI. For example, FortiClientSetup_7.0.0.1131_x64.exe /quiet
/log"Log< installs FortiClient 7.0.0 build 1131 in quiet mode, creating a log file with the name Log.

FortiClient EMS 7.0 Study Guide 48

 Installation and Licensing

DO NOT REPRINT
© FORTINET

You can deploy FortiClient installation using Microsoft AD servers. On your domain controller, create a
distribution point and a shared network folder to distribute the FortiClient MSI installer file that is available
from FortiClient EMS. Set file permissions on the shared folder to allow access to the distribution package.
Now copy the FortiClient MSI installer and MST package into this shared folder.
In your domain, add a new organizational unit (OU) and move all the computers you want to distribute the
FortiClient software to, into the newly-created OU. Create a group policy object (GPO), and then create the
FortiClient installer package. Force a GPO update. The software is installed on the next reboot of the client
computer. You can also wait for the client computer to poll the domain controller for GPO changes and install
the software then.

To uninstall FortiClient, you can either use a GPO or manual process. To do a manual uninstall, disconnect
FortiClient from EMS. The endpoint is no longer managed by FortiClient EMS. Click Unlock to unlock the
configuration and then shut down FortiClient. After FortiClient is shut down, uninstall FortiClient using the
Windows Add/Remove Programs application.

An administrator will control FortiClient upgrades for you. When an administrator deploys a FortiClient
upgrade from FortiClient EMS to endpoints running a Windows operating system, an Upgrade Schedule
dialog opens on the endpoint to let endpoint users schedule the upgrade and mandatory endpoint reboot. If
FortiClient is not installed on the endpoint, a reboot is not required for the installation, and the Upgrade
Schedule dialog does not open. The endpoint user can postpone the reboot for a maximum of 24 hours.
Before the mandatory reboot occurs, a FortiClient dialog opens giving you a 15 minute warning.

FortiClient EMS 7.0 Study Guide 49

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient 7.0.0 offers a free VPN-only version that you can use for VPN-only connectivity to FortiGate. You
can download the VPN-only application from www.fortinet.com. You cannot use the VPN-only client with
the FortiClient Single Sign-On Mobility Agent (SSOMA). To use VPN and SSOMA together, you must
purchase an FortiClient EMS license.

FortiClient EMS 7.0 Study Guide 50

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 51

 Installation and Licensing

DO NOT REPRINT
© FORTINET

Good job! You now know about FortiClient installation files and tools.

Now, you will learn about FortiClient EMS installation.

FortiClient EMS 7.0 Study Guide 52

 Installation and Licensing

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in installing and licensing FortiClient EMS, you will be able to understand
system requirements, and identify license types, services, and ports. You will also know how to use the
FortiClient EMS installation file to install FortiClient EMS using the GUI and the CLI.

FortiClient EMS 7.0 Study Guide 53

 Installation and Licensing

DO NOT REPRINT
© FORTINET

You should read the FortiClient EMS Release Notes to become familiar with the relevant software
components and other important information about the product.

Internet access is required during installation. This becomes optional after installation is complete. FortiClient
EMS accesses the internet to obtain information about FortiGuard engine and signature updates.

Note that you should install only FortiClient EMS and the default services for the operating system on the
server. You should not install additional services on the same server as FortiClient EMS.

FortiClient EMS 7.0 Study Guide 54

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The following are the latest license bundles:

" EPP is a full license that offers all FortiClient features. Includes all features detailed for the ZTNA license,
as well as antivirus (AV), anti-ransomware, anti-exploit, cloud-based malware detection, application
firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.
" ZTNA includes support for fabric agent for endpoint telemetry, security posture check through ZTNA
tagging, remote access (SSL and IPsec VPN), vulnerability scan, web filter, threat protection through
sandbox (appliance only) and USB device control. Each purchased ZTNA license allows management of
one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint.

You must purchase a minimum of 25 endpoint licenses.

A Chromebook license allows management of one Google Chromebook user. You must purchase a minimum
of 25 Google Chromebook user licenses.

Fortinet also offers FortiClient managed services to streamline the configuration, deployment, and monitoring
of FortiClient agents in the cloud. Services include initial FortiClient cloud provisioning, endpoint onboarding,
security fabric setup and integration, and endpoint vulnerability monitoring. This also include BPS (Best
Practice Service) which is an account-based annual subscription providing access to a specialized team that
delivers remote guidance on deployment, upgrades, and operations.

FortiClient EMS uses one license seat per logged-in user. If the user logs out, the license seat times out
(default timeout value is 30 days), and the license is released. At this point, another user can use this license
seat.

FortiClient EMS 7.0 Study Guide 55

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The table on this slide shows the ports and services that are required by FortiClient EMS to communicate with
endpoints and servers running associated applications. You do not need to enable port 8013 and port 10443
on the server because the FortiClient EMS installation opens these.

FortiClient EMS 7.0 Study Guide 56

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The table on this slide shows the ports and services that are required by FortiClient EMS to communicate with
Chromebook endpoints or Chromebook endpoints to communicate with FortiClient EMS.

FortiClient EMS 7.0 Study Guide 57

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The table on this slide shows the ports and services that are required by FortiClient EMS to communicate with
FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient EMS can connect
to legacy FortiGuard or FortiGuard Anycast.

FortiClient EMS 7.0 Study Guide 58

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient EMS is available for download from the Fortinet Support website. You can also receive the
installation file from a sales representative. The installation file available for FortiClient EMS is shown in this
slide.

Note that local administrator rights and internet access are required to install FortiClient EMS.

FortiClient EMS 7.0 Study Guide 59

 Installation and Licensing

DO NOT REPRINT
© FORTINET

You can install FortiClient EMS using the CLI.

The AllowedWebHostnames command allows you to configure the host name. The default value is
localhost, 127.0.0.1. To clear this value, first enter AllowedWebHostnames=*, then enter the desired
AllowedWebHostnames value. Otherwise, the value entered will be appended to localhost,
127.0.0.1.

In ApacheServerAdminEmail option, you can configure the Apache server administrator's email
address. By default, this is [email protected]. The BackupDir option allows you to enter the
desired backup directory path for the SQL server. Similarly, ClientDownloadPort allows you to enter the
customized HTTP port number and RemoteManagementPort allows you to enter the HTTPS port number.
The default values are 80 (HTTP) and 443.

The image on this slide, shows FortiClient EMS installation using the CLI with a custom port (port 22443) for
remote access.

For details on other CLI commands, refer to the FortiClient EMS Administration Guide.

FortiClient EMS 7.0 Study Guide 60

 Installation and Licensing

DO NOT REPRINT
© FORTINET

Installation using the CLI allows you to enable specific options during installation, such as customizing the
SQL Server Express installation directory, using custom port numbers, and so on.

Take a look at the example of a customized configuration during CLI installation, shown on the slide. Here, we
use different ports for FortiClient download (11443) and management (22443) because default ports (10443
and 443) are used by pre-existing services running on Windows server.

FortiClient EMS 7.0 Study Guide 61

 Installation and Licensing

DO NOT REPRINT
© FORTINET

You can uninstall FortiClient EMS in the following cases:

" If migrating one EMS on-premises environment to another new server
" If conflicting with another application or services running on server
" If performing a fresh installation to resolve issues cause by upgrade or compatibility

FortiClient EMS can be uninstalled using the Windows Add or Remove Program. FortiClient EMS installs
the dependencies. If other applications on the same computer are not using them, you can uninstall them
manually, after removing FortiClient EMS. The list of dependencies are shown on this slide.

FortiClient EMS 7.0 Study Guide 62

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 63

 Installation and Licensing

DO NOT REPRINT
© FORTINET

Good job! You now understand the system requirements to install FortiClient EMS. You also learned about
license types, services, the FortiClient EMS installation file, as well as how to install FortiClient EMS using the
GUI and CLI.

Now, you will learn about the FortiClient EMS operation modes.

FortiClient EMS 7.0 Study Guide 64

 Installation and Licensing

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence understanding FortiClient EMS operation modes and FortiClient Cloud, you will
be able to use it effectively in your network.

FortiClient EMS 7.0 Study Guide 65

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient EMS in standalone mode provides FortiClient endpoint provisioning. FortiClient endpoints connect
FortiClient Telemetry to FortiClient EMS to receive configuration information in an endpoint profile, as part of
an endpoint policy from FortiClient EMS. FortiClient EMS also sends compliance verification rules to
FortiClient, and uses the results from FortiClient to dynamically group endpoints in EMS. Only EMS can
control the connection between FortiClient and EMS. Any changes to the connection must be made from
EMS, not from FortiClient. When FortiClient is connected to EMS, FortiClient settings are locked, so the
endpoint user cannot change any configuration.

FortiClient EMS 7.0 Study Guide 66

 Installation and Licensing

DO NOT REPRINT
© FORTINET

You can integrate FortiGate with FortiClient EMS. In this scenario, FortiClient Zero Trust Telemetry connects
to FortiClient EMS to receive a profile of configuration information as part of an endpoint policy and FortiClient
EMS is connected to the FortiGate to participate in the Security Fabric. FortiClient EMS sends FortiClient
endpoint information to the FortiGate.

FortiClient can also receive a device certificate from FortiClient EMS. FortiClient can use the device certificate
to securely encrypt and tunnel TCP and HTTPS traffic through HTTPS to the FortiGate. This feature requires
FortiClient 7.0.0 or a later, and FortiOS 7.0.0 or later.

FortiGate also receives dynamic endpoint group lists from FortiClient EMS and uses them to build dynamic
firewall policies. FortiClient EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the
policies based on those groups. This feature requires FortiOS version 6.2.0 or a later.

Note that FortiGate does not provide configuration information for FortiClient and the endpoint. An
administrator must configure FortiClient using an FortiClient EMS endpoint policy.

FortiClient EMS 7.0 Study Guide 67

 Installation and Licensing

DO NOT REPRINT
© FORTINET

A cloud-based SaaS endpoint management service called FortiClient Cloud is available. This is a Fortinet-
hosted EMS solution. You can execute EMS functions from the cloud-based FortiClient EMS. You must
complete the following steps to create a cloud-based EMS instance under your FortiCloud user account:

1. Register a FortiClient Cloud subscription to your FortiCloud account.

2. Register a FortiClient license contract for management by FortiClient Cloud to your FortiCloud account.

FortiClient Cloud is a component of FortiSASE SIA, a cloud-based SaaS service that offers protection for
remote, off-net endpoints. FortiSASE SIA works only with a new FortiClient Cloud instance. You cannot apply
a FortiSASE SIA license to an existing FortiClient Cloud instance.

The following items are required to initiate a FortiClient Cloud instance:

" A FortiCloud account with FortiClient Cloud subscription
" Access to create a FortiClient Cloud instance
" A browser to access FortiClient Cloud GUI

Note that you can create only one FortiClient Cloud instance per FortiCloud account. You can manage the
following endpoints:
" Windows
" macOS
" Linux
" iOS
" Android

FortiClient EMS 7.0 Study Guide 68

 Installation and Licensing

DO NOT REPRINT
© FORTINET

When installing FortiClient on the Windows endpoint from a deployment package created in FortiClient Cloud,
the administrator carries out some actions, while the endpoint user carries out others, as shown on this slide.
Since you can not create deployment packages for FortiClient Linux, iOS, or Android endpoints, you must use
the invitation code provided by the administrator, to join FortiClient Cloud. You can type the code in the Join
FortiClient Cloud field on the Zero Trust Telemetry tab in FortiClient.

FortiGate can connect to FortiClient Cloud as a Security Fabric device. You must authorize a connection
request from FortiGate, to allow a fabric connection between FortiClient Cloud and the FortiGate.

Although FortiClient Cloud functions are the same as those for an on-premises FortiClient EMS, there are
some limitations:
" FortiClient Cloud can support only up to 20000 endpoints. If there are more than 20000 endpoints, you
must use an on-premises FortiClient EMS.
" Active directory (AD) integration is supported but FortiClient cloud does not currently support initial
FortiClient deployment to AD devices.

FortiClient EMS 7.0 Study Guide 69

 Installation and Licensing

DO NOT REPRINT
© FORTINET

The table on this slide shows a comparison of FortiClient Cloud and on-premises FortiClient EMS.

FortiClient EMS 7.0 Study Guide 70

 Installation and Licensing

DO NOT REPRINT
© FORTINET

This slide shows a continuation of the comparison table.

FortiClient EMS 7.0 Study Guide 71

 Installation and Licensing

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 72

 Installation and Licensing

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 73

 Installation and Licensing

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to install FortiClient and FortiClient EMS.
You also learned about FortiClient editions, FortiClient EMS Cloud, and operation modes.

FortiClient EMS 7.0 Study Guide 74

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to configure and administer FortiClient EMS. You will also learn how to
manage a large number of endpoints.

FortiClient EMS 7.0 Study Guide 75

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 76

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the management functions of FortiClient EMS, you will be
able to perform FortiClient EMS administration and database management, and identify its components.

FortiClient EMS 7.0 Study Guide 77

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can access FortiClient EMS by launching the FortiClient EMS application or by using a supported web
browser. On the FortiClient EMS server, type access localhost via https in the web browser, and, if
accessing remotely, use the server hostname or FQDN to access the page over the web.

You can get the server name by running the command ipconfig /all on the server. The host name will
appear in the Windows IP configuration. If you are unable to access the server remotely, make sure you are
able to ping servername, which you can do by adding it to the DNS entry or Windows host file. You may
have to modify the firewall rules to allow the connection.

FortiClient EMS 7.0 Study Guide 78

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You use the dashboard to view summary information about the system and endpoints. You can also view
summary information about vulnerability scans on endpoints.

In the FortiClient EMS dashboard, you see the system and license information widget:
" System information widget: displays hostname, version, database, system time, and uptime information of
the FortiClient EMS
" License information widget: displays FortiClient EMS serial number, FortiCloud account, zero trust security
license, next-generation endpoint security license, and Chromebook license information

Status page charts and widgets display number of pie charts. Each pie chart provides a summary of endpoint
information. You can click any section of the pie charts or any row in the table to display more details. The
details include endpoint activity (on-fabric or off-fabric status), endpoint alerts, endpoint connection status,
managed Windows, Mac FortiClient version, and OS version. It also shows antivirus, sandbox, vulnerability,
and web detection.

The Vulnerability Scan dashboard displays a number of charts and widgets containing a summary of
vulnerability scan information collected from endpoints.

When Chromebook management is enabled on the EMS settings page, you can also view the Chromebook
status. Chromebook status displays a number of charts. Each chart provides a summary of Chromebook
information.

FortiClient EMS 7.0 Study Guide 79

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can use an invitation code in the following scenarios:

" To register a FortiClient Linux, iOS, or Android endpoint to FortiClient EMS. Since you cannot create a
deployment package for these operating systems in FortiClient EMS, this is the only way to register these
endpoints to FortiClient EMS.
" To register a FortiClient device that does not automatically register to FortiClient EMS after installation.

End users enter invitation codes to connect FortiClient to FortiClient EMS. If you have configured SMTP
settings, you can enable the option to send invitation codes as email notifications. You can send the email
notification individually or in bulk. Sending individual invitation codes is a best practice, because it limits any
unexpected endpoints from connecting to FortiClient EMS.

Create a new installer to include an installer with the invitation. End users use this installer to install FortiClient
on their endpoint and use the invitation code to connect to FortiClient EMS if their FortiClient did not connect
automatically after installation.

FortiClient EMS 7.0 Study Guide 80

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The default user named admin has complete access to all FortiClient EMS permissions, including
modification, user permissions, approval, discovery, and deployment. The admin user has access to all
configured Windows and LDAP servers and users, and has the authority to configure user privileges and
permissions. If you are not authorized to perform certain tasks or access certain devices, the related menu
items, items in content pages, and buttons are hidden or disabled. In addition, a message informs you that
you do not have permission to view the selected information or perform the selected operation.

By default, the admin user account has no password. You must add a password to increase security.

FortiClient EMS 7.0 Study Guide 81

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can configure local, Windows, and LDAP admin user accounts. The local admin account store in
FortiClient EMS local database. The Windows users list is derived from the host server on which FortiClient
EMS is installed. The LDAP users list is derived from those in the AD domain imported into EMS.

You can use admin roles to define the permissions for each administrator account in FortiClient EMS. You can
use one of the four default admin roles in FortiClient EMS or create a new admin role to assign to an
administrator account.

The four default roles are:

" Super administrator
" Standard administrator
" Endpoint administrator
" Restricted administrator

Each admin role can include permissions from three categories: endpoint permissions, policy permissions,
and settings permissions. For admin roles that are not authorized for certain tasks or devices, EMS hides or
disables the related menu items, items in content pages, and buttons.

FortiClient EMS 7.0 Study Guide 82

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can also configure user settings on EMS. The Inactivity timeout setting specifies how long to keep
inactive users logged into FortiClient EMS. When the time expires, EMS automatically logs the user out. To
keep inactive users logged into FortiClient EMS indefinitely, type a value of 0.

The Allowed inactive days setting specifies the number of days of inactivity after which to disable a user
account. For example, if this field is set to 10 and a user does not log into FortiClient EMS for ten days, EMS
disables their account so that they cannot log into FortiClient EMS. A user with super administrator
permissions can reactivate their account.

Maximum password age setting specifies the number of days after which the user is forced to change their
password. You can disable the setting by setting the value to 0. This setting only applies to built-in users such
as the admin user and EMS users.

FortiClient EMS 7.0 Study Guide 83

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can also enable SAML SSO to allow users to log in to FortiClient EMS using a FortiGate as an identity
provider (IdP). You can only use the SAML SSO feature in FortiClient EMS with FortiGate as the IdP.
FortiClient EMS does not support using FortiAuthenticator as an IdP, or using custom IdPs.

FortiClient EMS 7.0 Study Guide 84

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

In the FortiClient EMS Administration window, you can view all FortiGate devices that the FortiClient EMS
has authorized in the Fabric Devices window. After FortiGate is added, you can change the status to deny or
authorize. These fabric devices only appear when FortiClient EMS is part of the Security Fabric.

The Log Viewer option allows you to view and download FortiClient EMS logs. The log viewer page includes
logs from all the FortiClient EMS processes such as the GUI console, service update, AD service, EMS
service, and so on. You can also apply filters to see specific FortiClient EMS logs. The raw logs are
downloaded as zip file to your computer.

FortiClient EMS 7.0 Study Guide 85

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient database management allows you to back up and restore the database, as shown on this slide.
The options are available on the FortiClient EMS Dashboard > Status window. A password is required to
perform a backup. The same password will be used to restore the database using the same backup. When
the database is restored, a message appears. The message instructs you to wait for the restored database to
reload. You must wait until the database is completely restored.

Note that restore will work only if the database was backed up using the same version number.

FortiClient EMS 7.0 Study Guide 86

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 87

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Good job! You now know how to access the FortiClient EMS GUI. You also learned about FortiClient EMS
components, FortiClient administration, and database management.

Now, you will learn about system settings for FortiClient EMS.

FortiClient EMS 7.0 Study Guide 88

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiClient EMS system settings, you will be able to configure the server,
logs, FortiGuard, endpoints, login banner, EMS alerts, endpoint alerts, SMTP server, and custom messages
settings.

FortiClient EMS 7.0 Study Guide 89

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The FortiClient EMS Shared Settings option is shared between Windows, MacOS, Linux, and Chromebook
endpoints. You can configure the FortiClient EMS hostname, IP address, and FQDN. When you enable the
Use FQDN option, FortiClient can connect using either the specified IP address in the Listen on IP
Addresses field, or the specified FQDN.

The Remote HTTPS access option specifies settings for remote administration access to FortiClient EMS.
You can enable or disable remote HTTPS access to FortiClient EMS. When you select Remote HTTPS
access, the HTTPS port, predefined hostname, management IP and port for proxy, and custom hostname
options are available. The pre-defined hostnames includes server binding names or IP addresses. FortiClient
EMS responds to all the names that are defined in this field.

The SSL certificate option displays the SSL certificate currently imported. If you have already uploaded an
SSL certificate, the page displays the Replace button.

The EMS CA certificate (ZTNA) requires the ZTNA or EPP license and only applies for endpoints running
FortiClient 7.0.0 and later versions.

FortiClient EMS 7.0 Study Guide 90

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

On the EMS Settings window, you can configure the Listen on port setting by typing a new port number in
the field. FortiClient will connect using the specified port. By default, it displays port 8013 for the FortiClient
EMS server.
You can also enable or disable TLS 1.0 or 1.1 for file downloads. Windows 7 uses old TLS versions.

In the FortiClient download URL field you can see the URL on which FortiClient installers created on
FortiClient EMS will be made available for download.

You can use the Enforce invitation-only registration for option to deregister a FortiClient endpoint that
does not satisfy the requirement. You can select all, none, or FortiClient version 7.0.0 or later for endpoints
using invitation-only registration.

The Sign software packages option allows you to digitally sign Windows FortiClient software installers with a
code signing certificate created by or uploaded to FortiClient EMS.

The Configure EMS server list allows you to select a specific FortiClient EMS IP address or FQDN that
FortiClient uses to register.

The Connect to local subnets only option allows connections to FortiClient EMS local subnets.

When you select the Enable login banner check box, a message appears on the login screen before a user
logs in to FortiClient EMS. The Preview section displays a preview of the message when you type a message
in a Message box.

FortiClient EMS 7.0 Study Guide 91

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The EMS for Chromebooks Settings window also includes the Listen on port setting, which, like EMS
settings, displays the default port for the FortiClient EMS server for Chromebooks. You can change the port
by typing a new port number. The default port is 8443.

You can also configure the User inactivity timeout setting, which is the number of hours of inactivity after
which the user is timed out. Profile update interval specifies the profile update interval, in seconds.

SSL certificate displays the SSL certificate currently imported. If you have already uploaded an SSL
certificate, the page displays the Replace button. Service account displays the service account ID currently
in use. You must enter an account ID and private key to update the account. Note that you must add an SSL
certificate to FortiClient EMS to allow Chromebooks to connect to FortiClient EMS.

FortiClient EMS 7.0 Study Guide 92

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

When the FortiClient endpoint is registered to FortiClient EMS, it consumes a license seat. You can configure
a license timeout value in days. If an endpoint disconnects from EMS, the license seat is retained in
anticipation that the endpoint will reconnect.

If the endpoint does not reconnect within the given timeout, its connection record is removed from FortiClient
EMS. If the endpoint is removed, switched off, or goes offline, and does not re-establish a telemetry
connection to FortiClient EMS within the Delete timeout value, the endpoint is deleted from FortiClient EMS,
even if FortiClient on the endpoint shows that it is still connected. The default license timeout value is 45
days. The maximum allowed value is 90 days. The License Timeout value releases the license after the given
timeout.

The Automatically upload avatars option allows FortiClient to upload user avatars to all of the devices, and
the Enable endpoint snapshot reports setting enables the endpoint snapshot report. You can set the
interval for the snapshots, it must be between 300 and 86400 seconds.

FortiClient EMS 7.0 Study Guide 93

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

In the Log Settings section, you can specify what level of log messages to capture in the logs for FortiClient
EMS. For example, if you select Info in the Log level drop-down list, all log messages from Info to
Emergency are added to the FortiClient EMS logs. Generally, the level you want to use is Info because it
includes most of the logs the system generates (except Debug) including administrator login or logout activity.
Emergency logs only generate when the system is unstable and do not include other system logs. Depending
on the type of log and the needs of your organization, you may want to log only specific levels of system logs.

You can also specify when to automatically delete logs, alerts, and events. By default, it is 30 days for all logs,
alerts, and other OS events, and seven days for Chromebook events.

You can click Clear now to immediately delete all FortiClient EMS logs, alert, or events.

FortiClient EMS 7.0 Study Guide 94

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The FortiGuard settings include Server Location, which allows you to configure the FortiGuard server
location to Global, US, or Europe. Europe is only available if you have selected the Enable SSL checkbox.

You can also enable the Use FortiManager for client software/signature updates option, which allows you
to use FortiManager for client software and signature updates. If you select Failover, this enables failover to
FDN, when FortiManager for FortiClient is not available. The settings in the Endpoints window allows you to
add the FortiClient telemetry connection key for FortiClient EMS. FortiClient must provide this key during
connection. You can also configure keep alive intervals. FortiClient sends short and full keep alive messages
to FortiClient EMS at the specified intervals. The Cloud Services section provides options that allow you to
connect FortiCloud, and you can select region and time offset.

FortiClient EMS 7.0 Study Guide 95

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can view the alerts FortiClient EMS generates. Examples of events that generate an alert are shown on
this slide. A red label is associated with the Alert icon when new notifications are available or received. It is
cleared when you view the alert. You select the Alert icon (a bell) in the toolbar to view alerts. You can use
the Filter icon in each column heading to apply filters, and the Clear Filters icon to remove the filters.

You can also set up an SMTP server to enable alerts for FortiClient EMS or endpoint events. When an alert is
triggered, EMS sends an email notification.

The EMS Alerts window allows you to send an email notification for version and FortiClient alerts. This slide
shows all of the alerts that are available on the EMS Alerts window.

On the Endpoint Alerts window, you enable the option to send an email alert for the endpoints. This slide
shows all the endpoint events that you can select to generate email alerts. You can also select a time interval
to send alert emails. By default, it is set to 30 minutes.

FortiClient EMS 7.0 Study Guide 96

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can view the alerts FortiClient EMS generates. Examples of events that generate an alert are shown on
this slide. A red label is associated with the Alert icon when new notifications are available or received. It is
cleared when you view the alert. You click the Alert icon (a bell) in the toolbar to view alerts. You can use the
Filter icon in each column heading to apply filters, and the Clear Filters icon to remove the filters.

FortiClient EMS 7.0 Study Guide 97

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

On the SMTP Server window, you can set up an SMTP server to enable alerts for EMS and endpoint events.
All the options available for SMTP server configuration are shown on this slide. You can choose to encrypt
SMTP traffic using STARTTLS or SMTPS. Selecting one of the encryption options will enable the username
and password fields on the GUI.

FortiClient EMS 7.0 Study Guide 98

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can customize messages that display on endpoints in certain situations, such as when FortiClient EMS
has quarantined the endpoint. For example, you can customize the message to include your organization's
help desk phone number so that users can contact the network administrator about their machine.

You can also customize the messages that display on an endpoint in in-browser web filter result pages. In
Custom Messages, select WebFilter Custom Messages. The left panel displays the customization fields,
while the right panel previews the custom messages as they will appear in a web browser when using the
latest version of FortiClient. The types of web filter messages are: blocklisted page, blocked page, blocked
FortiGuard inaccessible page, warning page, and warning FortiGuard inaccessible page.

In the left pane, enable or disable the fields and enter the desired messages. You can also upload images for
logo and icon fields. The right pane displays previews of the messages.

FortiClient EMS 7.0 Study Guide 99

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

On the Feature Select pane, you can choose which features to show and hide. Only features that are enabled
on the Feature Select window are available for configuration in other areas of FortiClient EMS.

For example, if you disable Web Filter on the Feature Select window, the Web Filter tab will not appear on
endpoint profiles, and the option to enable web filter logs on the system settings will also not be available.

Also, when you enable web filter in a deployment package, and the deployment package installs web filter on
the endpoint, the Web Filter option does not appear in the FortiClient GUI because it is disabled.

The Web Filter Detection widget on the status dashboard and option to import a profile from
FortiGate/FortiManager are also not available.

Only a FortiClient EMS super administrator can enable and disable features on the Feature Select window.
Other FortiClient EMS users can view which features are enabled and disabled on the Feature Select page,
but cannot modify the configuration.
If you previously enabled a feature on an endpoint, but you later disable the feature on the Feature Select
window, FortiClient EMS then disables the feature on the endpoint.

FortiClient EMS 7.0 Study Guide 100

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

In the FortiClient EMS multi-tenancy setup, you can create multiple sites to provide granular access to
different sites for different administrators and separate endpoint data and configuration into different sites. The
sites are completely separate from each other and cannot share data between them. For example, if an
administrator only has access to Site A, they cannot view data from any other site.

FortiClient EMS supports up to 500 multi-tenancy sites. When multi-tenancy is enabled, Fabric connectors
must use an FQDN to connect to EMS, where the FQDN hostname matches a site name in EMS (including
"Default site").

You would use multi-tenancy in an MSSP environment to conserve resources and use the same license (the
total number of FortiClient licenses are shared between sites). This will also work well in enterprise
environments that use segmentation and different ADs for different departments.

You must enable Manage Multiple Customer Sites in FortiClient EMS system settings. FortiClient EMS
forces the GUI to restart for the changes to take effect. After restarting, the EMS GUI displays the global
dashboard. When you initially enable multi-tenancy, there are two sites: global, where you can set and view
global settings; and default, which contains the endpoints that belong to your original FortiClient EMS
instance. The settings associated with your original FortiClient instance are retained. To switch between sites,
select the site name in the upper-right corner, then select the desired site from the drop-down list.

After you enable multi-tenancy, all previously created administrators, except the default admin user, become
administrators for the default site.

FortiClient EMS 7.0 Study Guide 101

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

To add a new site, select Configure Sites from the site selection list, as shown on this slide. You can also
open the Configure Sites page in Administration to create new site. This page displays all sites and their
license usage. You must configure name. You must also release the number of licenses from the Default site
before assigning number of licenses to a new site.

When multi-tenancy is enabled, you can configure some settings only from the global level, and other settings
only from the site level. You cannot view site-level settings from the global site. For descriptions of the
settings, see the FortiClient EMS Administration Guide document.

From the global site, you can configure the administrator. When adding a new administrator from the global
site, you can create a local administrator or configure a Windows or LDAP user. When adding a new
administrator from the site level, you can configure only an LDAP user. Administrator names from the same
source (FortiClient EMS, LDAP, or Windows) must be unique across all sites. Administrators can have the
same name if they are from different sources. In multi-tenancy, you get an additional administrator role
besides super and settings administrator4it is site administrator.

The site administrator has access to specified sites only, with no access to the global site. A site administrator
can have access to multiple sites. By default, a site administrator is a super administrator for all sites that they
have access to. A site administrator can configure the site license and system settings, including server
settings. You can modify the site administrator's available configuration options for a site by assigning them a
different admin role for that site after you log in to the site. The mentioned administrator roles are specific to
global administrator management when multi-tenancy is enabled.

FortiClient EMS 7.0 Study Guide 102

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 103

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Good job! You now understand the system settings for FortiClient EMS.

Now, you will learn how to set up FortiClient EMS for Chromebook only.

FortiClient EMS 7.0 Study Guide 104

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in setting up FortiClient EMS to manage Chromebooks, you will be able to
configure the Google Admin console setup and service account credentials.

FortiClient EMS 7.0 Study Guide 105

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Log in to the Google Admin console using your Google domain admin or G Suite account. Note that a Google
account set up through an organization like work, school, a club, or maybe family or friends, is called a G
Suite account.

After the FortiClient Web Filter extension is added, on the Chrome Web Store window, search for the
extension ID shown on this slide. The extension name appears as FortiClient Chromebook Web Filter
Extension.

Note that FortiClient EMS software is not available for public use. You can enable the feature only by using
the extension ID that is shown in this slide.

FortiClient EMS 7.0 Study Guide 106

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You must configure the FortiClient Chromebook Web Filter extension to enable the Google Admin console to
communicate with FortiClient EMS. FortiClient EMS hosts the services that assign endpoint profiles of web
filtering policies to groups in the Google domain. FortiClient EMS also handles the logs and web access
statistics sent from the FortiClient web filter extensions.

You must add FortiClient EMS details as profile server in the Google Admin console as shown on this slide.

For details about configuration setup, see the FortiClientEMS Administration Guide.

FortiClient EMS 7.0 Study Guide 107

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The FortiClient Chromebook Web Filter extension communicates with FortiClient EMS using HTTPS
connections. You must obtain an SSL certificate and add it to FortiClient EMS to allow the Chromebook
extension to trust FortiClient EMS.

If you use a public SSL certificate, you need to add only the public SSL certificate to FortiClient EMS. If you
prefer to use a certificate that is not from a common certificate authority (CA), you must add the SSL
certificate to FortiClient EMS, and push your certificate's root CA to the Google Chromebooks. Otherwise, the
HTTPS connection between the FortiClient Chromebook Web Filter extension and FortiClient EMS will not
work.

For more details about certificates, see the FortiClientEMS Administration Guide.

FortiClient EMS 7.0 Study Guide 108

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You must disable developer tools and disallow incognito mode, and guest mode. Disabling access to Chrome
developer tools blocks users from disabling the FortiClient web filter extension. When users browse in
incognito mode, extensions are bypassed. Guest mode doesn9t provide profile information and deletes
browsing activity after the user closes the browser window.

You must also block Task Manager for managed Google domains to prevent the user from stopping the
FortiClient web extension. The Google Chrome browser has a built-in task manager that allows you to see
how much memory and CPU web pages, extensions, and Google processes are using while Chrome is
running. When the Task Manager opens, it displays a list of all open tabs, extensions, and processes
currently being used by Chrome, and the user can end any process.

After you add the Google domain to FortiClient EMS, the Google Admin console automatically pushes the
FortiClient Web Filter extension to the Chromebooks when users log in to the Google domain.

You can verify that the feature has become available on the Chromebooks by opening the Google Chrome
browser. Type chrome://extensions to check FortiClient extension and visit any gambling
site, such as http://www.777.com, and confirm the site is blocked.

FortiClient EMS 7.0 Study Guide 109

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS requires service account credentials generated by the Google Developer console. You can
use the default service account credentials provided with FortiClient EMS. To configure the default service
account credentials, you must add the client ID default value to the Google Admin console. No other
configuration for service account credentials is required. These settings allow Google to trust FortiClient EMS,
which enables FortiClient EMS to retrieve information from the Google domain.

Note that the service account credentials are a set. If you change one credential, you must change the other
two credentials.

When using unique service account credentials for improved security, you must complete the following steps
to add the unique service account credentials to the Google Admin console and FortiClient EMS:
1. Create unique service account credentials using the Google Developer console.
2. Add the unique service account credentials to the Google Admin console.
3. Add the unique service account credentials to FortiClient EMS.

FortiClient EMS 7.0 Study Guide 110

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 111

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Good job! You now understand how to configure FortiClient EMS to manage Chromebooks.

Now, you will learn about endpoint management.

FortiClient EMS 7.0 Study Guide 112

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using FortiClient for endpoint management, you will be able to configure
Windows, macOS, and Linux endpoints, as well as Google domains.

FortiClient EMS 7.0 Study Guide 113

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS needs to identify which devices to manage. For Windows and macOS, device information can
come from an AD server, Windows workgroup, or manual FortiClient connection. The Linux endpoint doesn9t
communicate with the AD server.

On FortiClient EMS, you can create the domain or workgroup, and then rename and delete groups.

You can import endpoints manually from an AD server. You can import and synchronize information about
computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying endpoints that are
part of an AD domain server.

Note that after importing endpoints from an AD server, you can edit the endpoints. These changes are not
synced back to the AD server.

Endpoint users can also manually connect FortiClient Telemetry to FortiClient EMS by specifying the IP
address for FortiClient EMS on FortiClient. This process is sometimes called registering FortiClient to
FortiClient EMS.

FortiClient EMS 7.0 Study Guide 114

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After you add endpoints to FortiClient EMS, you can view the list of endpoints in a domain or workgroup on
the Endpoints pane. You can also view details about each endpoint on the Client Details pane, and use
filters to access endpoints with specific qualities.

You can save filter settings as bookmarks, then select the bookmarks to use them.

FortiClient EMS 7.0 Study Guide 115

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

On the Endpoints pane, you can perform the actions that are shown in this slide. FortiClient EMS can run
antivirus and vulnerability scans. All the scanning starts on the endpoints with the next FortiClient Telemetry
communication. You can also view the history of vulnerability scans for each endpoint on the Client Details
pane.

FortiClient EMS can automatically patch software if a vulnerability requires the endpoint user to download and
install a software to patch a vulnerability. The FortiClient console displays the information.

FortiClient can upload a log file from one or several endpoints requested by FortiClient EMS. The log file is
uploaded to the hard drive on the computer running FortiClient EMS, and file is not visible in the FortiClient
EMS GUI.

You can use FortiClient EMS to run the FortiClient diagnostic tool on one or multiple endpoints, and export the
results to the hard drive on the computer on which you are running FortiClient EMS. The exported information
is not visible in the FortiClient EMS GUI.

FortiClient EMS can also quarantine, disconnect and connect, exclude from management, and delete
endpoints.

FortiClient EMS 7.0 Study Guide 116

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can either use FortiClient EMS invitation codes or a QR code to provision Android devices. You can send
invitation codes or create a QR code to distribute to FortiClient (Android) users. FortiClient (Android) users
can type the code or scan the QR code from their devices to automatically enable FortiTelemetry and attempt
a connection to the specified FortiClient EMS server. Invitation or QR codes can contain the FortiClient EMS
server hostname or IP address, port number, and a connection key. Only the FortiClient EMS hostname/IP
address is required; all other fields are optional.

FortiClient EMS needs to identify which devices to manage. Device information comes from the Google
Admin console. The Google Domains option is available if EMS for Chromebooks Settings is selected in
the EMS server settings.

You can add domains on the Manage Domains page on the FortiClientEMS. After you add domains to
FortiClient EMS, you can view, edit, and delete them.

Note that this section is applicable only if you are using FortiClient EMS to manage Google Chromebooks.

FortiClient EMS 7.0 Study Guide 117

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can use group assignment rules to automatically place endpoints into custom groups based on their
installer ID, IP address, or OS.
Creating a FortiClient deployment package includes an option to specify an installer ID. For example, say you
want all endpoints located in your company's headquarters to be moved on the same endpoint group. You can
configure a FortiClient deployment package with an "HQ" installer ID, then deploy this deployment package to
the desired endpoints.

The IP Address option allows you to create a group assignment rule that automatically moves all endpoints
within a specified subnet or IP address range into the same custom group.

The OS option automatically moves all endpoints that have a specific OS installed into the custom group.

When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places the endpoints in the
desired group.

If a newly connected endpoint does not match any group assignment rule and belongs to an imported AD
domain, the endpoint is moved into the OU to which it belongs in the AD domain tree. If no AD domain has
been imported, or the endpoint also does not belong to the imported AD domain, it is placed in the Other
Endpoints group.

FortiClient EMS automatically places endpoints that do not apply to any group assignment rule into the Other
Endpoints group.

FortiClient EMS 7.0 Study Guide 118

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 119

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Good job! You now understand endpoint management for Windows, macOS, Linux, and Chromebook user
endpoints on FortiClient EMS.

Now, you will learn about quarantine management.

FortiClient EMS 7.0 Study Guide 120

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using FortiClient EMS to manage quarantined files, you will be able to view
and allowlist quarantined files.

FortiClient EMS 7.0 Study Guide 121

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

On the Files pane, the FortiClient EMS administrator can view quarantined file information for all managed
endpoints, and whitelist files from FortiClient EMS, if needed.

FortiClient sends quarantined file information to FortiClient EMS. After FortiClient quarantines files on
endpoints and sends the quarantined file information to FortiClient EMS, you can view the list of quarantined
files in Quarantine Management on the Files pane. You can also view details about each quarantined file
and use filters to access quarantined files that have specific qualities.

You can allowlist and restore quarantined files from EMS. This releases the files from quarantine and makes
them accessible on the endpoint with the next telemetry communication between FortiClient EMS and
FortiClient. The file status changes to Quarantined & Allowlisted.

Note that the FortiClient console doesn9t allow you to restore and delete quarantined files. These options are
grayed out on the FortiClient GUI.

FortiClient EMS 7.0 Study Guide 122

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Many of you have heard of the Security Fabric. The Security Fabric uses FortiTelemetry to link different
security sensors and tools together to collect, coordinate, and respond to malicious behaviour anywhere it
occurs on your network, in real-time.

The Fabric Agent connects endpoints with the Security Fabric, and delivers endpoint visibility and control by
sharing endpoint telemetry and compliance status with the Security Fabric. It also has vulnerability
management capabilities to extend the scanning process to either the managed FortiGate or FortiClient EMS.

In the Security Fabric topology, you can see the compromised and quarantined endpoints. You can obtain the
visibility and details about these endpoints from devices such as FortiAnalyzer, where indicator of
compromise (IoC) verdicts are based on a threshold value that is reached or exceeded, at which point an
endpoint becomes a risk, must be quarantined, and is confirmed to be compromised.

In addition to quarantining malicious files, submitting objects to FortiSandbox for analysis, and applying
patches, by integrating with the Security Fabric, FortiClient can also automate the process of quarantining
suspicious or compromised endpoints.

The benefits of quarantine automation include containing threats and incidents, and controlling outbreaks.

FortiClient EMS 7.0 Study Guide 123

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric
includes network devices listed here, you can configure the system to automatically quarantine an endpoint on
which an IoC is detected. This requires the following network devices:
" FortiGate
" FortiAnalyzer
" FortiClient EMS
" FortiClient

You must connect FortiClient to both the EMS and FortiGate. FortiGate and FortiClient must both be sending
logs to FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login
credentials.

FortiClient EMS 7.0 Study Guide 124

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

This configuration functions as follows:

1. FortiClient sends logs to FortiAnalyzer.
2. FortiAnalyzer discovers IoCs in the logs and notifies FortiGate.
3. FortiGate identifies if FortiClient is a connected endpoint, and if it has the login credentials for the
FortiClient EMS that FortiClient is connected to. With this information, FortiGate sends a notification to
FortiClient EMS to quarantine the endpoint.
4. FortiClient EMS searches for the endpoint and sends a quarantine message to it.
5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The
endpoint notifies FortiGate and EMS of the status change.

Executing automation:
The following command triggers the quarantine action on the endpoint at endpoint_ip_address:
" diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4
endpoint_ip_address

Note that this feature is not supported on FortiClient (Linux).

FortiClient EMS 7.0 Study Guide 125

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You must meet the following prerequisites for FortiClient, EMS, and FortiGate:

1. FortiClient must be installed on the endpoint and connected to the EMS.

2. On FortiClient EMS, an endpoint profile and gateway list using the FortiGate IP address, must be
assigned to the endpoint. It also needs an endpoint policy that is configured with the desired profile and
telemetry gateway list for the desired endpoint group, and the Remote HTTPS access option must be
enabled.
3. FortiGate must use the following configuration to quarantine an endpoint.
" Automation trigger
" Automation action
" Automation stitch
" EMS firewall address object (if using a FortiOS version earlier than 6.2.0)
" Endpoint control FCT-EMS object

For more details about FortiGate automation configuration, see the FortiClientEMS 7.0 Administration Guide.

FortiClient EMS 7.0 Study Guide 126

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 127

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Good job! You now know how to configure endpoint quarantine management.

Now, you will learn about software inventory.

FortiClient EMS 7.0 Study Guide 128

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using FortiClient EMS to view the software inventory on endpoints, you will
be able to identify what applications are installed.

FortiClient EMS 7.0 Study Guide 129

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

You can centrally view a list of software installed on all endpoints. The list includes details for each
application, such as vendor and version information. You can view this information by application or by
vendor, on the Applications pane, or by host on the Hosts pane. FortiClient sends installed application
information to FortiClient EMS.

The FortiClient EMS administrator can view installed application information for all managed endpoints on the
Applications pane.

The Applications pane also shows the total number of application installed, vendors, and newly installed
applications. You can view the application names alphabetically, or by vendor. You can also apply filters by
application name, vendor name, and version number.

FortiClient EMS 7.0 Study Guide 130

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

The FortiClient EMS administrator can view installed applications information for all managed endpoints by
host on the Hosts pane.

The Hosts pane shows the total number of applications, OS details, and lists of the software installed on the
endpoints. You can also view other details about the hosts, as shown on this slide image.

You can apply filters by host name, user name, OS name, and IP address.

FortiClient EMS 7.0 Study Guide 131

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 132

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 133

 FortiClient EMS Configuration and Administration

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to install, configure, and administer
FortiClient EMS. You also learned how to manage a large number of endpoints.

FortiClient EMS 7.0 Study Guide 134

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to deploy FortiClient and manage deployment packages using FortiClient
EMS.

By demonstrating competence in FortiClient deployment, you will be able to deploy FortiClient endpoints using EMS in
Windows Active Directory environment, as well as prepare and manage different types of installation files.

FortiClient EMS 7.0 Study Guide 135

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

By demonstrating competence in FortiClient deployment, you will be able to prepare Windows Active
Directory (AD) server and endpoints, as well as implement different deployment types. You will also be able to
deploy various types of FortiClient endpoint using FortiClient EMS and MacOS.

FortiClient EMS 7.0 Study Guide 136

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiClient deployment, you will be able to prepare Windows AD server and
endpoints, as well as implement different deployment types.

FortiClient EMS 7.0 Study Guide 137

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

There are two methods that you can use to add FortiClient to EMS: Windows AD and workgroups.

AD setup provides central management and control (group policies) for the Windows endpoint. It is generally
used in large setups to implement corporate policies such as resource usage and access control.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you
cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS is installed
on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, removals, and
replacements of both FortiClient for Windows and macOS using AD servers.

FortiClient EMS 7.0 Study Guide 138

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

A Windows workgroup is a collection of computers on a local area network (LAN) that share common
resources and responsibilities. Being a peer-to-peer (P2P) network design, each workgroup computer may
both share and access resources if configured to do so. Workgroups are designed for small LANs. This setup
doesn9t have a centralized server and all the Windows endpoints in LAN need to be configured as individually
machines.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after
FortiClient is installed on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups
to uninstall and update FortiClient on endpoints.

FortiClient EMS 7.0 Study Guide 139

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

To deploy FortiClient from FortiClient EMS, you must prepare the AD server for deployment and deploy
FortiClient on the endpoints. Before you can successfully deploy a FortiClient installation, ensure you install
and prepare the AD server by completing the tasks shown on this slide.

Note that you cannot use FortiClient EMS to deploy an initial installation of FortiClient to endpoints (macOS
and workgroup computers). However, after FortiClient is installed on the endpoints, and the endpoints are
connected to FortiClient EMS, you can use FortiClient EMS to uninstall and update FortiClient on endpoints.

FortiClient EMS 7.0 Study Guide 140

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You must enable and configure the following services on each Windows endpoint before FortiClient
deployment:
" Task Scheduler: Automatic
" Windows Installer: Manual
" Remote Registry: Automatic

The Windows firewall must allow SMB-in and RPC traffic for inbound connections.

For AD group deployments, an AD administrator account is required. For non-AD deployments, the installer
URL can be shared with users, who can then download and install FortiClient manually. You can locate the
installer URL in the Manage Installers pane.

Note that when you are adding endpoints using an AD domain server, FortiClient EMS automatically resolves
endpoint IP addresses during initial deployment of FortiClient. FortiClient EMS can deploy FortiClient
(Windows) to AD endpoints that do not have FortiClient installed, as well as upgrade existing FortiClient
installations, if the endpoints are already connected to the EMS server.

You can execute gpresult.exe /H gpresult.html on any AD client to verify if you have an issue
pushing the group policy to the endpoints.

FortiClient EMS 7.0 Study Guide 141

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You can deploy FortiClient on Windows endpoints using an AD server: For successful deployment of
FortiClient installation from FortiClient EMS using an AD server, you must prepare the AD server, add the AD
server to FortiClient EMS as a domain, add an installer package to FortiClient EMS, add a profile (which
includes the installer package and configured FortiClient features), and assign the profile to a branch of the
AD domain to push the installation. You can verify the deployment by monitoring FortiClient connections to the
EMS.

FortiClient EMS cannot be used to deploy initial installations of FortiClient (macOS). You can deploy an initial
installation of FortiClient (macOS) by doing one of the options that are shown on this slide. After FortiClient
(macOS) is installed on endpoints, and you have connected FortiClient Telemetry to FortiClient EMS, you can
use FortiClient EMS to replace, upgrade, and uninstall FortiClient.

You can also deploy a FortiClient software update from FortiClient EMS when endpoints running older
version. A prompt appears on the FortiClient endpoint when an installer package is requested to be deployed.
The prompt instructs the user to choose an upgrade option: Upgrade Now or Upgrade Later. If you select
the Upgrade Now option, FortiClient performs the upgrade and automatically restarts your computer. If you
select the Upgrade Later, the user can indicate the time to start the upgrade. The default is 8:00 PM. Your
computer automatically restarts after the upgrade.

If no option is selected, the upgrade occurs, by default, at 8:00 PM. After FortiClient EMS uninstalls the
previous version, it asks if the user wants to reboot now or reboot later.

FortiClient EMS 7.0 Study Guide 142

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You can create a deployment configuration on FortiClient EMS. An administrator can select different
configuration options when deploying FortiClient. You can configure the configuration deployment name,
select endpoint groups, take action to install or uninstall FortiClient, and select deployment installer.

The EMS administrator can also select start time to install FortiClient. An unattended installation option restrict
user from changing installation schedule and if required, the device reboots without warning.

The Reboot When Needed option reboots the endpoint to install FortiClient when needed and the Reboot
When No Users Are Logged In option allows the endpoint to reboot without prompt, if no endpoint user is
logged into FortiClient.

The Notify Users and Let Them Decide When To Reboot When Users Are Logged In option notifies the
end user if a reboot of the endpoint is needed and allows the user to decide what time to reboot the endpoint.
Disable this option to reboot the endpoint without notifying the user.

The username and password allows you to enter the admin credentials for the AD. The credentials allow
FortiClient EMS to install FortiClient on endpoints using AD.

You can also enable or disable the deployment using the Enable the Deployment option.

When an endpoint is eligible for multiple endpoint deployment configurations, two factors determine which
configuration EMS applies to the endpoint:
1. EMS applies deployment configurations to endpoints only if the configurations are enabled on the EMS.
2. If an endpoint is eligible for multiple enabled configurations, FortiClient EMS applies the configuration with
the first priority level to the endpoint.

FortiClient EMS 7.0 Study Guide 143

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 144

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient deployment methods and types.

Now, you will learn about how to manage FortiClient installers and the deployment package.

FortiClient EMS 7.0 Study Guide 145

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in working with deployment packages and installers, you will be able to create
deployment packages, installers, and manage on FortiClient EMS.

FortiClient EMS 7.0 Study Guide 146

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You can create deployment packages to deploy FortiClient to endpoints. Deployment packages include the
FortiClient installer, which determines the FortiClient release and patch to install on the endpoint, as well as
which FortiClient features are installed on the endpoint.

You can also specify what FortiClient features to include in the deployment package for the endpoint. You can
include a feature in the deployment package, then disable the feature in the profile. Because the feature is
included in the deployment package, you can update the profile later to enable the feature on the endpoint.

After you add a package to the FortiClient EMS, you can not edit it. You can delete the package and edit the
deployment package outside of the FortiClient EMS and then can add the edited deployment package to the
FortiClient EMS. When adding a package you can select an installer type, release version, patch, and enable
FortiClient to automatically update to the latest release, and installer9s name and notes.

In Features section, you can select options to enable zero-trust telemetry (enabled by default and can9t be
disabled); secure success (SSL and IPSec VPN); APT, and additional security features such as antivirus
protection, web filtering, SSO agent, and cloud-based malware detection.

The Advanced section allows you to enable automatic registration, desktop shortcut, installer ID, and
endpoint profile. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server,
which will manage FortiClient after it is installed on the endpoint.

You can view the deployment packages in the Deployment & Installers pane. You can view more details or
delete packages in the Deployment Packages pane.

FortiClient EMS 7.0 Study Guide 147

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

When the administrator creates a FortiClient deployment package in EMS, they choose which setup type and
modules to install:
" Zero trust telemetry (Selected by default, you must also select one of the other security feature to create
package)
" Secure access architecture components
" Vulnerability scan
" Advanced persistent threat (APT) components
" Additional security features

The impact of the options are shown on this slide. The administrator can use an FortiClient EMS profile to
disable installed components on FortiClient but cannot use an FortiClient EMS profile to enable uninstalled
components on FortiClient.

For example, if the administrator creates the FortiClient EMS installer with APT components selected, the
Sandbox Detection tab is enabled on FortiClient. The administrator can use an EMS profile to disable
Sandbox Detection. However, if the installer did not include APT components, the Sandbox Detection tab is
disabled on FortiClient and the administrator cannot use an EMS profile to enable Sandbox Detection.

FortiClient EMS 7.0 Study Guide 148

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

By default, zero trust telemetry feature is selected and enabled when you select a installer file. This setup
installs telemetry component to FortiClient. You must also select one of the other security feature to create
package.

Telemetry provides endpoint visibility and ensures that all fabric components4FortiGate, FortiAnalyzer,
FortiClient EMS, managed APs, managed switches, and sandbox have a unified view of endpoints in order to
provide tracking and awareness, compliance enforcement, and reporting.

FortiClient EMS 7.0 Study Guide 149

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

The secure access architecture component installs FortiClient with the Remote Access tab. FortiClient
provides flexible options for VPN connectivity. It supports both secure sockets layer (SSL) and internet
protocol security (IPsec) VPNs.

If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included
endpoint profile, users who use this deployment package to install FortiClient can connect to this
preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote
users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user
does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop
working on their device.

Note that this is an optional feature.

FortiClient EMS 7.0 Study Guide 150

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

The vulnerability scan feature enables host vulnerability scanning on FortiClient. FortiClient helps
organizations reduce attack surface with vulnerability scanning and optional auto-patching. Combined with the
zero-trust access principles, this approach can enhance an organization9s hygiene and security posture.

All vulnerable endpoints are easily identified on FortiClient EMS for remediation. This feature is optional.

FortiClient EMS 7.0 Study Guide 151

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

The APT components feature enables FortiSandbox integration with FortiClient. By integrating with
FortiSandbox and leveraging FortiGuard global threat intelligence, FortiClient prevents advanced malware
and vulnerabilities from being exploited.

FortiClient integrates with FortiSandbox to analyze all downloaded files in real time to FortiClient endpoints.
FortiClient and FortiSandbox users worldwide share information about known and unknown malware with
FortiGuard threat intelligence platform. FortiGuard automatically shares the intelligence with FortiClient
endpoints to protect against emerging threats.

FortiClient EMS 7.0 Study Guide 152

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

The Additional Security Features option enables the malware, web filtering, application firewall and single
sign-on mobility agent.

Malware includes antivirus, anti-exploit, removable media access, anti-ransomware, and cloud-based
malware outbreak detection. These feature provide real time protection against a variety of threats such as file
system activities exhibited by ransomware exploits or high risk file types from internet and network drives.

Web Filtering provides defence against web-based attacks.

Application Firewall inspects intrusions that attempt to exploit known vulnerabilities.

Single Sign-On Mobility Agent enables transparent authentication or single sign-on feature. This setup
requires FortiAuthenticator.

FortiClient EMS 7.0 Study Guide 153

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You can include an installer ID in a FortiClient deployment package. After FortiClient installation, the endpoint
connects to FortiClient EMS and FortiClient EMS groups the endpoint according to the installer ID group
assignment rule. You can configure one installer ID for each deployment package.
In an environment with a large number of endpoints, you may have multiple installer IDs that you want to use
to group endpoints automatically in FortiClient EMS after installation. Since you can configure each
deployment package with only one installer ID, it may be inefficient to create a deployment package for each
installer ID.

Instead, you can use the same deployment package on multiple endpoints, providing different installer IDs in
the CLI depending on which group you want FortiClient EMS to place the endpoint in. When these endpoints
connect to FortiClient EMS, FortiClient EMS groups them according to the installer ID provided in the CLI.
This process consists of the following steps:
1. Create a deployment package in FortiClient EMS. Do not configure an installer ID.
2. Create installer ID group assignment rules to automatically move endpoints into the desired groups.
3. Install FortiClient on endpoints using the CLI commands show on this slide:

Consider that you want to deploy the same deployment package but different installer IDs for the HR,
marketing, and office management teams at your organization. In this scenario, you would use EMS to create
an deployment package without an installer ID and an installer ID group assignment rule for each endpoint
group. Then, you can install FortiClient on the endpoints using the deployment package and CLI command as
shown on this slide.

After the endpoints connect to FortiClient EMS, FortiClient EMS automatically places them into groups based
on their installer IDs (for example HR, marketing, and office management).

FortiClient EMS 7.0 Study Guide 154

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

FortiClient EMS automatically connects to FDN to provide access to FortiClient installers that you can use
with FortiClient EMS profiles. If a connection to FDN is not available, you must manually download FortiClient
installers to use with FortiClient EMS.

You can download FortiClient installers to use with FortiClient EMS from the Fortinet Support site.

After you add a FortiClient installer to FortiClient EMS, you cannot edit it. You can delete the installer from
FortiClient EMS, and edit the installer outside of FortiClient EMS. You can then add the edited installer to
FortiClient EMS.

FortiClient EMS 7.0 Study Guide 155

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

You can create a custom FortiClient installer and add it to FortiClient EMS. Alternately, if a connection to FDN
is not available, you may need to manually download a FortiClient installer and add it to FortiClient EMS.

There are options to select Windows or Mac installer. Windows installers must be MSI or ZIP files and
macOS must be DMG files. You cannot upload the FortiClient free VPN client installer.

After you add FortiClient installers to FortiClient EMS, you can view them in the FortiClient Installers pane.
By default, this page lists installers from FortiGuard first, then from uploaded installers. The following
information is displayed for each installer:
" Name
" Versions
" Type

FortiClient EMS 7.0 Study Guide 156

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 157

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 158

 FortiClient Deployment

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about deployment types, configuration, and
packages.

FortiClient EMS 7.0 Study Guide 159

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to provision FortiClient on endpoints using FortiClient EMS.

By demonstrating competence in FortiClient provisioning, you will be able to create endpoint policy and
profiles, as well as enable different FortiClient features and settings.

FortiClient EMS 7.0 Study Guide 160

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 161

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring and editing endpoint policy, you will be able to use endpoint
policy to apply an endpoint profile to endpoint groups or users.

FortiClient EMS 7.0 Study Guide 162

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

An endpoint policy assigns endpoint profiles to endpoint groups or users of Windows, macOS, and Linux
endpoints. The Manage Policies page provides a comprehensive summary of which endpoint policies are
applied to which endpoint groups or AD device groups (computers).

When you install FortiClient EMS, a default policy is created. By default, the default policy assigns a default
endpoint profile to unassigned endpoint groups or AD device groups, or to groups or users that do not match
any other policy configured on FortiClient EMS on initial setup.

You can edit a default policy but you cannot disable it or delete it. You can modify only on-fabric and off-fabric
endpoint profiles on the default policy.

Note that when a user switches accounts between a local non-domain account and a domain account on the
same machine, FortiClient EMS may not apply the correct policy to the endpoint.

FortiClient EMS 7.0 Study Guide 163

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can create new endpoint policies to assign endpoint profiles to endpoint groups or AD users.

In the screen capture shown on this slide, you can see that endpoints that belong to the domain trainingAD
group and All Groups include workgroup endpoints that have the endpoint profiles configured in the endpoint
policy. You must select an on-fabric profile on the policy, but an off-fabric profile is optional. FortiClient EMS
pushes these settings to the endpoint with the next Telemetry communication. In this example, endpoints in
the trainingAD group are applicable for the Student Policy. FortiClient EMS applies only the Training Policy
to the group.

You can add, edit, delete, enable, or disable a policy on the Manage Policies page.

You can also create Chromebook policies to assign endpoint profiles and telemetry gateway lists to groups of
Chromebook endpoints. The Manage Chromebook Policies page provides a comprehensive summary of
which policies are applied to which groups within the Google domain. This option is available only if the
FortiClient EMS for Chromebooks Settings option is enabled on the FortiClient EMS server.

Chromebook policies function identically to Windows, macOS, and Linux endpoint policies, except that they
are applied to Chromebook endpoints and can include only a Chromebook profile, not a telemetry gateway
list.

FortiClient EMS 7.0 Study Guide 164

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

An endpoint can be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint
policies, the following factors determine which endpoint policy FortiClient EMS applies to the endpoint:
" FortiClient EMS applies endpoint policies to endpoints only if those policies are enabled on the Endpoint
Policy & Components Manage Policies page.
" If an endpoint is eligible for multiple enabled endpoint policies, FortiClient EMS determines which policy to
apply using the following criteria, in the following order:
1. If a policy is directly assigned to the user (configured in the Users field for the endpoint policy),
FortiClient EMS assigns that policy to the endpoint.
2. If there are policies assigned to the group container, or user group, or both, FortiClient EMS
assigns the policy with the highest priority level to the endpoint.
3. If there are inherited policies assigned to the group container, or user group, or both (policies
assigned to a parent container or group), FortiClient EMS assigns the policy with the highest
priority level to the endpoint.

In the example shown on this slide, the AD group TrainingAD is eligible for both the Training and AD-Group
policies. In this scenario, FortiClient EMS applies the first eligible endpoint policy, Training, to the AD group
because it has the highest priority level. In order to apply a more restrictive policy (AD-Group) to endpoints,
the administrator must move the policy so that it has a higher priority level than the Training policy.

To change priority level, on the Manage Policies page, click Change Priority, select a policy, and then move
the selected policy up or down, depending on your requirements.

FortiClient EMS 7.0 Study Guide 165

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS allows you to upload or import a CA certificate. You can upload the certificate manually by
browsing the CA certificates files on your local computer. Alternatively, you can import a certificate from
FortiGate. You will need to provide the FortiGate IP address, VDOM information, and login credentials.

FortiClient EMS will use the HTTPs port to import certificates.

FortiClient EMS 7.0 Study Guide 166

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can configure on-fabric detection rules for endpoints. FortiClient EMS uses the rules to determine if the
endpoint is on-fabic or off-fabric. Depending on the endpoint on-fabric status, FortiClient EMS may apply a
different profile to the endpoint, as configured in the applied endpoint policy. A rule set is available for on-
fabric detection.

The DHCP server allows you to configure the IP address, the MAC address, or both, of the DHCP server. You
can also configure the DHCP code. The DHCP code is synonymous with option 224 in FortiOS 6.0, which
was the FortiGate serial number. Now, the DHCP code can be any string configured in the DHCP server as
option 224. You may still use the FortiGate serial number as the DHCP code, if desired. FortiClient EMS
considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified
configuration. You can configure multiple IP and MAC addresses and DHCP codes. If you select a DNS
server, FortiClient EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that
matches the specified configuration. You can configure multiple IP addresses for the DNS server.

If FortiClient EMS Connection is selected as the detection type, FortiClient EMS considers the endpoint as
satisfying the rule if it is online with FortiClient EMS. The local IP/subnet allows you to configure a range of IP
addresses considered as local IP addresses. Configuring the gateway MAC address is optional. FortiClient
EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range
specified, and if its default gateway MAC address matches the one specified, if it is configured.

The default gateway option allows you to configure the gateway IP address. FortiClient EMS considers the
endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and
MAC address. Again, the MAC address is optional.

FortiClient EMS 7.0 Study Guide 167

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

For ping server detection, FortiClient EMS considers the endpoint as satisfying the rule if it can access the
server at the specified IP address. The public IP option allows you to use the public IP address or WAN IP
address of an endpoint. FortiClient EMS considers the endpoint as satisfying the rule if its public (WAN) IP
address matches the one specified. You can configure multiple addresses.

If you select Connection Media as the detection type, you have the option to select a connection status, such
as Connected, or Not Connected for the Ethernet connection, the Wi-Fi connection, or both. The Wi-Fi
option also requires the SSID and security type of the wireless connection. FortiClient EMS considers the
endpoint as satisfying the rule if its network settings match all configured fields.

Note that on-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions.

In the VPN tunnel option, you can type an SSL or IPSec VPN tunnel name. FortiClient EMS considers the
endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure
tunnels by pressing the + button.

This slide shows some of the detection types and their options.

FortiClient EMS 7.0 Study Guide 168

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 169

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Good job! You now understand endpoint policy and its components.

Now, you will learn about endpoint profiles.

FortiClient EMS 7.0 Study Guide 170

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring, editing, assigning, and managing endpoint profiles, you will be
able to use endpoint profiles to define the features installed on FortiClient endpoints.

FortiClient EMS 7.0 Study Guide 171

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

When you install FortiClient EMS, a default profile is created. By default, this profile is applied to any groups
you create. The default profile is designed to provide effective levels of protection. There are separate default
profiles for Windows, macOS, and Linux endpoints and for Chromebook endpoints.

You can create and configure separate profiles for Windows, macOS, and Linux endpoints and for
Chromebook endpoints. You can also edit the default profiles as shown on this slide.

You can edit, to add, or remove settings in the default profile. You can also revert to the default settings by
clicking Revert to Default.

FortiClient EMS 7.0 Study Guide 172

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The default profile is designed to provide effective levels of protection. To use specific features, such as
application firewall, create a new profile or edit the default profile.

Note that an individual FortiClient must belong to a group before the settings can be pushed to them.

FortiClient EMS 7.0 Study Guide 173

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can create endpoint profiles to configure FortiClient. This profile excludes any installation or uninstallation
of FortiClient software on endpoints, and is used to configure FortiClient software on endpoints.

You can also configure FortiClient profile settings in FortiClient EMS by using XML or a custom
XML configuration by using the XML editor on FortiClient EMS. The custom XML file must include all settings
required by the endpoint at the time of deployment.

FortiClient EMS 7.0 Study Guide 174

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can import a FortiClient web filter profile from FortiGate and FortiManager devices into FortiClient EMS,
then edit the profile in FortiClient EMS to add a FortiClient installer or other configuration details.

To import profiles successfully from FortiOS to FortiClient EMS, the HTTPS port on FortiGate and
FortiManager must be open.

You need the IP address and port number of the FortiGate or FortiManager device from which the profile is
being imported. You also need a VDOM name from the FortiGate or FortiManager, if applicable; login
username; and password to connect.

You can also import the XML configuration file to create a profile. If the profile has a feature enabled that is
disabled in Feature Select, FortiClient EMS displays a warning that the feature will not be enabled on
endpoints that the profile is deployed to. To enable this feature on the endpoint, you must enable the feature in
Feature Select.

FortiClient EMS 7.0 Study Guide 175

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Chromebook profiles support web filtering by categories, block and allow lists, and safe search. You can
create different profiles and assign them to different groups in the Google domain. When you install FortiClient
EMS, a default profile is created. This profile is applied to any domains you add to FortiClient EMS.

The search engine provides a safe search feature that blocks inappropriate or explicit images from search
results. The safe search feature helps block most adult content. FortiClient EMS supports safe search for
most common search engines, such as Google, Yahoo, and Bing.

The profile in FortiClient EMS controls the safe search feature.

FortiClient EMS 7.0 Study Guide 176

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

When you assign the profile using endpoint policy to domains or workgroups, the profile settings are
automatically pushed to the endpoints in the domain or workgroup. If you do not assign a profile to a specific
domain or workgroup, the default profile is automatically applied. After editing an existing profile assigned to
endpoints or domains, the changes are also automatically pushed to the endpoints or Chromebooks when you
save the profile.

When you clone a profile, all the content displays in the content pane, and you can save the cloned profile
with a new name.

For profiles imported from FortiGate or FortiManager, you can manually sync profiles so they are updated with
the latest changes from the FortiGate or FortiManager device that they were imported from. You can also edit
the sync schedule time.

You can also delete any newly created profile. But note that you cannot delete the default profile and the
assigned profiles.

FortiClient EMS 7.0 Study Guide 177

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

For Chromebooks, only the Web Filter and System Settings tabs are available. All other tabs are exclusive
to Windows, macOS, and Linux endpoints.

The Profile Name allows you to enter a name and select a display option. The Basic display option shows all
the GUI options. The Advanced display option enables the XML configuration tab to configure a profile using
XML. This option is available only for Windows, macOS, and Linux profiles.

FortiClient EMS 7.0 Study Guide 178

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The eye icon is available on the following FortiClient features:

" Malware Protection
" Sandbox
" Web Filter
" Application Firewall
" VPN
" Vulnerability Scan

You can use the eye icon to show or hide the feature from the end user, in FortiClient. When you select hide,
the feature will still run in the background, but the endpoint user cannot see it. It is very useful when inspecting
the traffic without the user9s knowledge.

FortiClient EMS 7.0 Study Guide 179

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can enable antivirus protection on FortiClient. Some options display only if you enable Advanced.

In the general settings, you enable or disable options that will block communication to known channels, block
access to malicious websites, and identify malware and exploits using signatures from FortiSandbox.

In real-time protection settings, FortiClient can take different actions on virus discovery. You can also select
file size and scan files accessed by a user or system process, such as read or write. On-demand scanning
integrates FortiClient into the Windows Explorer menu. You can pause scanning when a computer is running
on battery power, and automatically submit suspicious files to FortiGuard for analysis. You can also select
schedule type, scan type, and priority. You can also select removable media and network drives for scanning.

Anti-ransomware protects specific files, folders, or file types on your endpoints from unauthorized changes.

The anti-exploit option enables the anti-exploit engine to monitor commonly used applications for attempts to
exploit known vulnerabilities. You can exclude applications from anti-exploit detection and enable system tray
notifications.

You can enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps
protect endpoints from high risk file types that come from external sources, such as the internet or network
drives, by querying FortiGuard to determine whether files are malicious.

You can also enable controlling access to removable media devices and file or folder exclusions from
antivirus scanning. The Other option enables scanning for rootkits, adware, riskware, email, media on
insertion, and advanced heuristics signature. You must use the Advanced view to see the Other option.

FortiClient EMS 7.0 Study Guide 180

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Once malware is enabled on the endpoint profile and pushed to FortiClient, you can view available options on
the anti-virus dashboard on the FortiClient console.

You can view the real-time protection status, view if the database is up-to-date, or perform an on-demand
antivirus scan. Malware protection is disabled, by default, on the FortiClient EMS Default endpoint profile.

FortiClient automatically disables RTP after installation when one of the following is true:
" The OS is a server
" Exchange Server is detected
" SQL Server is detected

FortiClient EMS 7.0 Study Guide 181

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

As you know, FortiClient security features are licensed with FortiClient EMS. Without a connection to
FortiClient EMS, the features disappear. You can only configure AV options on an endpoint profile in
FortiClient EMS to make changes.

You can click the Settings icon to view most of the antivirus configuration. On real-time protection, you can
configure settings to specify what to scan. When a virus is detected during real-time monitoring, it is
automatically quarantined. If you have another antivirus program installed, FortiClient displays a warning
message stating that your system may lock up or become unstable because of conflicts between the different
antivirus products. You should uninstall all conflicting antivirus software before installing FortiClient or
enabling antivirus real-time protection.

You can also enable scheduled antivirus scans that automatically scan your workstation at a scheduled time.
An exclusion list allows you to include files and folders that you don't want included in an antivirus scan.

FortiClient EMS 7.0 Study Guide 182

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

This slide shows the configuration of the real-time protection on FortiClient. To enable real-time protection,
you must select Scan files as they are downloaded or copied to my system. Why?

When you download software from the internet, there is always a chance that you could download
applications or programs that will try to inject malware, grayware, or viruses into your system.

You can also enable command and control (C&C) detection using IP reputation database signatures. It
checks network traffic against known C&C IP addresses, plus port number combinations.

Block malicious websites blocks all access to malicious websites. You must select FortiProxy (Disable
Only When Troubleshooting) on the System Settings tab before you can enable this option.

You can configure one of the actions for the Security Risk site category, which includes block, warn, allow,
and monitor. You can also select to view all the subcategories, and configure individual actions (Block, Warn,
Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:
" Dynamic DNS
" Malicious Websites
" Newly Observed Domain
" Newly Registered Domain
" Phishing
" Spam URLs

FortiClient EMS 7.0 Study Guide 183

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can configure daily, weekly, and monthly scans as well as selecting one of the scan types on this slide.
Quick Scan scans only executable files, DLLs, and drivers that are currently running for threats. Full Scan
performs a full system scan including all files, executable files, DLLs, and drivers for threats, and Custom
Scan allows you to select a specific file folder on your local hard disk drive (HDD) to scan for threats. All three
scan types run the rootkit detection engine to detect and remove rootkits.

By default, FortiClient is scheduled to run full system scans monthly. It is recommended that you run a full
system scan on your endpoint, as specified by the default settings. Using the default settings provides the
best balance between protecting your endpoint from network threats and supporting the best overall
performance. If the default settings do not meet your needs, you can adjust and fine-tune the settings
accordingly.

Note that if you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day
of the month for those months with fewer than 31 days.

If you want to exclude specific files or folders from the antivirus scan, but still want to perform an antivirus
scan on the rest of the system, you can configure an exclusions list. The files and folders that you add to this
list are excluded from antivirus scanning.

FortiClient EMS 7.0 Study Guide 184

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can also run an on-demand antivirus scan on the FortiClient Console. There are four types of scans:
" Custom Scan: runs the rootkit detection engine to detect and remove rootkits. It allows you to select a
specific file folder on your local hard disk drive (HDD) to scan for threats.
" Full Scan: runs the rootkit detection engine to detect and remove rootkits. It then performs a full system
scan of all files, executable files, DLLs, and drivers.
" Quick Scan: runs the rootkit detection engine to detect and remove rootkits. It scans only the following for
threats: executable files, DLLs, and drivers that are currently running.
" Removable Media Scan: runs a full scan on removable media. You cannot schedule scans for
removable media.

You can view the date of the last scan run. You can perform a virus scan on a specific file or folder on your
workstation by right-clicking the file or folder and selecting Scan with FortiClient AntiVirus and Submit for
analysis. You can submit up to five files per day to FortiGuard for analysis. FortiClient uses SMTP port 25 to
upload files. The port must be open on the network firewall. The FortiGuard team does not provide feedback
for the files submitted, but creates signatures for the malicious files detected.

Note that the Submit for Analysis option is available only when you select an individual file.

FortiClient EMS 7.0 Study Guide 185

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

On the FortiClient console, the Threats Detected link allows you to view quarantined threats, site violations,
and real-time protection events. Each link provides further information about the threat or violation.

The Quarantined Files link allows you to view, submit, or see details of the quarantined file. You can also
view the original file location, view the virus name, submit the suspicious file to FortiGuard, and view logs.
Only the FortiClient EMS administrator can delete, allowlist, and restore quarantined files.

The Site Violations link allows you to view site violations, which are part of FortiClient antivirus, and submit
requests to have the site recategorized. It allows you to view site violation details, including the website name,
category, date and time, user name, and status.

When an antivirus real-time protection event occurs, it is logged in the realtime_scan.log and you can
open it in any text editor. By default, real-time protection events open in the default viewer.

FortiClient EMS 7.0 Study Guide 186

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

If FortiClient detects a virus file that is being downloaded through a web browser, FortiClient presents a
warning message if the action on virus discovery is either set to Deny Access To Infected File or
Quarantine Infected File. When the file discovery action is quarantined, you can take one of the actions
shown on this slide. FortiClient locks the file on a specified location shown on the file details page until any
action is taken. In version 6.2, restore and allowlist is done on FortiClient EMS quarantine management.

When the action is set to Deny Access to Infected Files, a message is displayed stating that users are not
permitted to download the file because it is infected.

Note that if you do not select Alert when viruses are detected, the virus alert dialog box does not open when
you attempt to download a file that contains a virus through a web browser.

FortiClient EMS 7.0 Study Guide 187

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can view the current FortiClient version, engine, and signature information by selecting About.

You can use FortiManager for client software and signature updates when registered on FortiGate or
FortiClient EMS.

FortiClient EMS 7.0 Study Guide 188

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Anti-ransomware protects specific files, folders, or file types on your endpoints from unauthorized changes.
The anti-ransomware section includes options for protected folder, file types, and action valid signer.

You can select the desired folders from the existing list, or create a custom directory to protect. Use the Add
Folder button to add a new folder. FortiClient anti-ransomware protects all content in the selected folders
against unauthorized changes.

There is also a list of file types that are protected. You can add additional file types to protect from suspicious
activity, separating each file type with a comma. Please note, do not include the leading dot when entering a
file type. For example, to include text files, you would enter txt, as opposed to .txt.

When anti-ransomware detects suspicious activity, it displays a pop-up window asking the user if they want to
terminate the process. If the user selects yes, FortiClient terminates the suspicious process. If the user
selects no, FortiClient allows the process to continue. However, If the user does not select an option,
FortiClient waits for the configured action timeout, then does one of the following, as configured:
" Blocks access and warns the user if suspicious activity is detected: FortiClient terminates the suspicious
process.
" Warns the user and resumes after the timeout: FortiClient allows the process to continue.

Bypass Valid Signer enables FortiClient to exclude a process from the selected anti-ransomware action if it
has a valid signer.

FortiClient EMS 7.0 Study Guide 189

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The anti-exploit detection protects vulnerable endpoints from unknown exploit attacks. FortiClient monitors the
behavior of popular applications, such as web browsers (Internet Explorer, Chrome, Firefox, Opera),
Java/Flash plug-ins, Microsoft Office applications, and PDF readers, to detect exploits that use zero-day or
unpatched vulnerabilities to infect the endpoint. Once detected, FortiClient terminates the compromised
application process.

The anti-exploit detection feature also protects the endpoint from memory-based attacks and drive-by
download attacks. It also detects and blocks unknown and known exploit kits.

This slide shows the list of commonly used application in the anti-exploit section. You can also exclude an
application from being monitored by moving it to the Excluded Applications box. In this example, the Opera
internet browser is excluded.

Anti-exploit is a signature-less solution.

FortiClient EMS 7.0 Study Guide 190

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The cloud-based malware protection feature helps protect endpoints from high-risk file types coming from
external sources, such as the internet or network drives, by querying FortiGuard to identify whether files are
malicious. When a file is downloaded or executed, FortiClient generates a SHA1 checksum for the file.
FortiClient sends the checksum to FortiGuard , where it is compared against the FortiGuard checksum library
to identify if it is malicious. If the checksum is found in the library, FortiGuard communicates to FortiClient that
the file is deemed malware. By default, FortiClient quarantines the file.

This feature submits only high risk file types, such as .exe, .doc, .pdf, and .dll, to FortiGuard. You can enable
this feature independently of antivirus protection. By default, the list of high-risk file types is the same as the
list of file types submitted to FortiSandbox.

This slide shows the options you can select for cloud-based malware protection:
For Server settings, you can either select to wait for cloudscan result and then allow access if the result times
out, or deny access to file when there is no result at all. Time out happens if FortiClient EMS cannot reach
FortiGuard.

The File Submission Options section allows you to select the source from which files need to submit for
analysis. The source can be removable media like USB, mapped network drives, web downloads, and email
downloads. You can also exclude files from trusted sources by enabling Exclude Files from Trusted
Sources.

Remediation Actions allows you to select either Quarantine or Alert & Notify when a malicious file is
detected. This action applies when FortiClient quarantines the file, depending on if FortiGuard reports the file
as malicious.

FortiClient EMS 7.0 Study Guide 191

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Removable Media Access section controls access to removable media devices, such as USB drives or
external hard drives. You can also configure rules to allow or block specific removable devices. Rules for
specific devices require the class, manufacturer, vendor ID, product ID, and revision information. You can find
the desired values for the device in one of the following ways:
" Microsoft Windows Device Manager: select the device and view its properties.
" USBDeview

FortiClient can allow, block, or monitor access to removable media devices based on the rules, as configured
by the FortiClient EMS administrator. Access control or action for devices that do not match any configured
rules are control by Default removable media access settings. In the example on this slide, action Monitor
is selected as the default action and there is no rule configured for a specific device. With this configuration,
FortiClient will log the connections to the endpoint for all the removable devices that connect to it.

FortiClient EMS 7.0 Study Guide 192

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The Exclusion option enables exclusions from AV scanning. FortiClient EMS supports using wildcards and
path variables to specify files and folders to exclude from scanning. The wildcards and variable FortiClient
EMS support are shown on this slide.

Note that combinations of wildcards and variables are not supported. A longer exclusion list affects AV
performance. It is recommended to keep the exclusion list as short as possible. Exclusion lists are case-
sensitive.

FortiClient EMS 7.0 Study Guide 193

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The Other section allows you to enable scanning of rootkits, adware, riskware, email, media on insertion,
advanced heuristics, and MIME files. It also enables FortiGuard analytics that automatically sends suspicious
files to FortiGuard for analysis.

You can also enable notifications for expired AV signatures for logged in FortiClient users.

FortiClient EMS 7.0 Study Guide 194

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient supports integration with FortiSandbox both on-premises or in the cloud. When configured,
FortiSandbox automatically scans files downloaded on the endpoint, or from removable media attached to the
endpoint, or mapped network drives. FortiClient also automatically scans files downloaded with an email client
on the endpoints, or from the internet. In each case, if the file is not detected locally, and FortiSandbox
integration is configured, FortiClient sends the file to FortiSandbox for further analysis. Endpoint users can
also manually submit files to FortiSandbox for scanning. FortiClient periodically downloads the latest AV
signatures from FortiSandbox, and applies them locally to all real-time and on-demand AV scanning.
FortiClient can send a maximum of 300 files daily to FortiSandbox Cloud. If multiple files are submitted around
the same time, FortiClient sends one file to FortiSandbox Cloud, waits until it receives the verdict for that file,
then sends the next file to FortiSandbox Cloud. In the case of FortiSandbox, the total number of files sent by
FortiClient is limited to hardware specifications.

FortiClient EMS 7.0 Study Guide 195

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can enable Sandbox Detection on the FortiClient EMS. Some options display only if you enable
Advanced.
When you enable FortiSandbox, the following options are available:
" Server allows you to select FortiSandbox in the network, and file access options based on results.
" In the File Submission Options section, you can select file resources like removable media, network
drives, web downloads, and email downloads.
" Remediation Actions allows you to select the Quarantine or Alert & Notify action for infected files.
" Exceptions allows you to exclude files from trusted sources and specific files or folders.
" Inclusions allows you to include folders and files for FortiSandbox submission.
" Other hides sandbox scan option from Windows context menu.
In addition to configuring the options shown on this slide, you must also configure the connection to FortiClient
EMS on FortiSandbox. On FortiSandbox, click Scan > Devices, and search for and authorize FortiClient EMS
using its serial number. You can find the FortiClient EMS serial number on the System Information widget on
the Dashboard.

FortiClient EMS 7.0 Study Guide 196

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can click the Settings icon to view the sandbox configuration on the FortiClient console. These options
include:
Wait for FortiSandbox results before allowing file access: Select to wait for FortiSandbox analysis results
before files can be accessed.
Deny Access to file when there is no sandbox result: Select to deny access to files when FortiClient
cannot reach FortiSandbox for file analysis, or no result.
You can view the following FortiSandbox submission options:
All files executed from mapped network drives: Select to submit all files that are executed on mapped
network drives to FortiSandbox for analysis. Clear the checkbox to disable this feature.
All files executed from removable media: Select to submit all files executed on removable media, such as
USB drives, to FortiSandbox for analysis. Clear the checkbox to disable this feature.
All web downloads: Select to submit all web downloads on the endpoint to FortiSandbox for analysis.
All email downloads (Ex. Outlook): Select to submit all email downloads on the endpoint to FortiSandbox
for analysis.

FortiClient EMS 7.0 Study Guide 197

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can view the following remediation options:

Quarantine infected files: Select to quarantine infected files.
Alert & Notify only: Select to alert and notify the endpoint user about infected files, but not quarantine
infected files.
You can view the following exclusion options:
Exclude files from trusted sources: Select to exclude files from trusted sources from FortiSandbox
analysis.
Exempt specified files / folders: Select to exempt specified files and/or folders from FortiSandbox analysis.
You must also create the exclusion list.

Note that all the configuration changes are done on the FortiClient EMS endpoint profile. For example, you
can also include files with no extension but they must be configured through XML configuration.

FortiClient EMS 7.0 Study Guide 198

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can send files to FortiSandbox for scanning on demand when FortiSandbox is enabled and online.

FortiSandbox scan results display on the Malware Protection page. When a virus is detected, FortiClient
creates a notification alert that displays the number of files. Access to files can be blocked until the
FortiSandbox scanning result is returned. When scanning is complete, FortiSandbox can quarantine infected
files, or alert and notify the endpoint user of infected files without quarantining the files.

The SUBMITTED box shows the number of files submitted to FortiSandbox for scanning. The ZERO-DAY
box shows the number of detected zero-day files. The CLEAN box shows the number of files identified as
clean after FortiSandbox scanning, and the PENDING box shows the number of files waiting for FortiSandbox
scanning.

FortiClient EMS 7.0 Study Guide 199

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can view files quarantined by FortiSandbox. Endpoint users can submit files to FortiSandbox only for
scanning and checking details of quarantined files.

The maximum age for quarantined files is specified in the <quarantine></quarantine> XML tags.

FortiClient sends quarantined file information to FortiClient EMS. If the FortiClient EMS administrator
allowlists the file (in the case of a false positive), FortiClient EMS sends the allowlist information to FortiClient.
After FortiClient receives the allowlist information, it releases the file from quarantine.

FortiClient EMS 7.0 Study Guide 200

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The Web Filter tab enables web filtering options. For Windows, macOS, and Linux profiles, you must enable
FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter.

General settings include Enable WebFiltering on FortiClient that allows FortiClient to perform web filtering
even when it is on-net with FortiGate in the network also configured with a web filter profile. This option is
available only for Windows and macOS profiles. This setting affects the Block Access to Malicious
Websites setting in AntiVirus protection.

Log All URLs enables logging for all URLs access by endpoint user. You can also enable Log User
Initiated Traffic to include user information in web filtering logs.

Show Bubble Notification When HTTPS Site Is Blocked enables the showing of a bubble notification when
a HTTPS site is blocked. Select Enable Web Browser Plugin for HTTPS Web Filtering to improve
detection and enforcement of web filter rules on HTTPS sites.

You can also enable the safe search option for search engines like Google search or YouTube.

Site Categories enables site categories from FortiGuard. When site categories are disabled, FortiClient is
protected by the exclusion list. For all categories below, you can configure an action for the entire site
category by selecting either Block, Warn, Allow, or Monitor. Each site category is shown on this slide.

You can also import a web filter profile from FortiOS or FortiManager into FortiClient EMS, then synchronize
the web filter profile settings to an endpoint profile on FortiClient EMS.

FortiClient EMS 7.0 Study Guide 201

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

In Rate IP Addresses, you can filter URLs and resolved IP addresses at the same time and select the action
for rating errors.

Note that if you enable the Allow websites when rating error occurs option, FortiClient will block all URLs,
including the captive portal authentication page. This will prevent users from getting access to the
authentication page.

The Exclusion List option allows you to select an action, and enter specific URLs and their type, such as
simple, wildcard, or regular expression.

FortiClient EMS 7.0 Study Guide 202

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The endpoint user can view the current configuration by clicking the settings icon on FortiClient console. The
FortiClient EMS administrator can configure a web security profile to Allow, Block, Warn, or Monitor web
traffic based on website categories and subcategories.

What if you want to exempt a URL that is part of a category, but you still want to take action on that category
as a whole?

The FortiClient EMS administrator can configure an exclusion list to which the administrator can add websites
and set the permissions to allow, block, and monitor. An administrator can also configure simple, wildcard, or
regular expressions as a type. If the website is part of a blocked category, an allow or monitor permission in
the exclusion lists allows the user to access the specific URL. Note that when site categories are disabled,
FortiClient is protected by the exclusion list only.

When you configure web filter general settings, you can choose to log all URLs with an assigned action, and
the logged files can be downloaded. You can also select to log only user-initiated browsing.

You can view site violations and violation details, including the website name, category, date and time, and
username. The violation shows only if the action is set to block or warn for FortiGuard site categories, and
block for the exclusion list.

FortiClient EMS 7.0 Study Guide 203

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Application Firewall tab enables or disables application control.

In the General section, you can enable bubble notifications for blocked applications. You can also enable the
inspection of network traffic for intrusions attempting to exploit known vulnerabilities.

In the Categories section, you can select the following actions on the categories shown in this slide image:
" Block
" Allow
" Monitor

The Application Overrides option allows the FortiClient firewall to allow, block, or monitor applications based
on their signatures. You can delete an application and add a signature to an application. Note that FortiClient
does not include SSL deep inspection. FortiClient cannot apply signatures marked as Require Deep
Inspection, do not use these signatures in a profile.

FortiClient EMS 7.0 Study Guide 204

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The VPN tab, enable or disable VPN use on endpoints. There are general and specific VPN type settings
available to configure.

The General section allows you to enable or disable various VPN-related settings. You can also select a
maximum number of attempts. These options are applied to both SSL and IPSec VPN.

SSL VPN includes the DNS Cache Service Control setting. You can select to disable, leave unchanged, or
restart the DNS cache control service. You can also override the DNS server to SSL VPN DNS IP.

You can also enable or disable different IPSec VPN options that are shown on this slide.

FortiClient EMS 7.0 Study Guide 205

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can add VPN profiles for both SSL and IPsec.

The SSL VPN settings include remote gateway IP, SSL port number, and options to request the certificate and
prompt for the user name. There is also an option to enter connect and disconnect scripts. This option must
also be enabled on FortiGate.

The IPSec VPN settings includes remote gateway IP, authentication method, pre-shared key (if Pre-Shared
Key is selected for Authentication Method), and prompt username. You can select the IPsec mode (Main or
Aggressive), and options such as Mode Config, Manual Set, DHCP over IPSec, DNS server, and so on in
the VPN Settings pane.

You can also configure phase 1 and phase 2 settings. You can select the encryption and authentication
algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms
as required, and algorithms that will be proposed to the remote VPN peer. You need to select a minimum of
one and a maximum of two combinations. The remote peer or client must be configured to use at least one of
the proposals that you define.

FortiClient EMS 7.0 Study Guide 206

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient (Windows) supports source application-based split tunnel, where you can specify which application
traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications.

For example, you can exclude applications like Microsoft Office 365, Microsoft Teams, Skype, GoToMeeting,
Zoom, and so on.

You must configure these settings in the endpoint profile in EMS. This feature does not support explicitly
including traffic in the VPN tunnel.

The example shown on this slide shows that the application Microsoft Teams is specified by its name, full
path, or directory where it is installed. Multiple entries can be separated by a semi-colon (;).

FortiClient EMS 7.0 Study Guide 207

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can also configure IPsec VPN directly on the FortiClient console when the FortiClient EMS administrator
allows you to add personal VPN connections. This allows you to create, edit, save, or delete IPsec VPN
connections. You can create and save multiple IPsec connections. Because this configuration is one side of
IPsec VPN, the configuration settings must match the FortiGate IPsec configuration in order to connect and
access remote resources.

When a personal VPN is not allowed by the FortiClient EMS administrator, the endpoint profile VPN tab
allows you to provision these configurations, along with advanced configurations, such as redundant IPsec
VPN connections, save password, auto connect, and always up, to name a few.

FortiClient EMS 7.0 Study Guide 208

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The SSL VPN configuration is similar to the IPsec configuration, where you configure one side of the tunnel
and the other side is configured on FortiGate.

When personal VPN is not allowed by the FortiClient EMS administrator, the endpoint profile VPN tab allows
you to provision these configurations, along with advanced configurations on SSL VPN portals, and many
more.

DTLS is a Windows-only feature and is not recommended for slower networks. DTLS settings must also be
enabled on FortiGate SSL VPN settings.

FortiClient EMS 7.0 Study Guide 209

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

You can select vulnerability scan for endpoints after connecting to FortiGate, when updating a vulnerability
signature, and for OS updates.

You can also select the Enable Proxy setting to enable proxy.

The Automatic Maintenance setting allows you to configure the vulnerability scan to run as part of Windows
automatic maintenance. Adding FortiClient vulnerability scans to the Windows automatic maintenance queue
allows the system to choose an appropriate time for the scan.

You can also schedule scans. In the Schedule Type drop-down list, you can select Daily, Weekly, or
Monthly. In the Scan On field, you can configure the day the scan will run. This setting applies if the schedule
is set to Monthly. You can also specify the time the scan will start.

Automatic Patching allows patches to be installed automatically when vulnerabilities are detected. You can
select patch severity level such as Critical, High, Medium, Low or All.

The Exclusions section contains options that allow you to exclude applications. The options are shown in the
image on this slide. These options do not exclude applications from vulnerability scanning. When the Disable
Automatic Patching for These Applications button is enabled in exclusion, it disables automatic patching
for the applications excluded from the vulnerability compliance check.

FortiClient EMS 7.0 Study Guide 210

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

If compliance is enabled for FortiClient, and FortiClient EMS compliance rules require it, all automatic and
manual software patches must be installed within a time frame that maintains compliant status and network
access. The default time frame is one day.

However, the FortiGate administrator may choose a different time frame. Contact your system administrator to
learn how long you have to fix vulnerabilities.

FortiClient EMS 7.0 Study Guide 211

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Vulnerability scan identifies vulnerabilities on the endpoint that should be fixed by installing software patches.
You can automatically install software patches by clicking Fix Now, or you can review detected vulnerabilities
before installing software patches. Any software patches that cannot be automatically installed are also listed.
You should manually download and install software patches for the vulnerable software.

FortiClient updates vulnerability scan signatures at specific intervals or daily. For intervals, you must select
the value in hours. The minimum is 1 and the maximum is 24. For daily, you must select a specific time of the
day. FortiClient does not support push updates.

When the scan is complete, FortiClient displays a summary of vulnerabilities found on the endpoint. If any
detected vulnerabilities require you to manually install remediation patches, the list of affected software is also
displayed.

You can view the history of the last seven vulnerability scans and patches. You can view the history to see
what software was identified as vulnerable and whether patches for the vulnerabilities were installed.

FortiClient EMS 7.0 Study Guide 212

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 213

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient endpoint profiles

Now, you will learn how to configure FortiClient settings.

FortiClient EMS 7.0 Study Guide 214

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in configuring FortiClient settings, you will be able to configure different
FortiClient settings to suit your requirements.

FortiClient EMS 7.0 Study Guide 215

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The majority of these configuration options are available only for Windows, macOS, and Linux profiles.
Options such as Upload Logs to FortiAnalyzer/FortiManager are available for all endpoints. Some options
are available only when you enable the Advanced view.

The UI section specifies how the FortiClient user interface appears when installed on endpoints.

The Log section specifies log settings such as Level and Features for which logs will generate. There are
different log levels available for FortiClient. They include Info, Emergency, Alert, Critical, Notice, Debug,
and so on.

You can also select Client-Based Logging When On-Net, this includes local log messages when client is
on-net, and Upload Logs to FortiAnalyzer/FortiManager. This will require the IP address of the
FortiAnalyzer or FortiManager and other settings such as upload schedule, log generation timeout, and log
retention policy in days. You can also select to upload event logs from FortiClient endpoints.

The Proxy section allows you to enable access to FortiGuard servers and submit viruses to FortiGuard using
the configured proxy. You can select proxy type, IP, port, username, and password.

FortiClient EMS 7.0 Study Guide 216

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

In the Update section, you can specify whether FortiManager is used for FortiClient updates. You can also
select FortiClient software updates, the update schedule, FortiGuard server location and type, and anycast.

You must enable FortiProxy to use the web filter options as well as some antivirus options. You can enable
HTTPS Proxy. If disabled, FortiProxy no longer inspects HTTPS traffic. It also enables other useful options
that are shown on this slide.

The Endpoint Control section specifies the settings for the endpoint. You can refer to this slide for all the
options available. For example, an administrator can enable Disable Disconnect to disallow users from
disconnecting the FortiClient telemetry connection to FortiClient EMS.

FortiClient EMS 7.0 Study Guide 217

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The options in the user identity settings sections enables users to specify their identity in FortiClient using
the following methods:
" Manually entering their details in FortiClient
" Logging in to a social media account, such as LinkedIn, Google, or Salesforce.

By default, FortiClient EMS obtains user details from the endpoint OS. If the user provides their details using
one of the methods listed above, FortiClient EMS obtains the user-specified details instead. If this option is
disabled, FortiClient EMS obtains and displays user details from the endpoint OS.

The Zero Trust Network Access (ZTNA) Settings section enables the ZTNA connection rules feature on
FortiClient. This feature on FortiClient is required to manually add rules for ZTNA TCP forwarding access
proxy connections.

The options in the Other section enable CA certificate installation on the client. You can add certificates on
the Manage CA Certificates pane. It also enables the SSO mobility agent for FortiAuthenticator. To use this
feature, you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator device. The
default port is set to 8001. The FortiAuthenticator listens on a configurable TCP port. FortiClient connects to
FortiAuthenticator using TLS/SSL with two-way certificate authentication. FortiClient sends a login packet to
FortiAuthenticator, which replies with an acknowledgement packet. FortiClient to FortiAuthenticator
communication requires the following:
1. The IP address must be unique in the entire network.
2. FortiAuthenticator must be accessible from clients in all locations.
3. FortiAuthenticator must be accessible by all FortiGate devices.

The option in the iOS section allows you to upload .mobileconfig file to distribute the configuration profile.

FortiClient EMS 7.0 Study Guide 218

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

There are additional settings available on the FortiClient system settings GUI, which include:
Backup: to back up the FortiClient configuration.
Restore: to restore the FortiClient configuration. Note that restore button is always grayed out because
FortiClient is managed by FortiClient EMS.

Note that the FortiClient configuration file is an XML format configuration file. When performing a backup, you
can select the file destination and save the file in an unencrypted (.conf) or encrypted format (.sconf). You can
include or exclude comments in the XML configuration file.

FortiClient EMS 7.0 Study Guide 219

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 220

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient settings

Now, you will learn how to configure FortiClient XML.

FortiClient EMS 7.0 Study Guide 221

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring FortiClient XML, you will be able to configure FortiClient
configuration in the XML editor.

FortiClient EMS 7.0 Study Guide 222

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

XML is a markup language that defines a set of rules for encoding documents in a format that is both human-
readable and machine-readable.

FortiClient supports the import and export of its configuration in an XML file, and supports two file types, which
are:
" .conf: a plain-text configuration file
" .sconf: a secure (encrypted) configuration file, which requires a password

You can generate and back up a configuration file (which is an XML file) on the Settings page of the
FortiClient dashboard, or by using the command-line program FCConfig.exe, which is installed with
FortiClient.

In the FortiClient EMS XML editor, you can configure FortiClient profile settings by using XML or a custom
XML configuration file. The custom XML file must include all settings required by the endpoint at the time of
deployment.

FortiClient EMS 7.0 Study Guide 223

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

For the purpose of understanding the FortiClient XML configuration, the major section elements of the XML
configuration are as follows:

" Metadata: facilitates the discovery of relevant information and is the basic data controlling the entire
configuration file.
" System settings: are general settings that are not specific to any of the modules listed below (or affect
more than one module).
" Endpoint control: includes settings related to controlling endpoints, such as enable enforcement, off-net
update, skip confirmation, disable unregister, silent registration, and so on.
" VPN: includes settings related to global options that apply to both SSL VPN and IPsec VPN, and settings
related to SSL VPN and IPsec VPN individually.

You can also configure XML for settings related to certificates, antivirus, single sign-on mobility agent, web
filtering, application firewall, and vulnerability scan.

The XML configuration is controlled by two boolean values (usually denoted as true and false) that enable or
disable a configuration setting40 means false (feature is disabled), and 1 means true (feature is enabled).

Also in this lesson, you will learn how to enable and disable specific configuration settings.

FortiClient EMS 7.0 Study Guide 224

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

All of the XML tags and data in a configuration file are contained inside the XML tag
<forticlient_configuration>. The first line of the configuration starts with a standard XML start tag
<?xml version==1.0= encoding==utf-8=?>, which includes the XML version and encoding.

The XML configuration has elements (or nested child elements) that begin with a start tag and end with a
matching end tag. An empty FortiClient configuration would look like the example shown on this slide.

If you export the configuration from FortiClient, it includes the FortiClient version, date of generation, and OS
version (Windows or Mac OS X) from where the configuration was generated4either FortiGate or FortiClient
FortiClient EMS.

<partial_configuration> is a line of metadata that controls whether the configuration is replaced or

added in an import or restore. The value 0 replaces the configuration, and the value 1 appends the
configuration to the existing configuration.

FortiClient EMS 7.0 Study Guide 225

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The endpoint control configuration element controls settings related to controlling endpoints, such as disable
unregister, silent registration, enable enforcement, off-net update, skip confirmation, which features to display
on the FortiClient console, and so on.

You usually download the endpoint control configurations from FortiGate or FortiClient EMS, or you can build
it using the instructions in the FortiClient XML configuration section in the XML Reference Guide available at
http://docs.fortinet.com.
The endpoint control configurations are divided into two parts:
1. Endpoint control general attributes. These are contained in the <endpoint_control> XML tags.
2. Configuration details relating to specific FortiClient services, such as antivirus, web filtering, application
firewall, vulnerability scanner, and so on. They are found in their respective configuration elements
contained inside their XML tags. For example, the antivirus configuration is contained in the <antivirus>
XML tags.

In the example shown on this slide, silent_registration, allows you to automatically register on
FortiGate or FortiClient EMS without prompting the user to accept the registration. Silent registration is
intended to be used with disable_unregister, which prevents a registered client from being able to
unregister after successfully registering on a FortiGate or FortiClient EMS server.

The addresses XML setting defines that FortiClient will attempt to register on the first FortiGate or
FortiClient EMS listed here. You can add multiple IP addresses delimited with a semicolon.

FortiClient EMS 7.0 Study Guide 226

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

The FortiClient configuration file is user editable and includes all client configurations. When building an XML
configuration, you should adopt the following design considerations:
" Input validation: The import function performs basic validation, and writes to a log when errors or
warnings are found. The default values for omitted configurations are ignored, but for VPN they are defined
in the configuration.
" Handling of password fields: The password and username fields are encrypted (prefixed with <Enc=)
when a configuration is exported. However, the import function is able to take either the cleartext or
encrypted format.
" Segment of configuration file: The XML configuration allows you to import the segment (partial
configuration) of a configuration file. However, the segment should follow the syntax and hierarchy defined
in the XML Reference Guide available at http://docs.fortinet.com.

In the example, the invalid segment configuration file is missing the hierarchy and syntax for
<system> level commands and is considered to be an invalid segment.

Client certificate: Client certificates are exported in an encrypted format in the configuration file.

FortiClient EMS 7.0 Study Guide 227

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 228

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 229

 FortiClient Provisioning Using FortiClient EMS

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to use FortiClient EMS endpoint policy
and components, profiles, profile references, and more. You also learned about FortiClient settings and XML
configuration.

FortiClient EMS 7.0 Study Guide 230

 ZTNA

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about zero trust network access (ZTNA).

By demonstrating competence in ZTNA, you will be able to understand key ZTNA concepts and how to
configure ZTNA. You will also learn how to troubleshoot and debug ZTNA issues on the FortiGate and
FortiClient EMS.

FortiClient EMS 7.0 Study Guide 231

 ZTNA

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 232

 ZTNA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the benefits and basic configuration of ZTNA, you will be able
to implement ZTNA in your environment.

FortiClient EMS 7.0 Study Guide 233

 ZTNA

DO NOT REPRINT
© FORTINET

ZTNA is an access control method that uses client device identification, authentication, and zero trust tags to
provide role-based application access. ZTNA gives administrators the flexibility to manage network access for
on-fabric local users and off-fabric remote users. ZTNA grants access to applications only after device
verification, authenticating the user9s identity, authorizing the user, and then performing context-based posture
checks using zero trust tags.

Traditionally, a user and a device have different sets of rules for on-fabric access and off-fabric VPN access to
company resources. With a distributed workforce, and access that spans company networks, data centers,
and the cloud, managing the rules can be complex. User experience is also affected when an organization
needs multiple VPNs to access various resources.

ZTNA has two modes:

" Full ZTNA allows users to securely access resources through an SSL-encrypted access proxy. This
simplifies remote access by eliminating the use of VPNs.
" IP/MAC filtering uses ZTNA tags to provide an additional factor for identification, and a security posture
check to implement role-based zero-trust access.

FortiClient EMS 7.0 Study Guide 234

 ZTNA

DO NOT REPRINT
© FORTINET

This slide demonstrates ZTNA telemetry, tags, and policy enforcement. You configure ZTNA tag conditions
and policies on FortiClient EMS. FortiClient EMS shares the tag information with FortiGate through Security
Fabric integration. FortiClient communicates directly with FortiClient EMS to continuously share device status
information through ZTNA telemetry. FortiGate can then use ZTNA tags to enforce access control rules to
incoming traffic through ZTNA access.

FortiClient EMS 7.0 Study Guide 235

 ZTNA

DO NOT REPRINT
© FORTINET

To enable ZTNA on the GUI, you must enable the feature on FortiGate System > Feature Visibility, and then
enable Zero Trust Network Access. You must also enable Explicit Proxy feature on the FortiGate System
> Feature Visibility.

ZTNA configuration on the FortiGate requires the following configuration:

" FortiClient EMS adds a fabric connector in the security fabric. FortiGate maintains a continuous connection
to the EMS server to synchronize endpoint device information, and also automatically synchronizes ZTNA
tags. You can create groups and add tags to use in the ZTNA rules and firewall policies.

" The ZTNA server defines the access proxy VIP and the real servers that clients connect to. The firewall
policy matches and redirects client requests to the access proxy VIP. You can also enable authentication.

" A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to
enforce zero-trust role-based access. You can configure security profiles can be configured to protect this
traffic.

" The firewall policy matches and redirects client requests to the access proxy VIP. You can define the
source interface and addresses that can access the VIP can be defined. By default, the destination is any
interface. UTM processing of the traffic happens at the ZTNA rule.

You can also configure authentication to the access proxy. ZTNA supports basic HTTP and SAML methods
are supported.

FortiClient EMS 7.0 Study Guide 236

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient must connect to FortiClient EMS. You can verify connection status on the FortiClient console in the
ZERO TRUST TELEMETRY menu, or on FortiClient EMS by clicking Endpoints > All Endpoints page.

To provide connectivity to the remote FortiClient endpoints, you must allow access to port 8013 on the
FortiClient EMS through the corporate firewall. On FortiGate, you can create a VIP and inbound policy to allow
access to TCP port 8013 from the internet.

FortiClient EMS 7.0 Study Guide 237

 ZTNA

DO NOT REPRINT
© FORTINET

You can configure the on-premises FortiClient EMS connector on FortiGate by clicking Security Fabric >
Fabric Connectors. After applying the FortiClient EMS settings, FortiGate must accept the FortiClient EMS
server certificate. However, when you configure a new connection to FortiClient EMS server, the certificate
might not be trusted. To resolve, you must manually export and install the certificate on FortiGate. The
FortiClient EMS certificate that is used by default for the SDN connection is signed by the CA certificate that is
saved on the Windows server when you first install FortiClient EMS. This certificate is stored in the Trusted
Root Certification Authorities folder on the server. For more information about exporting and
installing certificates on FortiGate, refer to the FortiOS-7.0.1 Administration Guide.

Next, you must authorize FortiGate on FortiClient EMS. If you log in to FortiClient EMS, a pop-up window
opens, requesting you to authorize FortiGate. If you do not log in, you can click Administration > Devices,
select the FortiGate device, and then authorize it. Note that the FortiClient EMS connector status appears
down until you authorize FortiGate on FortiClient EMS.

FortiGate automatically synchronizes ZTNA tags after it connects to FortiClient EMS.

FortiClient EMS 7.0 Study Guide 238

 ZTNA

DO NOT REPRINT
© FORTINET

You can create, edit, and delete zero trust tagging rules for Windows, macOS, Linux, iOS, and Android
endpoints. The following happens when using zero trust tagging rules with FortiClient EMS and FortiClient:
" FortiClient EMS sends zero trust tagging rules to endpoints through telemetry communication.
" FortiClient checks endpoints using the provided rules and sends the results to FortiClient EMS.
" FortiClient EMS receives the results from FortiClient.
" FortiClient EMS dynamically groups endpoints together using the tag configured for each rule. You can
view the dynamic endpoint groups by clicking Zero Trust Tags > Zero Trust Tag Monitor.

Note that when the endpoint network changes or user login and logout events occur, FortiClient triggers an X-
FFCK-TAG message to FortiClient EMS, even if there are no tag changes. After FortiClient EMS receives the
tags, it processes them immediately, and updates the FortiOS tags within five seconds of the REST API
response. For other tag changes, FortiClient sends the information to FortiClient EMS regularly.

FortiClient EMS 7.0 Study Guide 239

 ZTNA

DO NOT REPRINT
© FORTINET

You can click Add to add a new rule on the Zero Trust Tagging Rules page. The rule set requires a name,
tag, and rule types for different operating systems. The type of OS you select affects what rule types and
related options are available. You can configure multiple rule types on the rule set.

By default, an endpoint must satisfy all configured rules to be eligible for the rule set. You may want to apply
the tag to endpoints that satisfy some, but not all, of the configured rules. In this case, you can modify the rule
set logic. In the example shown on this slide, an administrator wants to apply the same tag to endpoints that
fulfill one of the following criteria:
" Running Windows 10
" Running Windows 7, and antivirus software is installed and running

With the default rule set logic, an endpoint would be eligible for the rule set if it is running Windows 7 or 10
and has antivirus software installed and running. To modify the rule set logic, click Edit Logic to numerical
values to each rule. Enter (1 and 2) or 3, to indicate that endpoints that satisfy both the antivirus and
Windows 7 rules (rules 1 and 2) or only the Windows 10 rule (rule 3) satisfy the rule set. To restore the default
logic, you can click Default Logic.

You can use and and or to define the rule logic. You cannot use not when defining the rule logic. You can
also use parentheses to group rules, as show on this slide.

FortiClient EMS 7.0 Study Guide 240

 ZTNA

DO NOT REPRINT
© FORTINET

You can import and export a zero-trust tagging rule set as a JSON file. You can also use a zero-trust tagging
rule as a predefined rule for FortiGuard outbreak alerts by uploading rule signatures.

The JSON file should contain an array of alert objects, each with a tag name and array of signatures. Each
signature should have the following properties:
" OS (Windows, MacOS, Linux, iOS, Android)
" Type (file, registry, process)
" Content
If the import succeeds, FortiClient EMS displays a FortiGuard outbreak alert signatures imported
successfully message. If the file is formatted incorrectly, FortiClient EMS shows an Invalid JSON error.

FortiClient EMS 7.0 Study Guide 241

 ZTNA

DO NOT REPRINT
© FORTINET

The Manage Tags window displays all configured tags and the rules that apply the tags to endpoints that
satisfy the rule. You can delete tags that do not have any rules attached. In the example shown on this slide,
you can delete the Server 2012 rule because it does not have any rules attached.

You can view all dynamic endpoint groups in the Zero Trust Tag Monitor section. FortiClient EMS creates
dynamic endpoint groups based on the tag configured for each rule.

The endpoint must satisfy all configured conditions to satisfy the rule. You can use the NOT operator as well.
Note that not all the rule types support the NOT operator. For detailed information, refer to the FortiOS 7.1.
Administration Guide.

FortiClient EMS 7.0 Study Guide 242

 ZTNA

DO NOT REPRINT
© FORTINET

ZTNA tagging rule has different rule types which varies with OS you select. This slide shows the zero trust
tagging rule types available for Windows OS. Each rule type gives options to select. For example if you select
AD Group then you need to select the desired AD group from the available group on the domain server. To
use this option, you must configure your domain under Endpoints. For all rule types, you can
configure multiple conditions.

The endpoint must satisfy all configured conditions to satisfy the rule. You can use the NOT as well. Note that
not all the rule types support NOT option. For detailed information about all the rules types and OS these are
available for, refer to the FortiOS-7.0-Administartion Guide.

FortiClient EMS 7.0 Study Guide 243

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 244

 ZTNA

DO NOT REPRINT
© FORTINET

Good job! You now know about ZTNA and its basic configuration requirements.

Now, you will learn about device identity and trust among FortiClient, FortiClient EMS, and FortiGate.

FortiClient EMS 7.0 Study Guide 245

 ZTNA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in device identity and trust, you will be able to understand device roles and
how SSL certificate-based authentication works.

FortiClient EMS 7.0 Study Guide 246

 ZTNA

DO NOT REPRINT
© FORTINET

Device identity and trust are integral to ZTNA. Device identity is established through client certificates, and
trust is established among FortiClient, FortiClient EMS, and FortiGate devices. In ZTNA, devices perform
specific roles.

FortiClient provides the following information to FortiClient EMS when it registers:

" Device information (network details, operating system, model, and so on)
" Logged in user information
" Security posture (On-fabric and Off-fabric, antivirus software, vulnerability status, and so on)
FortiClient also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA)
on its first attempt to connect to the access proxy. The client uses this certificate to identify itself to FortiGate.

FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and
EMS serial number. FortiClient EMS then synchronizes the certificate with FortiGate. FortiClient EMS also
shares its EMS ZTNA CA certificate with FortiGate, so that FortiGate can use it to authenticate the clients.
FortiClient EMS uses zero-trust tagging rules to tag endpoints based on the information that it has on each
endpoint. FortiClient EMS also shares the tags with FortiGate.

FortiGate maintains a continuous connection to FortiClient EMS to synchronize endpoint device information
such as FortiClient UID, client certificate SN, FortiClient EMS SN, network details (IP and MAC address), and
so on. When device information changes, such as when a client moves from on-fabric to off-fabric, or their
security posture changes, FortiClient EMS updates the device information, and then updates the FortiGate.

FortiClient EMS 7.0 Study Guide 247

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign
CSRs from the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing
updates to the FortiGate and FortiClient endpoints by generating new certificates for each client. FortiClient
EMS can also manage individual client certificates. You can also revoke the certificate that is used by the
endpoint when certificate private keys show signs of being compromised. Click Endpoint > All Endpoints,
select the client, and then click Action > Revoke Client Certificate.

Do not confuse the FortiClient EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server
certificate that is used by FortiClient EMS for HTTPS access and fabric connectivity to the FortiClient EMS
server.

FortiClient EMS 7.0 Study Guide 248

 ZTNA

DO NOT REPRINT
© FORTINET

In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in
the store, such as certificate UID and SN, should match the information on FortiClient EMS and FortiGate. To
locate certificates on other operating systems, consult the vendor documentation.

You can use the CLI command diagnose endpoint record list a to verify the presence of matching
endpoint record, and information such as the client UID, client certificate SN, and EMS certificate SN on the
FortiGate. If any of the information is missing or incomplete, client certificate authentication might fail because
FortiClient cannot locate the corresponding endpoint entry.

This slide shows that client certificate information is synchronized to the FortiGate.

FortiClient EMS 7.0 Study Guide 249

 ZTNA

DO NOT REPRINT
© FORTINET

Endpoint obtains a client certificate when it registers to FortiClient EMS. FortiClient automatically submits a
CSR request and the FortiClient EMS signs and returns the client certificate. This certificate is stored in the
operating system certificate store for subsequent connections. The endpoint information is synchronized
between FortiGate and FortiClient EMS. When an endpoint disconnects or is unregistered from FortiClient
EMS, its certificate is removed from the certificate store and revokes on FortiClient EMS. The endpoint
obtains a certificate again when it reconnects to the FortiClient EMS.

By default, client certificate authentication is enabled on the access proxy, so when FortiGate receives the
HTTPS request, the FortiGate WAD process challenges the client to identify itself with its certificate. The
FortiGate makes a decision based on specific possibilities.

If the client responds with the correct certificate that the client UID and certificate SN can be extracted from:
" If the client UID and certificate SN match the record on FortiGate, the client is allowed to continue with the
ZTNA proxy rule processing.
" If the client UID and certificate SN do not match the record on FortiGate, the client is blocked from further
ZTNA proxy rule processing.

If the client cancels and responds with an empty client certificate, the client is allowed to continue with ZTNA
proxy rule processing when you can empty-cert-action to accept. If empty-cert-action to block,
FortiGate blocks the client from further ZTNA proxy rule processing.

FortiClient EMS 7.0 Study Guide 250

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 251

 ZTNA

DO NOT REPRINT
© FORTINET

Good job! You now know about device identity, trust among FortiClient, FortiClient EMS, and FortiGate, and
certificate-based authentication.

Now, you will learn about different ZTNA configuration setups.

FortiClient EMS 7.0 Study Guide 252

 ZTNA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding ZTNA configuration setups, you will be able to implement the
ZTNA configuration your environment requires.

FortiClient EMS 7.0 Study Guide 253

 ZTNA

DO NOT REPRINT
© FORTINET

The FortiGate HTTPS access proxy works as a reverse proxy for the HTTP server. When a client connects to
a web page hosted by the protected server, the address resolves to the FortiGate access proxy VIP
(192.186.2.86:8443), as shown on this slide. FortiGate proxies the connection and takes steps to
authenticate the device. It prompts the user for the endpoint certificate on the browser, and verifies this
against the ZTNA endpoint record that is synchronized from the FortiClient EMS.

This example shows access control that allows or denies traffic based on ZTNA tags. FortiGate allows the
traffic when the FortiClient endpoint is tagged as Low risk, and denies the traffic when the endpoint is tagged
with Malicious-File-Detected. This setup assumes that the FortiGate EMS fabric connector is already
successfully connected and the tagging rule Malicious-File-Detected is configured, which you learned about
in a previous section.

ZTNA also support IPv6. You can configure the following IPv6 scenarios:
" IPv6 Client 4 IPv6 Access Proxy 4 IPv6 Server
" IPv6 Client 4 IPv6 Access Proxy 4 IPv4 Server
" IPv4 Client 4 IPv4 Access Proxy 4 IPv6 Server

FortiClient EMS 7.0 Study Guide 254

 ZTNA

DO NOT REPRINT
© FORTINET

After you can FortiClient EMS as the fabric connector and you sync ZTNA tags with FortiGate, you must
create a ZTNA server or access proxy. The access proxy VIP is the FortiGate ZTNA gateway that clients
make HTTPS connections to. The service and server mappings define the virtual host matching rules and the
real server mappings of the HTTPS requests.

The example on this slide shows access proxy VIP and the real server IP. The IP address 100.64.1.250 and
port 9443 is an access proxy VIP that the client connects to, and then the request redirects the client to real
server IP address 10.0.1.250 on port 443. In the Service/server mapping window, you can select Any Host
so that any request that resolves to the access proxy VIP is mapped to the real servers. For example, if both
www.example1.com and www.example2.com resolve to the VIP, then both requests are mapped to your
real servers. The Specify option allows you to configure the name or IP address of the host that the request
must match. For example, if you enter www.example2.com as the host, then only requests to
www.example2.com match. The path can be matched by substring, wildcard, or regular expression. For
example, if you specify the virtual host as www.example2.com, and the path substring is map1 as shown on
this slide, then www.example2/map1 is matched.

The Servers table, allows you to configure the real server IP address, port number, and status. You can
configure multiple servers and server mappings.

FortiClient EMS 7.0 Study Guide 255

 ZTNA

DO NOT REPRINT
© FORTINET

A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to
enforce zero-trust role-based access. To create a rule, type a rule name, and add IP addresses and ZTNA
tags or tag groups that are allowed or blocked access. You also select the ZTNA server as the destination.
You can also apply security profiles to protect this traffic.

This slide shows two rules as an example. One is configured to allow endpoints that are tagged as Remote-
Endpoints, and the other is configured to block endpoints that are tagged as Malicious-File-Detected.

FortiClient EMS 7.0 Study Guide 256

 ZTNA

DO NOT REPRINT
© FORTINET

The firewall policy matches and redirects client requests to the access proxy VIP. You can define source
interface and addresses that are allowed access to the VIP. By default, the destination is any interface, so
after a policy is configured for full ZTNA, the policy list is organized by sequence. The example on this slide is
configured to allow ALL services from all IP addresses at port1 as the incoming interface to ZTNA-
webserver as the destination.

Note that UTM processing of the traffic happens at the ZTNA rule.

FortiClient EMS 7.0 Study Guide 257

 ZTNA

DO NOT REPRINT
© FORTINET

You can add authentication to the access proxy, which requires you to configure an authentication scheme
and authentication rule on the FortiGate CLI. You use authentication schemes and authentication rules to
authenticate proxy-based policies, similar to configuring authentication for explicit and transparent proxy.

The authentication scheme defines the method of authentication that is applied. ZTNA supports basic HTTP
and SAML methods. Each method has additional settings to define the data source. For example, with basic
HTTP authentication, a user database can reference an LDAP server, RADIUS server, local database, or
other supported authentication servers that the user is authenticated against.

The authentication rule defines the proxy sources and destinations that require authentication, and which
authentication scheme to apply. ZTNA supports the active authentication method. The active authentication
method references a scheme where users are actively prompted for authentication, as they are with basic
authentication. After the authentication rule triggers the method to authenticate the user, a successful
authentication returns the groups that the user belongs to.

In the ZTNA rule and proxy policy, you can define a user or user group as the allowed source. Only users that
match that user or group are allowed through the proxy policy. This slide shows the ZTNA rule
example that user group ZTNAaccess_group was added to the authentication
configuration after the authentication scheme and authentication rule were added to
FortiGate.

FortiClient EMS 7.0 Study Guide 258

 ZTNA

DO NOT REPRINT
© FORTINET

You can also apply the SAML authentication method to authenticate the client. The FortiGate acts as the
SAML SP, and a SAML authenticator serves as the IdP. In addition to verifying the user and device identity
with the client certificate, the user is also authorized, based on user credentials, to establish a trust context
before granting access to the protected resource. For configuration details, refer to the FortiOS 7.0.1
Administration Guide.

FortiClient EMS 7.0 Study Guide 259

 ZTNA

DO NOT REPRINT
© FORTINET

In the example shown on this slide, a TCP forwarding access proxy (TFAP) is configured to demonstrate an
HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP
traffic between the client and FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It
verifies user identity, device identity, and trust context, before granting access to the protected source.

RDP access is configured to Winserver, and SSH access to the FortiAnalyzer. The topology shown on this
slide uses IP address 10.0.3.11 and port-8443 for the external access proxy VIP.

You can also add authentication and a security posture check for TCP Forwarding Access Proxy, which you
learned about earlier in this lesson.

FortiClient EMS 7.0 Study Guide 260

 ZTNA

DO NOT REPRINT
© FORTINET

The topology shown on this slide uses IP address 10.0.3.11 and port-8443 for the external access proxy
VIP. Currently, FortiOS 7.0.0 does not fully support TCP forwarding access proxy configurations done on the
GUI. Therefore, you must configure the access proxy on the CLI. After you create the access proxy VIP, you
can view it on the GUI but you cannot make changes to it on the GUI.

This slide shows how to configure the access proxy VIP and access proxy server mappings using the CLI.
The RDP and SSH ports and real server IP addresses are already mapped. The mapped port restricts the
mapping to the specified port or port range. If mapped port is not specified, then any port is matched. The
mapped addresses must be address objects. Therefore, you can use the preexisting FortiAnalyzer and
Winserver addresses. You must create an address object before configuring the proxy VIP.

FortiClient EMS 7.0 Study Guide 261

 ZTNA

DO NOT REPRINT
© FORTINET

Next, you configure a ZTNA rule for access control and a firewall policy for full ZTNA function. This slide
shows the ZTNA rule and firewall policy for the example topology.

FortiClient EMS 7.0 Study Guide 262

 ZTNA

DO NOT REPRINT
© FORTINET

Before connecting, users must create a ZTNA rule on FortiClient. Currently, ZTNA Connection Rule
configuration from FortiClient EMS is not available in 7.0.0. You must configure them manually on FortiClient
to connect.

Note that your Destination Host is the real internal IP address and port of the server. The RDP and SSH
connections securely proxied through the gateway.

You can also configure a ZTNA TCP forwarding access proxy without encryption. The connection still begins
with a TLS handshake. The client uses the HTTP 101 response to switch protocols and remove the HTTPS
stack. Further end-to-end communication between the client and server are encapsulated in the specified
TCP port, but not encrypted by the access proxy. This improves performance by reducing the overhead of
encrypting an already secured underlying protocol, such as RDP, SSH, or FTPS. Users should still enable the
encryption option for end-to-end protocols that are insecure. In a real-life application, you should use the
encryption option for an insecure protocol such as Telnet.

FortiClient EMS 7.0 Study Guide 263

 ZTNA

DO NOT REPRINT
© FORTINET

When you enable ZTNA on FortiGate, the firewall policy provides two options:
" Full ZTNA
" IP/MAC filtering

ZTNA IP/MAC filtering mode enhances security when endpoints are physically located on the corporate
network, whereas full ZTNA mode focuses on access for remote users. ZTNA IP/MAC filtering mode uses
ZTNA tags to control access between on-fabric devices and an internal web server or internet. This mode
does not require the use of the access proxy, and uses only ZTNA tags for access control.

The example firewall policy on this slide uses the existing Malicious-File-Detected tag to control access.
Traffic is denied to internet when the FortiClient endpoint is tagged with Malicious-File-Detected.

FortiClient EMS 7.0 Study Guide 264

 ZTNA

DO NOT REPRINT
© FORTINET

You can configure ZTNA with an SSH access proxy to provide a seamless SSH connection to the server.

Advantages of using an SSH access proxy instead of a TCP forwarding access proxy include:
" Establishing device trust context with user identity and device identity checks
" Applying SSH deep inspection to the traffic through the SSH related profile
" Performing optional SSH host-key validation of the server
" Using one-time user authentication to authenticate the ZTNA SSH access proxy connection and the SSH
server connection

To act as a reverse proxy for the SSH server, FortiGate must perform SSH host-key validation to verify the
identity of the SSH server. FortiGate does this by storing the public key of the SSH server in its SSH host-key
configurations. When endpoint makes a connection to the SSH server, if the public key matches one that is
used by the server, then the connection is established. If there is no match, then the connection fails.

FortiClient EMS 7.0 Study Guide 265

 ZTNA

DO NOT REPRINT
© FORTINET

The SSH access proxy allows user authentication to occur between the client and the access proxy, while
using the same user credentials to authenticate with the SSH server. The steps on this slide explains how
this works.

FortiClient EMS 7.0 Study Guide 266

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 267

 ZTNA

DO NOT REPRINT
© FORTINET

Good job! You now know about different ZTNA configuration setups.

Now, you will compare ZTNA to SSL and IPsec VPN.

FortiClient EMS 7.0 Study Guide 268

 ZTNA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the evolution of remote access with ZTNA, you will be able to
migrate from VPN to ZTNA HTTPS access proxy.

FortiClient EMS 7.0 Study Guide 269

 ZTNA

DO NOT REPRINT
© FORTINET

How are SSL VPN and ZTNA access different from IPsec VPNs?

SSL and TLS are commonly used to encapsulate and secure e-commerce and online banking on the internet
(HTTP). SSL VPNs and ZTNA use a similar technique, and support non-HTTP protocol encapsulation as well.
SSL resides higher up on the network stack than IP and, therefore, it usually requires more bits4more
bandwidth4for SSL VPN headers. In comparison, IPsec uses some different methods to provide
confidentiality and integrity. The primary protocol used in IPSec is ESP, which encapsulates and encrypts
UDP, RDP, HTTP, or other protocols inside the IPsec tunnel.

IPSec is also an industry-standard protocol that can work with multiple vendors and supports peers that are
devices and gateways4not just user clients with FortiGate only, like SSL VPN or ZTNA does.

The client software is also different. In an SSL VPN or ZTNA, your web browser might be the only client
software you need. You can go to the FortiGate SSL VPN portal (an HTTPS web page) and then log in.
Alternatively, you can install FortiClient or configure FortiGate as an SSL VPN client. In comparison, to use
IPsec VPN, install special client software or have a local gateway, such as a desktop model FortiGate, to
connect to the remote gateway. You might also need to configure firewalls between VPN peers to allow IPsec
protocols.

FortiClient EMS 7.0 Study Guide 270

 ZTNA

DO NOT REPRINT
© FORTINET

After you logged in, the SSL VPN connects your computer to your private network. No user-configured
settings are required, and firewalls are typically configured to allow outgoing HTTP, so technical support calls
are less likely. Simplicity makes ZTNA and SSL VPN ideal for non-technical users, or users who connect from
public computers, such as those found in public libraries and internet cafés. ZTNA takes this a step further
and makes it easier for administrators to perform device compliance checks and configuration. ZTNA also
provides an additional authentication mechanism for access control without any interaction required from the
end user.

In general, IPsec VPN is preferred when tunnels must be up continuously and interoperate with many types of
devices, while SSL VPN is preferred when people travel and need to connect to the office.

FortiClient EMS 7.0 Study Guide 271

 ZTNA

DO NOT REPRINT
© FORTINET

You can use ZTNA to replace VPN-based teleworking solutions. The example on this slide shows that you
can migrate teleworking configurations that use SSL VPN tunnel or web portal mode access to ZTNA with
HTTPS access proxy, and continue to use the same authentication server and groups to authenticate your
remote users.

In addition, by integrating with FortiClient EMS, you can also ensure that FortiGate performs device
identification is using client certificates, and checks the security posture before allowing the remote user into
the website. This provides granular control over who can access the web resource using role-based access
control. It also gives the user transparent access to the website using only their browser. You can even
configure ZTNA IP/MAC filtering mode for on-fabric devices to provide similar access control while users are
on the network.

FortiClient EMS 7.0 Study Guide 272

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 273

 ZTNA

DO NOT REPRINT
© FORTINET

Good job! You now understand the evolution of teleworker remote access with ZTNA

Now, you will learn how to troubleshoot and debug ZTNA configuration issues.

FortiClient EMS 7.0 Study Guide 274

 ZTNA

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in troubleshooting and debugging ZTNA issues, you will be able to solve ZTNA
issues between FortiGate and FortiClient EMS.

FortiClient EMS 7.0 Study Guide 275

 ZTNA

DO NOT REPRINT
© FORTINET

The table on this slide shows the debug CLI commands that you can use to troubleshoot ZTNA on FortiGate.

FortiClient EMS 7.0 Study Guide 276

 ZTNA

DO NOT REPRINT
© FORTINET

This slide is the continuation of the CLI command table.

Note that the WAD daemon handles proxy-related processing, and the FortiClient NAC daemon (fcnacd)
handles connectivity between FortiGate to FortiClient EMS. The next slides show the CLI command use and
output.

FortiClient EMS 7.0 Study Guide 277

 ZTNA

DO NOT REPRINT
© FORTINET

On this slide, the diagnose endpoint fctems test-connectivity command shows that the
connection between FortiGate and FortiClient EMS is successful. The execute fctems verify command
shows that the server certificate is verified with FortiGate, and the diagnose test application fcnacd
2 command dumps the FortiClient EMS connectivity information.

If fcnacd does not report the correct status, run real-time fcnacd debugs by running the following CLI
commands:
# diagnose debug application fcnacd -1
# diagnose debug enable

FortiClient EMS 7.0 Study Guide 278

 ZTNA

DO NOT REPRINT
© FORTINET

On this slide, the diagnose endpoint record list <IP address> command shows the network,
registration, client certificate, and device information. It also shows the vulnerability status and position relative
to FortiGate. This command without an IP filter shows all the endpoint records that are connected to
FortiClient EMS and synced with FortiGate.

FortiClient EMS 7.0 Study Guide 279

 ZTNA

DO NOT REPRINT
© FORTINET

Use the diagnose endpoint wad-comm find-by uid or ip-vdom pair command is used to query
endpoint information that includes ZTNA tags. The CLI output on this slide shows that specific endpoint has 3
ZTNA tags named ZT_OS_WIN, all_registered_clients, and Medium.

FortiClient EMS 7.0 Study Guide 280

 ZTNA

DO NOT REPRINT
© FORTINET

The diagnose endpoint wad dev query-by uid or ipv4 command provides endpoint information
from the FortiGate WAD daemon. The WAD daemon handles processing related to proxy (access proxy),
which you learned about earlier.

FortiClient EMS 7.0 Study Guide 281

 ZTNA

DO NOT REPRINT
© FORTINET

The diagnose firewall dynamic list command shows all the dynamic ZTNA IP and MAC addresses
learned from EMS.

FortiClient EMS 7.0 Study Guide 282

 ZTNA

DO NOT REPRINT
© FORTINET

Use the diagnose test application fcnacd 7 or 8 command shown on this slide to check
endpoint ZTNA and route cache. The WAD commands on this slide is used to troubleshoot WAD with real-
time debugs, to understand how the proxy handled a client request.

Note that you should always reset the debugs after using them by running, diagnose debug reset
command.

FortiClient EMS 7.0 Study Guide 283

 ZTNA

DO NOT REPRINT
© FORTINET

The ZTNA log subtype is added to UTM logs, and a traffic log ID is added for ZTNA-related traffic. There are
six events that generate logs in the subtype:
1. Received an empty client certificate
2. Received a client certificate that fails to validate
3. API gateway cannot be matched
4. None of the real servers can be reached
5. ZTNA rule (proxy policy) cannot be matched
6. HTTPS SNI virtual host does not match the HTTP host header

ZTNA-related traffic generates logs when you enable logging for allowed traffic in the policy. This slide shows
the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access proxy. The client
did not send a client certificate to FortiGate for verification. FortiGate disallows and blocks the empty
certificate.

FortiClient EMS 7.0 Study Guide 284

 ZTNA

DO NOT REPRINT
© FORTINET

This slide shows the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access
proxy. The client sends a client certificate to FortiGate for verification, but the certificate fails validation.

FortiClient EMS 7.0 Study Guide 285

 ZTNA

DO NOT REPRINT
© FORTINET

This slide shows the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access
proxy. The client tries to connect to an API gateway that does not match any virtual host, or the real server
cannot be reached.

FortiClient EMS 7.0 Study Guide 286

 ZTNA

DO NOT REPRINT
© FORTINET

This slide shows the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access
proxy but is unable to match the ZTNA rule (proxy policy). For example, no ZTNA rule is matched for the
ZTNA tag assigned to the endpoint.

FortiClient EMS 7.0 Study Guide 287

 ZTNA

DO NOT REPRINT
© FORTINET

This slide shows the UTM and traffic logs that are generated when FortiGate connects to the ZTNA access
proxy and the HTTPS SNI virtual host does not match the HTTP host header. The server name indication
(SNI) or host name must match the host header field in the URL request.

FortiClient EMS 7.0 Study Guide 288

 ZTNA

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 289

 ZTNA

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 290

 ZTNA

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned about ZTNA key concepts and how to
configure different configuration setups. You also learned about the evolution of teleworker remote access,
and how to troubleshoot and debug ZTNA issues.

FortiClient EMS 7.0 Study Guide 291

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

In this lesson, you will learn how to diagnose and troubleshoot FortiClient issues and FortiClient EMS issues.

FortiClient EMS 7.0 Study Guide 292

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

In this lesson, you will learn about the topics shown on this slide.

FortiClient EMS 7.0 Study Guide 293

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in approaching and troubleshooting FortiClient issues, you will be able to solve
FortiClient and FortiClient EMS issues.

FortiClient EMS 7.0 Study Guide 294

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Before you can resolve a FortiClient issue, you need to identify the issue by gathering information to pinpoint
and define it.

For example, if the issue is registering FortiClient to FortiGate or FortiClient EMS, ask and answer the
following questions: Has the registration process ever worked? Is the existing installation not working?

If the answer to these questions is yes, check for possible changes, such as changes to the device (OS
updates, changes to administrator permissions), connection location (working from the office but not from
home), and configuration and network changes.

Now you know the exact nature of the problem: FortiClient is not registering from home. The next step is to
analyze the problem, which leads to possible opportunities to resolve the issue.

FortiClient EMS 7.0 Study Guide 295

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The analysis phase requires testing, checking, and comparing with other users to determine if they are
encountering similar issues.

Once it is determined that other users are encountering similar problems, further dissect the issue. By
comparing the expected results with your results. Find out if the issue is reproducible. These actions result in
a list of possible solutions that you can evaluate in the lab.

Remember, there might be multiple ways to resolve an issue. You should always document each of possible
solution. You should also create a backup plan before implementing a solution, in case you need to revert to a
previous state.

Once you implement a solution, monitor and review the results.

FortiClient EMS 7.0 Study Guide 296

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Good job! You now understand how to approach FortiClient issues.

Now, you will learn about FortiClient EMS issues.

FortiClient EMS 7.0 Study Guide 297

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in taking diagnostic steps, you will be able to diagnose and resolve common
issues between FortiClient, FortiClient EMS, and FortiGate.

FortiClient EMS 7.0 Study Guide 298

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient can use a Zero Trust Telemetry IP address to connect FortiClient Telemetry to FortiClient EMS.
After FortiClient software installation completes on an endpoint, FortiClient automatically launches and
connects telemetry to the FortiClient EMS server that created the installed deployment package. You can also
manually enter the FortiClient EMS IP address.

Note that FortiClient uses the same process to connect telemetry to FortiClient EMS after
the FortiClient endpoint restarts, rejoins the network, or encounters a network change.

FortiClient EMS 7.0 Study Guide 299

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

If your FortiClient is installed on a domain-joined endpoint, you can use the following CLI command to verify
the SMB and RPC services are bound to ports 445 and 135, respectively. Run CLI commend netstat -ano
| find 135 or 445 on the endpoint to verify. The image on this slide shows that Windows is listing to
port TCP 135 and 445. You can also use this command on the FortiClient EMS server.

To test the connectivity between FortiClient and FortiClient EMS, you can use the command prompt and the
built-in Telnet application to verify this. Ensure that Telnet is enabled on your endpoint by going to Control
Panel > Turn Windows features on or off, and ensuring that the Telnet Client checkbox is selected.

In the example on this slide, 100.64.1.100 is the FortiClient EMS server IP address, and 8013 is the port that
is being checked. Run telnet 100.64.1.100 8013.
If the command is successful, the command prompt returns a blinking cursor. If the command is unsuccessful,
the command prompt returns a warning that the connection could not be opened, as shown in this slide.

FortiClient EMS 7.0 Study Guide 300

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Multiple dependencies and various factors can be involved when troubleshooting FortiClient and FortiClient
EMS issues. Common issues can be that FortiClient is unable to automatically detect any computer running
Microsoft Windows, you are unable to install or uninstall FortiClient from the host machine, or you are unable
to deploy changes using FortiClient EMS. You can resolve these issues by verifying the computer browser
services, account permissions, and ports and services enabled for FortiClient EMS.

1. Computer browser services automatically detect Microsoft Windows computers within the same local
network. Make sure computer browser services are running. For example, if the FortiClient EMS is
installed on Windows 2012 R2, on which the computer browser service is disabled by default, FortiClient
EMS will not detect computers on the same network, even if they are available.
2. Account permissions are required. Make sure the server and client have the correct account permissions
to deploy the changes. For example, the administrator needs the correct permissions to create or deploy
the changes on FortiClient EMS.
3. Confirm that the required ports and Windows services are enabled on EMS. FortiClient EMS uses many
ports and services in order to communicate with clients and servers running associated applications.
Make sure these ports and services are enabled for use for FortiClient EMS. On the client side, make
sure Task Scheduler is set to Automatic, Windows Installer is set to Manual, and Remote Registry is
set to Automatic.

FortiClient EMS has several dashboard widgets that provide information about managed clients and their
current statuses. You can view alerts generated by FortiClient EMS by clicking the bell icon in the toolbar,
which shows you generated alerts. An example of a common alert is <New version of FortiClient is available=.
Note that configuration changes to FortiClient are always pushed by EMS. FortiClient sends telemetry data
only for status updates.

FortiClient EMS 7.0 Study Guide 301

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can view the logs on FortiClient EMS using the Log Viewer page. You can filter logs by using various
parameters, such as date/time, log level, source (such as EMS Service, Update Service, AD Service), and
messages.

In the example shown on this slide, the logs provide detailed messages about the event occurred, which you
can use to troubleshoot the issues with FortiClient and FortiClient EMS. You should change the log level to
Debug.

FortiClient EMS 7.0 Study Guide 302

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 303

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Good job! You now understand the diagnostics steps involved in resolving common issues between FortiClient and
FortiClient EMS.

Now, you will learn about FortiClient components and troubleshooting.

FortiClient EMS 7.0 Study Guide 304

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in FortiClient components and troubleshooting, you will be able to resolve
issues on the Windows operating systems.

FortiClient EMS 7.0 Study Guide 305

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

When FortiClient is installed on Windows OS, by default it is installed in Program Files(x86) on

Windows 32-bit OS, and Program Files on Windows 64-bit OS. The FortiClient directory is created only
during installation and removed during uninstallation.

You can change the default installation directory while installing FortiClient. FortiClient is protected by
FortiShield, which is digitally signed and prevents modification of the Windows registry. The FortiClient folder
contains .EXE files, .DLL files, logs, signatures, quarantine files, and so on.

FortiClient EMS 7.0 Study Guide 306

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

When you install FortiClient, it installs a number of executables, DLL files, signatures, and so on. Refer to this
slide for the list of FortiClient executable files and descriptions.

FortiClient EMS 7.0 Study Guide 307

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

When FortiClient is installed on Windows OS, it installs the necessary drivers on Windows 32-bit OS and
Windows 64-bit OS. Refer to this slide for the list of FortiClient drivers and descriptions.

FortiClient EMS 7.0 Study Guide 308

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can check the FortiClient registry keys at the location shown on this slide. The registry keys are protected
by FortiShield.

Unlike XML, registry keys are cryptic and the user requires detailed knowledge to configure. The keys can9t be
documented in any format and so they are not supported on the FortiClient GUI. The keys are intended for
use by developers.

Note that, in some cases, Fortinet support can ask you to change the FortiClient registry or replace FortiClient
files. To perform this task, you must stop FortiShield first:
" Disconnect FortiClient from FortiClient EMS.
" Shut down FortiClient.
" In an elevated command-line window, type sc stop fortishield.

FortiClient EMS 7.0 Study Guide 309

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can use the FortiClient Diagnostic Tool to generate a debug report, and then provide the debug report to
the FortiClient team to help with troubleshooting. For example, if you are working with customer support on a
problem, you can generate a debug report, and send the report to customer support to help with
troubleshooting.

The FortiClient Diagnostic Tool does not record sensitive information. It contains information about the
endpoint that are shown on this slide.

FortiClient EMS 7.0 Study Guide 310

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

By default, the log level is set to Information, which provides enough related information to resolve common
FortiClient issues. However, you can change the log level on FortiClient EMS, and then push the necessary
configuration from the System Settings page to FortiClient.

There are various log levels on FortiClient, such as Emergency, Alert, Information, Debug, and so on. To
get more detailed logs for debugging, change the log level to Debug.

Note that you can clear the checkboxes next to features to reduce log entries when troubleshooting a specific
feature issue.

FortiClient EMS 7.0 Study Guide 311

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient can cause blue screen of death (BSoD) when it conflicts with third-party software. If this happens,
provide a kernel memory dump. It is usually located in the Windows folder, as shown in this slide.

To configure the collection of dump files, refer to the Microsoft documents links that are shown on this slide.

Run and provide the output of FortiClient_Diagnostic_Tool.exe. You can download the tool from the
Fortinet support website.

FortiClient EMS 7.0 Study Guide 312

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 313

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient components and troubleshooting on Windows operating systems.

Now, you will learn about FortiClient EMS troubleshooting.

FortiClient EMS 7.0 Study Guide 314

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in FortiClient EMS components and troubleshooting, you will be able to resolve
EMS issues on Windows servers.

FortiClient EMS 7.0 Study Guide 315

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

By default, FortiClient EMS is installed in Windows Program Files (x86) on the Windows 64-bit OS. The
FortiClient EMS directory is created only during installation and is removed during uninstallation.

You can change the default installation directory while installing FortiClient EMS. FortiClient EMS installs SQL
Server 2017 Express edition on the server. FortiClient EMS doesn9t remove SQL Server during uninstallation.
When managing more than 5000 endpoints, installing SQL Server Standard or Enterprise instead of SQL
Server Express is recommended. Note that Microsoft SQL Server Express is free. All other editions require a
license from Microsoft.

FortiClient EMS also installs Apache HTTP Server and Python.

FortiClient EMS 7.0 Study Guide 316

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

When you install FortiClient EMS, it installs a number of executables, dll, signatures, and so on. Refer to this
slide for the list of executable files and descriptions.

FortiClient EMS 7.0 Study Guide 317

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can debug GUI access issues either by using a web browser or enabling verbose logging for Python.

Make sure you turn off the debug after troubleshooting. You should not run the debug in a production
environment. By default, Apache uses port 443 and 10443. You can use the netstat command to see if the
default Apache ports are being used by another application.

FortiClient EMS 7.0 Study Guide 318

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

On FortiClient EMS, you can see the logs on the Logs page. To get more information, you should to change
the log level to Debug. However this GUI log doesn9t include FortiClient EMS and SQL installation logs.
Installation logs are generally available in the temp folder.

Note that FortiClient EMS automatically reverts the log level from Debug to Info after 30 minutes to save
resources on the server. The FortiClient EMS GUI displays logs only from the database; daemon debug logs
are sent only to the file.

FortiClient EMS 7.0 Study Guide 319

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can use the FortiClient EMS Diagnostic Tool to generate a debug report, and then provide the debug
report to the FortiClient team to help with troubleshooting. For example, if you are working with customer
support on a problem, you can generate a debug report, and send the report to customer support to help with
troubleshooting.

The FortiClient EMS Diagnostic Tool does not record sensitive information. It contains information about the
server that is shown in this slide.

FortiClient EMS 7.0 Study Guide 320

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 321

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Good job! You now understand FortiClient EMS components and troubleshooting on Windows Servers
systems.

Now, you will learn about diagnosing and troubleshooting FortiClient features.

FortiClient EMS 7.0 Study Guide 322

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

After completing this section, you should be able to achieve the objective shown on this slide.

By demonstrating competence in diagnosing FortiClient features, you will be able to resolve issues related to
individual features.

FortiClient EMS 7.0 Study Guide 323

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The FortiClient console provides the latest information about engine and software statuses and versions used
by FortiClient. To check the latest updates on FortiClient, click About.

By default, the value for use_custom_server element is 0, which means it is disabled, failover backup
servers are not defined, and failover to public FDN is enabled. In this case, FortiClient will first attempt to
connect to the public FortiClient server, forticlient.fortinet.net or
myforticlient.fortinet.net, over TCP port 80 to download the list of secondary servers from which it
will then download the signatures and packages for FortiClient.

If a string is specified in the server element and communication fails with that server, each of the servers
specified in the fail_over_servers element are tried until one succeeds. If that also fails, then software
updates will not be possible unless fail_over_to_fdn is set to 1. If communication fails with the server(s)
specified in both server and fail_over_servers elements, fail_over_to_fdn specifies the next
course of action.

You should leave the value of fail_over_to_fdn element to 1, which is the default value.

By default, scheduled updates are enabled at intervals that specify the frequency that FortiClient checks for
updates. A network error will cause an update failure, and the temporary AV signatures keep growing. Run
the update_task command manually.

FortiClient EMS 7.0 Study Guide 324

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The signature update logs provide the date and time of the update, along with the version number of the
signatures. You can request logs through FortiClient EMS or export logs using Export logs pane of
FortiClient. Based on the logging level and log types enabled, it will export all types of logs.

The software update logs are located in the temp folder in Windows, which might be a hidden folder.

FortiClient EMS 7.0 Study Guide 325

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient requires a number of files and drivers in order to perform a real-time antivirus scan which includes
EXE, DLL, SYS, and CONF files, and are located in the Installation
directory\Fortinet\FortiClient\ folder. The vir_sig folder contains malware and antivirus
signatures along with the fdni.conf file, which contains a list of public FortiGuard servers that FortiClient
contacts to get updates on the signatures and packages.

FortiClient EMS 7.0 Study Guide 326

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

It is very important to check the XML configuration if the real-time antivirus protection is not functioning
correctly. By default, when a virus is found, FortiClient blocks access to the file. There are five levels of
on_virus_found XML configuration tags:
" 0: clean
" 1: ignore
" 2: repair
" 3: warning
" 4: quarantine
" 5: deny access

FortiClient also performs a scan on the compressed files and allows you to define the compressed file size to
scan up to 65535MB. 0 means no limit. FortiClient performs a real-time scan on a wide range of extensions
and allows you to modify the list of extensions to scan.

For example, if you set the value of the on_virus_found XML configuration tag to 1, it will ignore the virus
file and the virus will not be caught. Another example is if you modify and remove a few extensions from the
extensions XML configuration element and if the suspicious file extension is not listed in the extensions
XML configuration element, it will not be caught.

Note that this partial XML configuration is for a real-time antivirus. For a complete list of available XML
configuration elements, refer to the FortiClient 7.0.0 XML Reference guide available at Fortinet
documentation site.

FortiClient EMS 7.0 Study Guide 327

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The antivirus logs provides the date and time of the real-time antivirus scan along with the action taken, virus,
and location of the file. You can request logs from the endpoint through FortiClient EMS. If you need to export
the logs to a local computer from FortiClient, select Settings > Logging > Export Logs option.

Based on the logging level and log types enabled, Export Logs will export all types of logs.

The realtime_scan.log located in Installation

directory\Fortinet\FortiClient\logs\realtime_scan.log provides more detailed information
about malware and antivirus engines and signatures used in the real-time antivirus scan, along with name of
the virus file, action taken, and location of the file.

Debug: In an elevated command line window:

" Disable RTP on FortiClient.
" Change the FortiClient installation directory: fmon.exe 3s 3fd_1

FortiClient EMS 7.0 Study Guide 328

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

There are other security risks that are also handled by real-time protection. The sandbox signatures can also
be used by FortiClient to identify the threat. The block access to malicious websites function blocks malicious
websites. The web filter module must be installed before you can enable this protection.

FortiClient RTP also blocks known communication channels used by attackers. The application firewall
module must be installed before you can enable this protection. An Email protection on FortiClient scans
email for malicious files. It supports POP3 and SMTP.

You can use Boolean values in the EMS XML editor to enable or disable real-time protection features. The
booleon value 0 for <block_malicious_websites> shown on this slide will disable blocking of malicious
websites.

FortiClient EMS 7.0 Study Guide 329

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The scheduled and custom scan uses the same real-time antivirus files and drivers except it uses
av_task.exe instead of fmon.exe. It uses av_task.exe with the option 3f to perform a full system scan
and av_task.exe 3d to scan the specified directory.

The factory default behavior at the time of installation is to run a full system scan on the first day of the month
at 18:30 hours. It also scans removable media. However, the default XML configuration file can be modified to
change the default behavior. You can view and modify the factory default full-scan schedule under the full
element of the XML file.

There is a priority parameter in the XML file as well. By default, the priority of the scan is set to normal and
has three different levels40 for normal priority, 1 for low priority, and 2 for high priority. The
on_demand_scanning element defines how the antivirus scanner handles the scanning of files manually
requested by the end user. The scheduled and on-demand scan logs are located in
Installationdirectory\Fortinet\FortiClient\logs\av_scanxxxx.log.

FortiClient EMS 7.0 Study Guide 330

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient requires a number of files and drivers in order to perform file submission to FortiSandbox. The
vir_sanbox_sig folder contains malware and antivirus software. The maximum file size you can submit
from FortiClient to FortiSandbox is 200 MB.

Files can be submitted from the following sources:

" Removable media
" Mapped network drives
" Web downloads
" Email download

You can run a sandbox debug by entering the CLI command Fcaptmon.exe 3s fd_01 in an elevated
command-line window.

FortiSandbox also caches files to improve performance.

FortiClient EMS 7.0 Study Guide 331

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient requires a number of files and drivers in order to perform web filtering. By default, web filtering and
the FortiGuard querying service are enabled, and can store up to 5000 violations for a period of seven days.
The default value for the max_violations element is set to 5000 and can be ranged from 250 to 5000, and
the max_violation_age element is set to seven days and can be ranged from 1 to 90 days.

You can also configure safe search and the YouTube education filter under the <safe_search> and
<youtube_education_filter> XML elements.
For a complete list of available XML configuration elements, refer to the FortiClient 7.0.0 XML Reference
guide available at http://docs.fortinet.com.

Safe Search is a feature of Google search that acts as an automated filter of pornography and potentially
offensive content. The upcoming release of FortiClient will include the ability to modify the host file to force all
Google or YouTube traffic to connect to safe search websites, such as WackySafe, that only delivers safe
search results. The drawback is that this will affect all Google services, such as search, YouTube, and so on.

Enabling the Client Web Filtering When On-Net option will keep using the FortiClient web filter even if it is
behind FortiGate and on-net. When this is disabled, the FortiClient endpoint will be protected by the FortiGate
web filter profile when on-net.

You can view the web filtering violation logs directly on the FortiClient GUI or export the logs from Export
Logs.

FortiClient EMS 7.0 Study Guide 332

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

In the example shown on this slide, the first log entry is from a FortiClient. The FortiClient log show the
FortiGate serial number along with the name of the FortiClient profile it is using, and other details such as
utmaction, utmevent, and so on.

So, when diagnosing and troubleshooting web filtering issues, always pay attention to the logs because the
URL or category might be blocked in the managed profile, but allowed in the URL list, and the results might be
different than what you were expecting.

" The webfilter cache URL rating results in the urlcache.dat file. You can also run the CLI commands
fortiwf.exe -s fd_01 and fortiproxy.exe -s fd_01 -d 4 in elevated mode, to further
troubleshoot webfilter issues.

The above commands provide debug level logs for web filter and FortiProxy processes.

FortiClient EMS 7.0 Study Guide 333

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient requires a number of files and drivers for IPsec VPN. The VPN-related information is contained
inside the VPN> XML tags. The options XML tag contains global options that apply to both SSL VPN and
IPsec VPN, as shown in this slide.

The ipsecvpn XML tag contains configurations specifically related to IPsec VPN.
IPsec VPN has two subsections:
" Options: options related to the specific type of VPN
" Connections: user-defined connections

FortiClient EMS 7.0 Study Guide 334

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can request VPN-related logs through FortiClient EMS or export logs using the Export logs pane of
FortiClient. When troubleshooting VPN issues, as a best practice, change the log level to Debug and disable
other types of logging to minimize the logs from other features.

The FortiClient-FortiGate dialup request is sent from FortiClient toward FortiGate. FortiClient-FortiGate
negotiates using aggressive mode. In aggressive mode, the IKE SA contains almost everything, such as the
encryption type, length, hash type, and Diffie3Hellman (DH) group. It contains fewer exchanges and packets
and is faster than main mode.

FortiClient EMS 7.0 Study Guide 335

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can run the real-time debug commands on FortiGate, which will show you similar information as on
FortiClient.

As a best practice, run the debug commands on FortiGate to compare with the IPsec VPN logs on FortiClient.

Apart from the real-time debug command shown on this slide, you can also run the following commands on
FortiGate to troubleshoot IPsec VPN issues:
" The diagnose vpn ike config list command checks the configuration as it is seen by IKE
daemon on the FortiGate device
" To list IKE SA on FortiGate, run diagnose vpn ike gateway list.
" To list IPsec SA on FortiGate, run diagnose vpn tunnel list.
" To check the status of all tunnels (equivalent to the GUI VPN monitor) on FortiGate, run get ipsec
tunnel list.
" To check routes on FortiGate that were installed by the IKE daemon (applicable only for dialup IPsec
VPN), run diagnose vpn ike routes list.

FortiClient EMS 7.0 Study Guide 336

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient requires a number of files and drivers for SSL VPN.

The sslvpn XML tag contains configurations specifically related to SSL VPN.
SSL VPN has two subsections:
" Options: options related to the specific type of VPN
" Connections: user-defined connections

FortiClient EMS 7.0 Study Guide 337

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can request VPN-related logs through FortiClient EMS or export logs using Export logs pane of
FortiClient. When troubleshooting VPN issues, as a best practice change the log level to Debug and disable
other types of logging to minimize the logs from other features.

The FortiClient-FortiGate SSL VPN request is sent from FortiClient towards FortiGate. FortiClient-FortiGate
checks the port number for the SSL VPN service and user credentials to allow access. The SSL debug logs
show the initial connection request made by FortiClient to FortiGate. Then the SSL certificate negotiation
takes place between FortiClient and FortiGate. The FortiClient side certificate information is located in the
Installation directory\Fortinet\FortiClient folder.

FortiClient EMS 7.0 Study Guide 338

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can run real-time debug commands on FortiGate, which will show you the information that is similar to
the information shown on FortiClient.

As a best practice, run the debug commands on FortiGate to compare them with the SSL VPN logs on
FortiClient.

FortiClient EMS 7.0 Study Guide 339

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

An application firewall uses an IPS engine, so it matches the patterns in the entire byte stream of the packet
and requires multiple files and drivers.

FortiClient EMS 7.0 Study Guide 340

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The application firewall XML configuration elements can be grouped into two parts: general options and
profiles. A general option applies to all firewall activities and a profile defines the applications and the actions
that apply to the firewall activities.

You can enable the candc_enabled XML configuration element by setting the value equal to 1, to detect a
connection to a botnet command and control server. The default_action XML configuration element
value is set to pass, which enforces the action to pass on traffic that doesn9t match any defined profiles. You
can change the default action to block, reset, or pass. The profiles tag has a rules element. The
rules element may have zero or more rule tags.
The following filter elements can be used to define applications in a rule tag:
" category
" vendor
" behavior
" technology
" protocol
" application
" popularity

If the application element is present, all other sibling elements (listed above) will be ignored. If it is not
present, a given application must match all of the provided filters to trigger the rule.
In the example shown on this slide, in the first rule, categories 6 and 23 are blocked, which corresponds to
Proxy and Social.Media respectively. In the second rule, application 16779 is blocked, which is
Yahoo.Games. You can get the complete list of IDs corresponding to each category, behavior, and
application on the FortiGate CLI.

FortiClient EMS 7.0 Study Guide 341

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can view the application violation logs directly on the FortiClient GUI, request them through FortiClient
EMS or export logs using the Export logs pane on FortiClient.

In the example shown on this slide, FortiClient blocks two categories (proxy and Social.Media) and the
application Yahoo.Games, when FortiClient inspects the traffic passing through it and, based on the matching
rule, takes action. In this example, FortiClient blocks Twitter, proxy websites, and Yahoo.Games, based on
the defined rule.

Some common issues are blocked traffic, and applications that crash or are not categorized correctly.Try to
disable FortiClient features one by one, to make sure the issue is caused by the application firewall.

FortiClient EMS 7.0 Study Guide 342

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

The FortiClient vulnerability scan module can check your workstation for known system vulnerabilities. It uses
various files and drivers to perform a vulnerability scan. You can scan your workstation when registering on
FortiGate, or on a scheduled basis. Or you can run an on-demand scan directly on the FortiClient GUI and
view the vulnerabilities found on the FortiClient console.

You can view the recent vulnerabilities detected directly on the FortiClient GUI, or you can export logs through
FortiClient EMS or use the Export logs option on the FortiClient settings.

The vulnerabilities logs shows the status (started, cancelled) and also shows the name of the
vulnerabilities detected, the severity, the vulnerabilities engine, signatures used, and so on. It also provides a
reference link, which provides the description, impact, and recommended actions for the vulnerability
detected.

FortiClient EMS 7.0 Study Guide 343

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

You can run a vulnerability scan in debug mode on the command line in elevated mode. After running the
commands shown on this slide, the log file will be available at the following location:
Forticlient_install_folder/logs/vcm/timestamp_folder

FortiClient EMS 7.0 Study Guide 344

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

FortiClient EMS 7.0 Study Guide 345

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

FortiClient EMS 7.0 Study Guide 346

 Diagnostics and Troubleshooting

DO NOT REPRINT
© FORTINET

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to approach FortiClient issues and
common issues with FortiClient with FortiGate and EMS and how to diagnose and troubleshoot FortiClient
features.

FortiClient EMS 7.0 Study Guide 347

DO NOT REPRINT
© FORTINET

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet9s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet9s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.