FortiClient EMS 7.0.0 Administration Guide
Introduction 8
FortiClient EMS components 8
Documentation 10
Getting started 11
Getting started with managing Windows, macOS, and Linux endpoints 11
Deploying FortiClient software to endpoints 11
Pushing configuration information to FortiClient 12
Relationship between FortiClient EMS, FortiGate, and FortiClient 13
Getting started with managing Chromebooks 17
Configuring FortiClient EMS for Chromebooks 17
Configuring the Google Admin console 17
Deploying a profile to Chromebooks 17
How FortiClient EMS and FortiClient work with Chromebooks 18
Installation preparation 19
System requirements 19
License types 19
FortiClient EMS 20
Component applications 22
Required services and ports 22
Management capacity 25
FortiClient Telemetry security features 27
Server readiness checklist for installation 27
Upgrading from an earlier FortiClient EMS version 28
Upgrading EMS and FortiClient 28
Upgrading EMS from an earlier version 29
Install preparation for managing Chromebooks 29
Google Workspace account 29
SSL certificates 29
Installation and licensing 31
Downloading the installation file 31
Installing FortiClient EMS 31
Installing FortiClient EMS using the CLI 33
Allowing remote access to FortiClient EMS and using custom port numbers 36
Customizing the SQL Server Express install directory 36
Installing FortiClient EMS to specify SQL Server Enterprise or Standard instance 37
Starting FortiClient EMS and logging in 39
Configuring EMS after installation 39
Licensing FortiClient EMS 40
Licensing EMS by logging in to FortiCloud 41
Uploading a license file 45
Licensing EMS in an air-gapped network 45
License status 46
Help with licensing 47
FortiClient Endpoint Management Server (FortiClient EMS) is a security management solution that enables scalable and
centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective
administration of endpoints running FortiClient. It provides visibility across the network to securely share information and
assign security policies to endpoints. It is designed to maximize operational efficiency and includes automated
capabilities for device management and troubleshooting. FortiClient EMS also works with the FortiClient Web Filter
extension to provide web filtering for Google Chromebook users.
FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints and/or
provide web filtering for Google Chromebook users. Benefits of deploying FortiClient EMS include:
• Remotely deploying FortiClient software to Windows PCs
• Updating profiles for endpoint users regardless of access location
• Administering FortiClient endpoint connections, such as accepting, disconnecting, and blocking connections
• Managing and monitoring endpoints, such as status, system, and signature information
• Identifying outdated versions of FortiClient software
• Defining web filtering rules in a profile and remotely deploying the profile to the FortiClient Web Filter extension on Google Chromebook endpoints
You can manage endpoint security for Windows and macOS platforms using a unified organizational security policy. An
organizational security policy provides a full, understandable view of the security policies defined in the organization.
You can see all policy rules, assignments, and exceptions in a single unified view.
FortiClient EMS is part of the Fortinet Endpoint Security Management suite, which ensures comprehensive policy
administration and enforcement for an enterprise network.
FortiClient EMS provides the infrastructure to install and manage FortiClient software on endpoints. FortiClient protects
endpoints from viruses, threats, and risks.
FortiClient EMS also provides the infrastructure to install and manage the FortiClient Web Filter extension on Google
Chromebook endpoints. FortiClient protects endpoint users by working with FortiClient EMS to filter web content
endpoint users view on Google Chromebooks.
The following table lists FortiClient EMS components:
Component                         Description
FortiClient                       Helps enforce security and protection on endpoints. It runs on servers, desktops, and portable computers you want to secure. See the FortiClient Administration Guide for information.
FortiClient Web Filter Extension  Communicates with FortiClient EMS and enforces web filtering on Google Chromebook endpoints.
In the diagram, the undotted lines show how different components connect to manage Windows, macOS, and Linux
endpoints using FortiClient EMS. The dotted lines represent how you use components to manage Chromebook
endpoints with FortiClient EMS.
An informative video introducing you to FortiClient EMS is available in the Fortinet Video
Library.
Documentation
You can access FortiClient EMS documentation from the Fortinet Document Library.
The FortiClient EMS documentation set includes the following:
Document             Description
Administration Guide Describes how to set up FortiClient EMS and use it to manage endpoints. It includes information on how to configure multiple endpoints, configure and manage profiles for the endpoints, and view and monitor endpoints.
New Features Guide   Describes new features and enhancements in FortiClient EMS for the release, including configuration information.
QuickStart Guide     Describes how to install and begin working with the FortiClient EMS system. It provides instructions on installation and deployment, and includes a high-level task flow for using the FortiClient EMS system.
Release Notes        Lists any known issues and limitations for the release. This document also defines supported platforms and minimum system requirements.
REST API             The FortiClient EMS API allows you to perform configuration operations on EMS. You can view the API documentation on the FortiAPI tab on FNDN.
Upgrade Paths        Provides upgrade path information for different versions of FortiClient EMS.
Compatibility Chart  Provides compatibility information for different versions of FortiClient EMS and other Fortinet products.
Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient
to endpoints.
You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. There are differences
between using AD servers and workgroups.
When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot
deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS installs on endpoints and
endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both
FortiClient for Windows and macOS using AD servers.
When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient
installs on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update
FortiClient on endpoints.
The following shows a deployment of FortiClient using FortiClient EMS with an AD server:
1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
The following shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:
1. You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install
FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to
install FortiClient on endpoints. See Viewing deployment packages on page 123.
2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
1. Add endpoints with an AD server or Windows workgroups. See Adding endpoints on page 85.
Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows
workgroups display in Endpoints > Workgroups. You can install FortiClient on endpoints using an AD server without
connecting FortiClient to FortiClient EMS as long as the username and password are correct for the applied
deployment configuration in Deployment in FortiClient EMS. You can only use workgroups to upgrade or uninstall
FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups
for initial installations of FortiClient. When using workgroups, the deployment configuration credentials in
Deployment in FortiClient EMS are not taken into account.
2. Create a FortiClient deployment package in FortiClient EMS. See Adding a FortiClient deployment package on
page 120.
3. Create a profile that includes the desired configuration information for FortiClient software on endpoints. See
Creating a profile to configure FortiClient on page 136.
4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment on page 114.
5. Create a deployment configuration with the desired deployment package. Configure the deployment configuration
for the desired workgroup, domain, endpoint group, or organizational group. See Creating a deployment
configuration on page 116.
Depending on the selected profile's configuration, FortiClient installs on the endpoints to which the profile is applied.
After FortiClient installation, the endpoint connects FortiClient Telemetry to FortiClient EMS to receive the profile
configuration and complete endpoint management setup.
6. Monitor the installation process using the Endpoints pane. See Viewing the Endpoints pane on page 87.
After the endpoints' FortiClient connects Zero Trust Telemetry to FortiClient EMS, EMS manages the endpoints, and you
can use FortiClient EMS to push configuration information to FortiClient software on endpoints.
1. Edit an existing profile or create a new profile to configure FortiClient software on endpoints. See Creating a profile
to configure FortiClient on page 136.
2. Edit an existing endpoint policy or create a new endpoint policy that is configured with desired profile. Configure the
endpoint policy to apply to the desired domains and workgroups. See Adding an endpoint policy on page 124.
After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next
Telemetry communication.
3. Monitor the update using the Endpoints pane. See Viewing the Endpoints pane on page 87.
You can use FortiClient EMS in standalone mode or integrated with FortiGate. The following section illustrates the
topology for each configuration and the differences between the scenarios.
For details, see the FortiClient 7.0 Compliance Guide.
In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part
of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient
endpoint information to the FortiGate.
The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies.
EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This
feature requires FortiOS 6.2.0 or a later version.
FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP or HTTPS
traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or
later.
FortiGate does not provide configuration information for FortiClient and the endpoint. An
administrator must configure FortiClient using an EMS endpoint policy.
Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that
EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are
also 7.0.0 or a later version:
1. EMS sends its CA certificate to the FortiGate.
2. FortiClient Telemetry connects to EMS.
3. FortiClient receives the following from EMS:
• Licensing. See Windows, macOS, and Linux endpoint licenses on page 21.
• Profile of configuration information as part of an endpoint policy. See Endpoint Profiles on page 136.
• Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
4. FortiClient sends security posture information to EMS, including third-party software information, running
processes, network information, and so on.
5. EMS dynamically groups the endpoint based on the information it received, using the configured Zero Trust tagging
rules. See Zero Trust Tagging Rules on page 188.
6. FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to
build dynamic firewall policies.
7. When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt
and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
8. The FortiGate retrieves the UID to identify the device and check other information using the endpoint information
that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
9. EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on
those groups.
For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups on page
195.
FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the
endpoint user cannot manually change FortiClient configuration.
Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are
logged into EMS.
The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS. This allows the
endpoint to connect FortiClient Telemetry to the specified EMS server.
EMS sends the following endpoint information to FortiOS:
• User profile:
  • Logged-in username
  • Full name
  • Email address
  • Phone number
  • User avatar
  • Social network account IDs
• MAC address
• OS type
• OS version
• FortiClient version
• FortiClient UUID
FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection.
EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated
information:
• System information
• User avatar
• Vulnerabilities
• Zero Trust tags
EMS also sends the following endpoint information to FortiAnalyzer:
• Telemetry/system information
• User avatar
• Software inventory
• Processes
• Network statistics
• Classification tags
FortiClient directly sends the following information to FortiAnalyzer:
• Logs
• Windows host events
See the FortiAnalyzer Administration Guide for details.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive
configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends Zero Trust
tagging rules to FortiClient, and uses the results from FortiClient to dynamically group endpoints in EMS. Only EMS can
control the connection between FortiClient and EMS. You must make any changes to the connection from EMS,
not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so that the
endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must
deregister the endpoint in EMS.
In this scenario, EMS and FortiClient cannot participate in the Security Fabric, since a FortiGate is not present.
In FortiOS 6.0, an administrator can quarantine FortiClient endpoints using EMS by enabling the Quarantine FortiClient
via EMS option. The following lists the requirements for this feature:
• The FortiClient endpoint is connected to FortiGate and managed by EMS.
• The FortiClient endpoint and FortiGate use the same FortiAnalyzer.
• The EMS managing the FortiClient endpoint is configured on the FortiGate. FortiOS allows configuration of up to three EMS servers to allow endpoint control in different locations.
Configuring Quarantine FortiClient via EMS requires setting the following fields in the
FortiOS CLI: automation-stitch and forticlient-ems. See the FortiOS CLI
Reference.
If Quarantine FortiClient via EMS is enabled, the following occurs when an indicator of compromise (IOC) is detected on
an endpoint in the Security Fabric:
1. An IOC is detected on an endpoint.
2. FortiOS sends the endpoint information to EMS with instructions to quarantine the endpoint.
3. EMS identifies and quarantines the endpoint based on the request from FortiOS.
You can remove the endpoint from quarantine using EMS as described in Quarantining an endpoint on page 102 or
using FortiOS:
1. The administrator identifies that EMS has quarantined an endpoint from one of the following:
a. FortiClient on the endpoint
b. Quarantine Management or FortiClient Monitor in FortiOS
c. Endpoints pane in EMS
2. The administrator removes the endpoint from quarantine in FortiOS.
3. FortiOS sends the endpoint information to EMS with instructions to remove the endpoint from quarantine.
4. EMS identifies and removes the endpoint from quarantine based on the request from FortiOS.
1. Start and log in to FortiClient EMS. See Starting FortiClient EMS and logging in on page 39.
2. Add SSL certificates. See Adding an SSL certificate to FortiClient EMS for Chromebook endpoints on page 232.
3. Configure FortiClient EMS settings. See System Settings on page 227.
4. Configure user accounts and permissions. See Administrators on page 216. See Administration.
Following is an overview of how to configure the Google Admin console to prepare for adding the Google domain to
FortiClient EMS. The document assumes you have created the Google domain.
1. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 50.
2. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 51.
3. Add root certificates. See Adding root certificates on page 52.
4. Configure unique service account credentials. See Configuring unique service account credentials on page 57.
5. Disallow incognito mode. See Disallowing incognito mode on page 54.
Following is an overview of how to add a Google domain, configure profiles, and push profiles to Google Chromebooks.
After you add the extension in the Google Admin console, the extension is downloaded to the Google Chromebook when
1. Add the Google domain. See Adding a Google domain on page 110.
2. Define web filtering options in one or more profiles. You can enable Safe Search in profiles. See Adding a new
Chromebook profile on page 136.
3. Edit an existing endpoint policy or create a new endpoint policy that is configured with desired profile. Configure the
endpoint policy to apply to domains to deploy FortiClient on Chromebooks. See Chromebook Policy on page 135.
4. Verify the FortiClient Web Filter extension. See Verifying the FortiClient Web Filter extension on page 56.
5. View Google domains and Google users. See Viewing domains on page 110.
After you install and configure FortiClient EMS, the Google Admin console, and the FortiClient Web Filter extension, the
products work together to provide web filtering security for Google Chromebook users logged into the Google domain.
Following is a summary of how the products work together after setup is complete:
1. A user logs into the Google Chromebook.
2. The Google Chromebook downloads the FortiClient Web Filter extension.
3. FortiClient connects to FortiClient EMS.
4. FortiClient downloads a profile to the Google Chromebook. The profile contains web filtering settings from
FortiClient EMS.
5. The user browses the Internet on the Google Chromebook.
6. FortiClient sends the URL query to the Fortinet Ratings Server.
7. The Fortinet Ratings Server returns the category result to FortiClient. FortiClient compares the category result with
the profile to determine whether to allow the Google Chromebook user to access the URL.
This section helps you prepare to install FortiClient EMS. Before installing FortiClient EMS, be aware of the following
information.
Before installing FortiClient EMS, reading the FortiClient EMS Release Notes to become familiar
with relevant software components and other important information about the product is
recommended.
System requirements
You should only install FortiClient EMS and the default services for the operating system on
the server. You should not install additional services on the same server as FortiClient EMS.
Unnecessary services may cause port conflicts and issues during upgrades, and interrupt
EMS functionality.
License types
This section describes licensing options available for FortiClient EMS. It provides information for each license type to
help determine which license best suits your needs.
FortiClient EMS
After you install EMS, you can enable a free trial license. With the free trial license, you can provision and manage
FortiClient on three Windows, macOS, Linux, iOS, and Android endpoints indefinitely. The trial license does not include
management of Chromebook endpoints. The trial license includes the same functionality as the Fabric Agent license and
does not include Sandbox Cloud support. EMS consumes one license count for each managed endpoint.
See To apply a trial license to FortiClient EMS: on page 41.
You must have an eligible FortiCloud account to activate an EMS trial license. A FortiCloud account can only have one
EMS trial license.
You should not use a trial license for production purposes. A trial license does not entitle you to Fortinet technical
support. Fortinet may cancel a trial license if the terms of use are violated. The free trial policy terms may change at any
time at Fortinet's discretion. You can only have one trial license per customer.
For evaluation, contacting Fortinet sales for an evaluation license is recommended. With an
evaluation license, Fortinet provides support as needed during the evaluation period. See How
to Buy.
The following are the latest license bundles for FortiClient EMS:
License                              Description
Endpoint Protection Platform (EPP)   Full license that offers all FortiClient features. Includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, Application Firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.
Zero Trust Network Access (ZTNA)     Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (SSL and IPsec VPN), Vulnerability Scan, Web Filter, threat protection via Sandbox (appliance only) and USB device control. Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum five year term. You can specify the number of endpoints and the term duration at time of purchase.
If there is no ZTNA license applied to EMS, no endpoints can register to EMS.
You can purchase different numbers of EPP and ZTNA licenses. For example, you can purchase 100 EPP licenses and
200 ZTNA licenses. EMS applies licenses to endpoints based on the features that are enabled in the endpoint's
assigned profile.
The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses:
Chromebook licenses
Each purchased Chromebook license allows management of one Google Chromebook user. You must purchase a
minimum of 25 Google Chromebook user licenses and can have these EMS licenses for a maximum three year term.
You can specify the number of Google Chromebook users and the term duration at time of purchase. FortiClient EMS
uses one license seat per logged-in user. If the user logs out, the license seat times out (default timeout being 24 hours),
and the license is released. At this point, another user can use this license seat.
If the number of Chromebooks that the EMS is managing exceeds the number of Chromebook licenses available,
EMS licenses the additional Chromebooks using any available Fabric Agent licenses. For example, consider that your
EMS instance has 50 Chromebook licenses, but 80 Chromebooks connect to the EMS instance. EMS licenses 50
Chromebooks using the Chromebook licenses, and licenses the remaining 30 Chromebooks using 30 Fabric Agent
licenses, if available. EMS only licenses Chromebooks using Fabric Agent licenses if no Chromebook license is
available. See Windows, macOS, and Linux endpoint licenses on page 21 for information about the Fabric Agent
license.
EMS sends you an email when you are running out of licenses. Additionally, a log entry is
entered when a client is refused connection due to unavailable licenses.
Component applications
Installation of common services required for FortiClient EMS does not ask you for license
information.
You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications
on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers
running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation
opens these.
The following ports and services only apply when using FortiClient EMS to manage Chromebooks:
You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:
FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates. FortiClient
EMS can connect to legacy FortiGuard or FortiGuard Anycast. The following table summarizes required services for
FortiClient EMS to communicate with FortiGuard:
For the list of required services and ports for FortiClient, see the FortiClient Administration
Guide.
Management capacity
FortiClient EMS is intended for enterprise use and has the capacity to manage a large number of endpoints.
You can use FortiClient EMS with SQL Server Express, Enterprise, or Standard. When managing more than 5000
endpoints, install SQL Server Enterprise or Standard instead of SQL Server Express, which the EMS installation installs
by default. Otherwise, you may experience database deadlocks. See Installing FortiClient EMS to specify SQL Server
Enterprise or Standard instance on page 37. The following table summarizes which SQL Server edition to use for
different numbers of managed endpoints.
Number of managed endpoints   SQL Server edition                                                      Deployment
Up to 5000                    Express. Optionally, you can use SQL Server Enterprise or Standard.    EMS and SQL Server can be installed on the same Windows Server machine, or two different Windows Server machines.
The following are suggested host system hardware configurations for FortiClient EMS. The suggested configurations
depend on the number of endpoints FortiClient EMS is managing. The following table shows the configurations when
EMS and SQL Server are running on the same Windows Server machine:
[Table columns: Number of managed endpoints; Number of virtual CPUs; Memory (RAM) (in GB); Suggested keep alive interval. Table rows not recoverable from this extract.]
The following table shows the configurations when EMS and SQL Server are running on different Windows Server
machines:
The requirements listed for managing 50000 to 75000 endpoints are considered best practice,
even when managing a smaller number of endpoints.
FortiClient connects to EMS and FortiGate over an SSL connection. All protocol exchanges flow through this secure
connection. The connection is closed after protocol exchanges between both parties are complete. The SSL
connections require a valid certificate.
You can configure Telemetry connections between FortiClient and FortiGate or EMS to require a preshared password or
connection key. See Configuring EMS settings on page 228.
The default Telemetry port number is 8013. You can change this in EMS and FortiClient. When a port is not provided,
FortiClient always attempts to connect to the default port, which is 8013. Changing this in EMS locks out endpoints that
are still using the default.
At any time, you can disconnect a rogue endpoint from EMS and prevent it from reconnecting to EMS in the future.
See Required services and ports on page 22 for a list of TCP/IP ports that EMS uses. You can block all other ports or
service requests to the EMS IP address or fully qualified domain name (FQDN).
Temporarily disable security applications. You must temporarily disable any antivirus (AV) software on
the target server before you install FortiClient EMS. Installation may be slow or disrupted while these
programs are active. A server may be vulnerable to attack when you uninstall or disable security
applications.
Consider the date and time settings you apply to your server. If managing Chromebooks, syncing the
time to the Google server time is recommended.
Confirm required services and ports are enabled and available for use by FortiClient EMS.
Ensure no conflict exists with port 443 for the Apache service to function properly.
Ensure no conflict exists with ports 8013 and 8443 for the EMS service to function properly.
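The port-conflict items of the readiness checklist can be verified from an elevated PowerShell prompt on the target server before the installer runs. The following script is an added example, not part of the Fortinet guide; it uses the ports the guide names (443 for Apache, 8013 and 8443 for the EMS service, 10443 opened by the installer), assumes Windows Server with the Get-NetTCPConnection cmdlet, and the expected-use strings are constructed for the report only.

```powershell
# Added example (not from the Fortinet guide): report any process already listening
# on the ports FortiClient EMS needs, so conflicts are resolved before installation.
# Assumes Windows Server with the NetTCPIP module (Get-NetTCPConnection) available.
# Port list from the guide; the descriptions are constructed labels for the report.
$expectedUse = @{
    443   = 'Apache HTTP server (EMS web console)'
    8013  = 'EMS service (default FortiClient Telemetry port)'
    8443  = 'EMS service'
    10443 = 'opened by the EMS installer'
}

$conflicts = @()
foreach ($port in ($expectedUse.Keys | Sort-Object)) {
    # Any existing listener (IPv4 or IPv6) on the port is a conflict for the installer.
    $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Host ("Port {0,5}: free ({1})" -f $port, $expectedUse[$port])
        continue
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $conflicts += [pscustomobject]@{
            Port        = $port
            ExpectedUse = $expectedUse[$port]
            LocalAddr   = $l.LocalAddress
            PID         = $l.OwningProcess
            Process     = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
}

if ($conflicts) {
    Write-Warning 'Port conflicts found; stop or reconfigure these services before running the EMS installer:'
    $conflicts | Format-Table -AutoSize
    exit 1
}
Write-Host 'All ports required by FortiClient EMS are free.'
```

Run it again after installation to confirm that the EMS and Apache services, and nothing else, own these ports.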
FortiClient EMS 7.0.0 supports upgrading from previous EMS versions as outlined in FortiClient and FortiClient EMS
Upgrade Paths.
Before any version upgrade or other maintenance, remember to back up the EMS database.
Consider performing a full server backup or taking a VM snapshot if possible.
When EMS is managing FortiClient endpoints, you must consider the version compatibilities between EMS and
FortiClient before upgrading EMS. Ensure that you follow these instructions when upgrading EMS and FortiClient:
See the EMS Compatibility Chart for EMS and FortiClient compatibility information.
You must sign up for your Google Workspace (formerly G Suite) account before you can use the Google service and
manage your Chromebook users.
The Google Workspace account is different from the free consumer account. The Google Workspace account is a paid
account that gives access to a range of Google tools, services, and technology.
You can sign up for a Google Workspace account here.
In the signup process, you must use your email address to verify your Google domain. This also proves you have
ownership of the domain.
SSL certificates
FortiClient EMS requires an SSL certificate signed by a Certificate Authority (CA) in pfx format. Use your CA to generate
a certificate file in pfx format, and remember the configured password. For example, the certificate file name is server.pfx
with password 111111.
The server where you installed FortiClient EMS should have an FQDN, such as ems.forticlient.com, and you must
specify the FQDN in your SSL certificate.
If you are using a public SSL certificate, the FQDN can be included in Common Name or Subject Alternative Name. You
must add the SSL certificate to FortiClient EMS. See Adding an SSL certificate to FortiClient EMS for Chromebook
endpoints on page 232. You do not need to add the root certificate to the Google Admin console.
If you are using a self-signed certificate (non-public SSL certificate), your certificate's Subject Alternative Name must
include DNS:<FQDN>, for example, DNS:ems.forticlient.com. You must add the SSL certificate to FortiClient EMS
and the root certificate to the Google Admin console to allow the extension to trust FortiClient EMS. See Adding root
certificates on page 52.
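A pre-upload check of the pfx against the requirements above, added here as an example that is not part of the guide or of EMS. It assumes the pfx path, password and FQDN are supplied by the caller (the call at the end reuses the guide's own server.pfx, 111111 and ems.forticlient.com values) and that it runs on Windows, where the SAN extension formats its entries as DNS Name=<host>. It applies the guide's rule: a self-signed certificate must carry the FQDN as a DNS entry in the Subject Alternative Name, while a public certificate may carry it in the Common Name instead.

```powershell
# Added example, not from the FortiClient EMS guide: check a pfx against the
# guide's FQDN rules before adding it to EMS. Assumptions: pfx path, password
# and FQDN are placeholders supplied by the caller; the SAN extension is
# formatted by Windows as "DNS Name=<host>".
function Test-EmsCertificateFqdn {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [Parameter(Mandatory)] [string] $Fqdn
    )
    # The .NET constructor resolves relative paths against the process
    # directory, not the PowerShell location, so resolve it first.
    $fullPath = (Resolve-Path $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $PfxPassword

    # Subject Common Name: a public CA certificate may carry the FQDN here.
    $cn = $null
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    $sanDns = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            $sanDns += @([regex]::Matches($ext.Format($true), 'DNS Name=([^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
    }

    # Issuer equal to subject means self-signed. The guide requires DNS:<FQDN>
    # in the SAN for that case; for a public certificate the CN also counts.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $inSan = $sanDns -contains $Fqdn          # -contains is case-insensitive
    $inCn  = ($cn -eq $Fqdn)
    $accepted = if ($selfSigned) { $inSan } else { $inSan -or $inCn }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SelfSigned    = $selfSigned
        SanDnsNames   = $sanDns
        HasPrivateKey = $cert.HasPrivateKey   # EMS needs the key, not only the cert
        NotAfter      = $cert.NotAfter
        FqdnAccepted  = $accepted
    }
}

# Values taken from the guide's example: server.pfx, password 111111,
# FQDN ems.forticlient.com.
Test-EmsCertificateFqdn -PfxPath '.\server.pfx' -PfxPassword '111111' -Fqdn 'ems.forticlient.com'
```

FqdnAccepted is false for a self-signed certificate that names the FQDN only in its CN, which is exactly the case the extension later rejects; HasPrivateKey is reported because a pfx exported without its key installs but cannot terminate TLS.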
Before you install and license FortiClient EMS on a server, ensure you have:
- Reviewed License types on page 19
- Met the requirements listed in Required services and ports on page 22
- Completed the Server readiness checklist for installation on page 27
- Logged into the server as the administrator. The administrator user account is equivalent to a Windows
administrator account and provides access to all common services, FortiClient EMS, and other application tasks.
You can use this account to initially log into the server and to create other user accounts for normal day-to-day use
of the applications.
EMS does not currently support high availability. For increased data reliability, consider
Microsoft SQL Server redundancy. See Microsoft's documentation for details.
When installing SQL Server for use with EMS, ensure that Database Engine Services is
selected. This is the minimum required feature set for SQL Server when used with EMS.
FortiClient EMS is available for download from the Fortinet Support website.
You can also receive the installation file from a sales representative.
The following installation file is available for FortiClient EMS:
FortiClientEndpointManagement_7.0.0.<build>_x64.exe
For information about obtaining FortiClient EMS, contact your Fortinet reseller.
- FortiClient EMS
- Microsoft SQL Server 2017 Express Edition
- Apache HTTP server
Installing FortiClient EMS requires local administrator rights. Internet access is recommended,
but optional, during installation. SQL Server may require some dependencies to be
downloaded over the internet. EMS will also try to download information about FortiClient
signature updates from FortiGuard.
To install EMS:
4. (Optional) Click Options to specify a custom directory for the FortiClient EMS installation.
6. When the program has installed correctly, the Success window displays. Click Close.
Installing FortiClient EMS using the CLI allows you to enable certain options during installation, such as customizing the
EMS installation directory, using custom port numbers, and so on.
You may need to wrap certain CLI option values in double quotation marks. For example, if the backup directory path
includes a space, you must wrap the path in double quotation marks, such as: BackupDir="\\WIN-0888 AHAMILTON\Backup".
Do not use single quotation marks.
The following table provides a description of all options available when installing FortiClient EMS using the CLI. These
options are case-sensitive:
Option Description
AllowedWebHostnames: The default value is localhost, 127.0.0.1. To clear this value, first enter AllowedWebHostnames=*, then enter the desired AllowedWebHostnames value. Otherwise, the value that you enter is appended to [localhost, 127.0.0.1], so that AllowedWebHostnames=localhost, 127.0.0.1, <new_value>.
ApacheServerAdminEmail: Enter the Apache Server administrator's email address. By default, this is [email protected].
BackupDir: Enter the desired backup directory UNC path for SQL Server.
ClientDownloadPort: Enter the HTTP port number. The default is 80.
RemoteManagementPort: Enter the HTTPS port number. The default is 443.
InstallFolder: Specify the directory to install EMS to.
InstallSQL: Controls whether the installer installs SQL Server Express on the same server as FortiClient EMS. Enter 1 to install SQL Server Express. Otherwise, enter 0. By default, the EMS installation also installs SQL Server Express.
ScriptDB: Controls whether the installer attempts to create the database from db scripts. Enter 1 to create the database from db scripts. You should only enter 0 if you have already set up databases on the server and you are only installing EMS components locally.
ServerHostname: Enter the preferred hostname (the remote hostname). The default is the local host.
SQLAuthType: Enter sql.
SQLCmdlineOptions="/INSTANCEDIR": Enter the desired directory to install SQL Server Express to.
SQLCmdlineOptions="/INSTANCENAME": Enter the SQL Server instance name.
SQLEncryptConnection: (Optional) Enter yes to encrypt the connection to SQL Server. Otherwise, enter no. The default is yes.
SQLPort: Enter the port number the remote SQL Server instance is listening on. You should configure SQL Server to use a static port number.
SQLServer: If using an instance with a custom name, enter the DSN name of the computer where SQL Server is already installed.
SQLServerInstance: Enter the SQL Server instance name.
SQLService: If using a default database instance, enter the instance name. If using a named database instance, enter mssql$<instance_name>. For example, if your instance is named "database000", enter mssql$database000.
SQLTrustServerCertificate: (Optional) Enter yes to trust the SQL Server certificate on the machine where FortiClient EMS is installed. If entering no, you must install the issuing CA certificate of SQL Server's certificate onto the machine you are connecting FortiClient EMS from.
SQLUser: Enter the SQL username used to connect to the database instance. You must preconfigure this user in SQL Server.
SQLUserPassword: Enter the SQL password used to connect to the database instance.
WindowsUser: Enter the Windows username that EMS services, once installed, use to connect to the database instance. You must preconfigure this user in SQL Server.
WindowsUserPassword: Enter the Windows password that EMS services, once installed, use to connect to the database instance.
DBInitialSize: Enter the database initial size. The default value is 30 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBInitialLogSize: Enter the database initial log size. The default value is 3 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBGrowth: Enter the database growth value. The default value is 10 MB. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBLogGrowth: Enter the database log growth rate. The default value is 10%. This option is used exclusively during installation and can be used to override SQL Server model database settings.
DBLoginTimeout: Enter the database login timeout value in seconds. This option is only useful for remote databases. You must increase DBLoginTimeout if there is transiently higher than expected latency between the EMS server and the remote SQL server. However, if this latency is always high, then it is likely that EMS will not perform well. In that case, address the latency itself. The default value for this option is 30. The installer only uses this option when creating/scripting the EMS databases. This option is unused once EMS is installed.
DBQueryTimeout: Enter the database query timeout value in seconds. During installation, a SQL query is used to instruct SQL Server to create a database. The default value for this option is 60. Creating the actual database files can take a long time on a slow hard drive. The installer only uses this option when creating/scripting the EMS databases. This option is unused once EMS is installed.
EPCPort: Enter the default listening port that endpoints connect to. The default value for this option is 8013.
StartServices: The default value of this option is 1. Setting this option to 0 results in the installer not starting EMS services when installation is complete.
SQLServerCheck: The default value of this option is 1. Setting this option to 0 results in the installer skipping its initial SQL server accessibility test. Skipping this test may result in installation or upgrade rollbacks if the SQL server cannot be reached during installation.
Allowing remote access to FortiClient EMS and using custom port numbers
To allow remote access to FortiClient EMS from a web browser, install FortiClient EMS by entering the following
command in the CLI. You can also specify custom HTTP and HTTPS port numbers:
FortiClientEndpointManagement_7.0.0.XXXX_x64.exe ServerHostname=<preferred_host_name> ClientDownloadPort=<HTTP_port_number> RemoteManagementPort=<HTTPS_port_number> AllowedWebHostnames=<allowed_web_host_names> ApacheServerAdminEmail=<Apache_Server_admin_email_address>
The example specifies the server hostname as emshost.ems.com, appends emshost.ems.com to the allowed web
hostnames, and specifies [email protected] as the Apache server administrator email. This example changes the
HTTP and HTTPS ports to 1080 and 22443, respectively.
FortiClientEndpointManagement_7.0.0.XXXX_x64.exe ServerHostname=emshost.ems.com ClientDownloadPort=1080 RemoteManagementPort=22443 AllowedWebHostnames=emshost.ems.com [email protected]
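The same invocation built programmatically, as an added example that is not part of the guide or of Fortinet's installer. It applies the guide's quoting rule (double quotes around a value that contains spaces, never single quotes), masks password options when echoing the command line, and checks the installer's exit code. The installer file name, hostname, ports, backup path and administrator address are placeholders; the installer run itself is left commented out so the argument builder can be inspected on its own.

```powershell
# Added example, not Fortinet's code: compose the EMS CLI install command from
# a hashtable, then run the installer and check its exit code.
# Assumptions: installer name, hostname, ports, paths and the email address
# are placeholders.
function New-EmsInstallArguments {
    param([Parameter(Mandatory)] [hashtable] $Options)
    $parts = foreach ($key in ($Options.Keys | Sort-Object)) {
        $value = [string] $Options[$key]
        # Guide rule: values containing whitespace go in double quotes only.
        if ($value -match '\s') { '{0}="{1}"' -f $key, $value }
        else                    { '{0}={1}'   -f $key, $value }
    }
    return ($parts -join ' ')
}

function Install-EmsFromCli {
    param(
        [Parameter(Mandatory)] [string]    $InstallerPath,
        [Parameter(Mandatory)] [hashtable] $Options
    )
    # Echo the command with SQL/Windows passwords masked so they do not land
    # in console transcripts or job logs.
    $shown = @{}
    foreach ($k in $Options.Keys) {
        $shown[$k] = if ($k -like '*Password*') { '********' } else { $Options[$k] }
    }
    Write-Host ("Running: {0} {1}" -f $InstallerPath, (New-EmsInstallArguments -Options $shown))

    # Start-Process passes the argument string to the installer unchanged.
    $proc = Start-Process -FilePath $InstallerPath `
        -ArgumentList (New-EmsInstallArguments -Options $Options) -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "EMS installer exited with code $($proc.ExitCode)"
    }
}

# Mirrors the guide's custom-port example and adds a backup path with a space.
$opts = @{
    ServerHostname         = 'emshost.ems.com'
    AllowedWebHostnames    = 'emshost.ems.com'
    ClientDownloadPort     = 1080
    RemoteManagementPort   = 22443
    ApacheServerAdminEmail = 'ems-admin@example.com'        # placeholder
    BackupDir              = '\\WIN-0888 AHAMILTON\Backup'   # quoted automatically
    StartServices          = 1
}
New-EmsInstallArguments -Options $opts
# Install-EmsFromCli -InstallerPath '.\FortiClientEndpointManagement_7.0.0.XXXX_x64.exe' -Options $opts
```

Because option names are case-sensitive, the hashtable keys must be spelled exactly as in the table above; the builder does not correct them.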
By default, the FortiClient EMS installation also installs SQL Server Express. Using the CLI to install FortiClient EMS
allows you to customize the SQL Server Express install directory.
These instructions do not apply for SQL Server Enterprise or Standard, which you must install separately from
FortiClient EMS. For information on SQL Server Enterprise or Standard and FortiClient EMS, see Installing FortiClient
EMS to specify SQL Server Enterprise or Standard instance on page 37.
Use the following command to customize the SQL Server Express install to a local directory:
FortiClientEndpointManagement_7.0.0.XXXX_x64 SQLCmdlineOptions="/INSTANCENAME=FCEMS /INSTANCEDIR=<desired_directory>"
The example installs FortiClient EMS, installing SQL Server to the C:\sqlserver directory:
FortiClientEndpointManagement_7.0.0.XXXX_x64 SQLCmdlineOptions="/INSTANCENAME=FCEMS /INSTANCEDIR=c:\sqlserver"
Use the following command to customize the SQL Server Express install to a remote directory:
FortiClientEndpointManagement_7.0.0.XXXX_x64 InstallFolder=<desired_directory> SQLServer=<SQL_Server_name> SQLServerInstance= SQLService=MSSQLSERVER
The example installs FortiClient EMS, installing SQL Server to the C:\sqlserver directory on a computer with DNS name
WIN-088:
FortiClientEndpointManagement_7.0.0.XXXX_x64 InstallFolder=c:/sqlserver SQLServer=WIN-0888 SQLServerInstance= SQLService=MSSQLSERVER
If you are using SQL Server Enterprise or Standard with FortiClient EMS, you must install FortiClient EMS using the CLI
to specify the correct SQL Server instance. Ensure you have already installed and configured SQL Server Enterprise or
Standard.
This section lists the CLI commands for when FortiClient EMS and SQL Server Enterprise or Standard are installed on
the same machine.
For example, consider installing FortiClient EMS and pointing to a local instance with the following attributes:
- Named "database000"
- Using SQL authentication
- SQL username "janedoe"
- SQL password "password123"
- Database initial size of 31 MB
- Database initial log size of 4 MB
- Database growth rate of 11 MB
- Database log growth rate of 11%
Prior to installing FortiClient EMS, create a backup directory on the database server. The SQL Server service that is
running on the EMS server and the Apache service that is running on the database server must both be able to access
the backup directory. You must configure the backup directory as a subdirectory of a shared directory.
1. On the database server, create a shared directory.
2. Create a backup directory inside the shared directory that you created.
3. Right-click the shared directory and select Properties.
4. On the Security tab, ensure all users have full control of the directory.
For remote instances using Windows authentication (domain user), do the following:
1. Join the EMS and database servers to the same domain.
2. Create a database user that maps to the domain user.
3. In Command Prompt on the EMS server, run gpedit to open the Local Group Policy Editor.
4. In Local Group Policy Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies
> User Rights Assignment.
5. Double-click the Log on as a service. In the dialog, add the desired username from the Active Directory domain.
For example, consider installing FortiClient EMS and pointing to a remote named instance with the following attributes:
- On a computer with DNS name WIN-088
- Using Windows authentication
- Domain name "forticlient.ca"
connection. FortiClient can connect to EMS using an IP address or fully qualified domain name (FQDN). An FQDN is
preferable for the following reasons:
- Easy to migrate EMS to a different IP address
- Easy to migrate to a different EMS instance
- Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day.
When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address
and register your external IP address with public DNS servers. You must then configure the device with your external IP
address to forward communication received on port 8013 to your EMS internal IP address. This allows your external
clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use
the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration would require external clients to
establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all
endpoints need an urgent update but some are not connected to VPN at that time.
You can also configure FortiClient EMS so that you can access it remotely using a web browser instead of the GUI.
There are several licensing options available with FortiClient EMS. You can use these licenses to manage Windows,
macOS, Linux, or Chromebook endpoints. For information on the different license types available, see License types on
page 19.
There are two ways to activate, upgrade, or renew a FortiClient EMS license:
- Licensing EMS by logging in to FortiCloud on page 41: You can log in to your FortiCloud account to activate
EMS using that account. Once an EMS license expires, EMS uses the FortiCloud account to obtain a new license
file, if available on that account. You can use this method to apply a trial or paid license to EMS. This is the primary
licensing method for EMS.
- Uploading a license file on page 45: You can upload a license file to EMS. This functions in the same way as
EMS versions prior to 6.2.0. You must use this backup licensing method only if you cannot license EMS by logging
into FortiCare.
You must activate an EMS license before you can manage and provision any endpoints with EMS.
You can license an EMS instance that is in an isolated environment and completely isolated from the Internet using an
Air-Gap license. To obtain an Air-Gap license, contact Fortinet Customer Service & Support.
Although the option to upload a license file is available in the EMS GUI, FortiCloud does not
provide EMS 7.0 license files. You cannot use this option to activate, upgrade, or renew an
EMS 7.0 license.
You must license FortiClient EMS to use it for endpoint management and provisioning.
The following steps assume that you have already acquired an EMS installation file from FortiCloud or a Fortinet sales
representative for evaluation purposes and installed EMS.
1. In EMS, in the License Information widget, click Add beside FortiCloud Account.
2. In the FortiCloud Registration dialog, enter your FortiCloud account credentials. If you do not have a FortiCloud
account, create one.
3. Read and accept the license agreement terms.
4. Click Login & Start Trial. If your FortiCloud account is eligible for an EMS trial license, the License Information
widget updates with the trial license information, and you can now manage three Windows, macOS, Linux, iOS, and
Android endpoints indefinitely.
The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a
Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Register Product.
3. In the Registration Code field, enter the Contract Registration Code from your service registration document.
Configure other fields as required, then click Next.
ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can
find the serial number in Administration > Configure License in EMS. Click Next.
iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset
management pages:
Using a second license to extend the license expiry date does not increase the number of
licensed clients. To increase the number of licensed clients, contact Fortinet Support for a co-
term contract.
If you previously activated another license with the same EMS hardware ID, you receive a
duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from
the old license.
You may want to apply multiple paid licenses of the same type to FortiClient EMS at the same time. For example, if you
want EMS to manage 525 ZTNA endpoints, you can purchase two ZTNA licenses: one for 500 endpoints, and another
for 25 endpoints. In this scenario, you must register the licenses at the same time.
The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a
Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Register Product.
3. In the Registration Code field, enter the Contract Registration Codes from your service registration documents.
Separate the codes with a comma. For example, to register the 3922U and 1057U codes in the following
screenshots, you would enter 3922U,1057U in the Registration Code field. Configure other fields as required, then
click Next.
ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can
find the serial number in Administration > Configure License in EMS. Click Next.
iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset
management pages:
Using a second license to extend the license expiry date does not increase the number of
licensed clients. To increase the number of licensed clients, contact Fortinet Support for a co-
term contract.
If you previously activated another license with the same EMS hardware ID, you receive a
duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from
the old license.
You must use this backup licensing method only if you cannot license EMS by logging into FortiCare.
Contact Fortinet Support to activate, upgrade, or renew your FortiClient EMS license. After you have the license file, you
can add it to FortiClient EMS.
If you are deploying EMS in an air-gapped or isolated network where EMS cannot access the Internet, you can configure
EMS to receive updates from FortiManager to deploy to FortiClient. In offline mode, FortiManager allows export and
import of FortiGuard packages from FortiManager for provisioning as a FortiGuard distribution server. You can export
FortiGuard packages from an online FortiManager to import to an offline FortiManager that will provide signature,
engine, and FortiClient installer updates to EMS. EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability
Scan, and Sandbox signatures and engines updates and FortiClient installers from FortiManager and deploys updates
to FortiClient while in an air-gapped or isolated network.
This feature is also useful if you have experienced hardware failure and must install EMS on another server. Fortinet
customer support can provide a key file to allow you to apply your original license to EMS on the new server.
1. Contact Fortinet Customer Service & Support. Provide them with your original EMS license file and the IP address
of the new machine where you will install EMS. They provide you with a key file.
2. Install EMS. See Installing FortiClient EMS.
3. Go to System Settings > EMS settings. Ensure that the value in the Listen on IP field matches the IP address that
you gave to Customer Service & Support in step 1. Otherwise, EMS will not be able to validate the key file.
4. In EMS, on the License Information widget, select Config License.
License status
The Dashboard > Status > License Information widget displays your license statuses. EMS supports multiple licenses,
including separate licenses for Telemetry and endpoint protection and management, for FortiSandbox Cloud integration,
and for Chromebook endpoint management. Each license's status can change. The options are:
Unlicensed: If you just installed FortiClient EMS, EMS is unlicensed by default. Log in to your FortiCloud account or
upload a license file to update the license status.
Non-expired license: You can upgrade the license on your FortiCloud account.
Expired license: You can renew the license on your FortiCloud account. You have ten days after the license expiry
date to renew the license. During this grace period, the License Information widget displays the expiry date, which
has already passed, and FortiClient EMS functions as if the license has not expired. FortiClient EMS also displays a
daily notification that the license has expired and that you are currently using FortiClient EMS as part of the ten day
grace period. After ten days, FortiClient EMS reverts to unlicensed mode for that license.
After applying a trial license to EMS, you can purchase a license and register the EMS installation on your
FortiCloud account as described in To apply a paid license to FortiClient EMS: on page 41, then click Sync License Now
in Administration > Configure License to apply a paid license to EMS.
For licensing issues with FortiClient EMS, contact the licensing team at Fortinet Technical Assistance Center (TAC):
- Phone: +1-866-648-4638
- Technical support: support.fortinet.com/
In cases where there are pre-existing services running on default FortiClient EMS ports, you can specify another port
using the CLI to run the installer. You can use the following commands:
The FortiClient EMS installation also installs Microsoft SQL Server Express, which has a file size limit of 10 GB per
database. Log entries recorded in the database are rotated on a schedule of seven days (one week) by default. If the
FortiClient deployment is large, the database size may reach the 10 GB limit over time. The FortiClient EMS
administrator may upgrade the default SQL Server installation from Express to Standard or Enterprise edition. The
database file size limit for these editions is in the PB range, which is unlimited for most practical usage. When managing
more than 5000 endpoints, installing SQL Server Standard or Enterprise instead of SQL Server Express is
recommended.
Microsoft SQL Server Express is free. All other editions require a license from Microsoft.
See the following Microsoft documentation on upgrading between editions called Upgrade to a Different Edition of SQL
Server (Setup).
The EMS database is saved in the C:\Program Files\Microsoft SQL Server\MSSQL12.FCEMS\MSSQL\DATA\FCM_root.mdf
file in the EMS host server. This file's size should remain below the 10 GB limit for Microsoft SQL Server Express.
The minimum SQL Server version that FortiClient EMS supports is 2017.
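A check for the Express size limit described above, added here as an example that is not part of the guide. It assumes the local FCEMS named instance, Windows-authenticated read access to sys.master_files, and the FCM_root.mdf file name the guide gives; the 80% warning threshold is a choice, not a value from the guide. It reports the instance edition alongside the size because only Express enforces the 10 GB cap, so the same number is a warning on Express and routine on Standard or Enterprise.

```powershell
# Added example, not from the FortiClient EMS guide: report the EMS data file
# size against the 10 GB per-database limit of SQL Server Express.
# Assumptions: local FCEMS named instance, Windows authentication, data file
# named FCM_root.mdf; the 80% warning threshold is a choice.
function Get-EmsDatabaseUsage {
    param(
        [string] $SqlInstance  = '.\FCEMS',
        [double] $WarnFraction = 0.8
    )
    $expressLimitMB = 10 * 1024
    $connString = "Server=$SqlInstance;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Edition') AS nvarchar(128))"
        $edition = [string] $cmd.ExecuteScalar()

        # size is in 8 KB pages; [_] escapes the LIKE single-character wildcard
        # so the pattern matches FCM_root.mdf literally.
        $cmd.CommandText = @"
SELECT DB_NAME(database_id), physical_name, CAST(size AS bigint) * 8 / 1024.0
FROM sys.master_files
WHERE type_desc = 'ROWS' AND physical_name LIKE '%FCM[_]root.mdf'
"@
        $reader = $cmd.ExecuteReader()
        $rows = while ($reader.Read()) {
            $sizeMB = [double] $reader.GetValue(2)
            [pscustomobject]@{
                Database              = $reader.GetString(0)
                File                  = $reader.GetString(1)
                Edition               = $edition
                SizeMB                = [math]::Round($sizeMB, 1)
                PercentOfExpressLimit = [math]::Round(100 * $sizeMB / $expressLimitMB, 1)
                # Only Express enforces the cap; Standard and Enterprise do not.
                NearExpressLimit      = ($edition -like 'Express*' -and
                                         $sizeMB -ge $WarnFraction * $expressLimitMB)
            }
        }
        $reader.Close()
        return $rows
    }
    finally {
        $conn.Close()
    }
}

Get-EmsDatabaseUsage | Format-List
```

Run it on the EMS host as an account with VIEW ANY DEFINITION (or sysadmin) on the FCEMS instance; an empty result means no data file matched, which usually points at a renamed database or a non-default instance rather than at a healthy system.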
1. Attach the SQL Server 2017 installation media to the FortiClient EMS server.
The installation media is a DVD or ISO file. If using the DVD, insert the DVD into the EMS host computer (host
server). If your host server is a virtual machine, use the ISO file.
2. Run the SQL Server setup application wizard.
3. In the SQL Server Installation Center wizard, go to Installation > Upgrade from a previous version of SQL Server.
4. Enter the product key.
5. Accept the license terms, then click Next.
6. Under Select Instance, in the Specify the instance of SQL Server dropdown list, select FCEMS. Then, click Next.
7. Under Ready to upgrade edition, click Upgrade.
8. After the upgrade is complete, click Finish.
Running a short test on FortiClient EMS after the upgrade to verify proper operations is recommended. A simple test
may be to:
1. Connect FortiClient on one or two test endpoints to FortiClient EMS.
2. Create a new custom group in FortiClient EMS and add the test endpoints to it.
3. Create a new endpoint profile.
4. Create a new endpoint policy that is configured with the newly created profile. Assign the policy to the new custom
group.
5. Check that FortiClient on the test endpoints received the new profile.
Monitor the system closely over the first few days for any unusual behavior.
Use the Programs and Features pane of the Microsoft Windows Control Panel to uninstall FortiClient EMS.
FortiClient EMS installs the following dependencies. If other applications on the same computer are not using them, you
can uninstall them manually after removing FortiClient EMS.
- Browser for SQL Server 2017
- Microsoft ODBC Driver 13 for SQL Server
- Microsoft SQL Server 2012 Native Client
- Microsoft SQL Server 2017 (64-bit)
- Microsoft SQL Server 2017 Setup (English)
- Microsoft SQL Server 2017 T-SQL Language Service
- Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325.0
- Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325.0
- Microsoft VSS Writer for SQL Server 2017
To uninstall EMS:
The following sections only apply if you plan to use FortiClient EMS to manage Chromebooks:
This section describes how to add and configure the FortiClient Web Filter extension on Chromebooks enrolled in the
Google domain.
Following is a summary of how to set up the Google Admin console:
1. Log into the Google Admin console. See Logging into the Google Admin console on page 50.
2. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 50.
3. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 51.
4. Add the root certificate. See Adding root certificates on page 52.
If you are using another Chromebook extension that uses external rendering servers, the
FortiClient Web Filter settings may be bypassed. Check with the third-party extension vendor if
this is the case.
Log into the Google Admin console using your Google domain admin account. The Admin console displays.
FortiClient EMS software is not available for public use. You can only enable the feature using
the following extension ID: igbgpehnbmhgdgjbhkkpedommgmfbeao
1. In the Google Admin console, go to Devices > Chrome Management > Settings > User & browser settings >
Managed Guest Session Settings.
You must configure the FortiClient Chromebook Web Filter extension to enable the Google Admin console to
communicate with FortiClient EMS.
FortiClient EMS hosts the services that assign endpoint profiles of web filtering policies to groups in the Google domain.
FortiClient EMS also handles the logs and web access statistics that the FortiClient Web Filter extensions send.
1. In FortiClient EMS, locate the server name and port by going to System Settings > EMS Settings.
2. Create a text file that contains the following text:
{
    "ProfileServerUrl": { "Value": "https://<ProfileServer>:<port for Profile Server>" }
}
For example:
{
    "ProfileServerUrl": { "Value": "https://ems.mydomain.com:8443" }
}
3. In the Google Admin console, go to Devices > Chrome management > User & browser settings.
4. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
The FortiClient Chromebook Web Filter extension communicates with FortiClient EMS using HTTPS connections. The
HTTPS connections require an SSL certificate. You must obtain an SSL certificate and add it to FortiClient EMS to allow
the extension to trust FortiClient EMS.
If you use a public SSL certificate, you only need to add the public SSL certificate to FortiClient EMS. See Adding an
SSL certificate to FortiClient EMS for Chromebook endpoints on page 232.
However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiClient EMS
and push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the
FortiClient Chromebook Web Filter extension and FortiClient EMS does not work. See Uploading root certificates to the
Google Admin console on page 54.
This section applies only if you are sending logs from FortiClient to FortiAnalyzer. If you are not sending logs, skip this
section.
Sending logs to FortiAnalyzer requires you enable ADOMs in FortiAnalyzer and add
FortiClient EMS to FortiAnalyzer. FortiClient EMS is added as a device to the FortiClient
ADOM in FortiAnalyzer. See the FortiAnalyzer Administration Guide.
FortiClient supports logging to FortiAnalyzer. If you have a FortiAnalyzer and configure FortiClient to send logs to
FortiAnalyzer, a FortiAnalyzer CLI command must be enabled and an SSL certificate is required to support
communication between the FortiClient Web Filter extension and FortiAnalyzer.
If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer. See Adding an SSL
certificate to FortiAnalyzer.
However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiAnalyzer and
push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient
The FortiAnalyzer IP address should be specified in the SSL certificate. If you are using a
public SSL certificate, the FortiAnalyzer IP address can be assigned to Common Name or
Alternative Name. If you are using a self-signed (nonpublic) SSL certificate, your certificate's
Subject Alternative Name must include IP:<FortiAnalyzer IP>.
You must use the FortiAnalyzer CLI to add HTTPS-logging to the allow-access list in FortiAnalyzer. This command is
one step in the process that allows FortiAnalyzer to receive logs from FortiClient.
In FortiAnalyzer CLI, enter the following command:
config system interface
    edit "port1"
        set allowaccess https ssh https-logging
    next
end
The following table summarizes where to add certificates to support communication with the FortiClient Web Filter
extension and FortiAnalyzer.
Goal: Allow the FortiClient Chromebook Web Filter extension to trust EMS
- Public SSL certificate: Add the SSL certificate to FortiClient EMS.
- SSL certificate not from a common CA: Add the SSL certificate to FortiClient EMS, and add your certificate's root CA
to the Google Admin console.
1. In the Google Admin console, go to Device Management > Network > Certificates (root certificate) (crt certificate).
2. Add the root certificate.
3. Select the Use this certificate as an HTTPS certificate authority checkbox.
Do not forget to select the Use this certificate as an HTTPS certificate authority checkbox.
Disabling access to Chrome developer tools is recommended. This blocks users from disabling the FortiClient Web Filter
extension.
1. In the Google Admin console, go to Devices > Chrome Management > User & browser settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. For the Developer Tools option, select Never allow use of built-in developer tools.
When users browse in incognito mode, Chrome bypasses extensions. You should disallow incognito mode for managed
Google domains.
1. In the Google Admin console, go to Devices > Chrome management > User & browser settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
4. Click Save.
1. In the Google Admin console, go to Devices > Chrome management > Device settings.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. Under Sign-in settings, for Guest mode, select Disable guest mode.
4. Click Save.
You should block users from ending processes with the Chrome task manager for managed Google domains.
1. In the Google Admin console, go to Devices > Chrome Management > User & browser settings > Apps and
extensions.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. Under Task manager select Block users from ending processes with the Chrome task manager from the dropdown
list.
After you add the Google domain to FortiClient EMS, the Google Admin console automatically pushes the FortiClient
Web Filter extension to the Chromebooks when users log into the Google domain. You can verify the feature has
become available on the Chromebooks.
1. Open the Google Chrome browser.
2. Enter the following in the address bar: chrome://extensions
3. Visit any gambling site, such as https://www.777.com, and confirm the site is blocked.
FortiClient EMS requires service account credentials that the Google Developer console generates. You can use the
default service account credentials provided with FortiClient EMS or generate and use unique service account
credentials, which is more secure.
The service account credentials must be the same in FortiClient EMS and the Google Admin
console.
FortiClient EMS includes the following default service account credentials that the Google Developer console generates:
Service account certificate   A certificate in .pem format for the service account credentials.
The service account credentials are a set. If you change one credential, you must change the
other two credentials.
To configure the default service account credentials, you must add the client ID's default value to the Google Admin
console. Service account credentials do not require other configuration. See Adding service account credentials to the
Google Admin console on page 61.
When using unique service account credentials for improved security, you must complete the following steps to add the
unique service account credentials to the Google Admin console and FortiClient EMS:
1. Create unique service account credentials using the Google Developer console. See Creating unique service
account credentials on page 57.
2. Add the unique service account credentials to the Google Admin console. See Adding service account credentials
to the Google Admin console on page 61.
3. Add the unique service account credentials to FortiClient EMS. See Adding service account credentials to EMS on
page 62.
Creating a unique set of service account credentials provides more security. Unique service account credentials include
the following:
c. Click ENABLE.
After you create the service account, a private key with the P12 extension is saved on your computer.
The private key with the P12 extension is the only copy you receive. Keep it in a safe
place. You should also remember the password prompted on the screen. At this time,
that password should be notasecret.
To use the private key in EMS, it needs to be converted to .pem format. You can use the
following openssl command to convert it. Remember to use the notasecret password.
    C:\OpenSSL-Win64\bin>openssl pkcs12 -in demo-976b9d6e9328.p12 -out serviceAccount-demo.pem -nodes -nocerts
    Enter Import Password:
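The following PowerShell function is an added example; it is not part of the FortiClient EMS guide or of Fortinet's tooling. It runs the same openssl command as above with the import password supplied on the command line, then restricts NTFS permissions on the output file, because -nodes writes the private key into the .pem file without any encryption, and finally checks that the result parses as a private key and carries no certificate. The openssl path, the file names and the notasecret password are the values this guide uses; the function and parameter names are the example's own.

```powershell
# Added example (not from the FortiClient EMS guide): wraps the guide's openssl conversion so that
# the password is passed non-interactively and the resulting unencrypted .pem is locked down.
# Assumptions: openssl.exe is at $OpenSslExe; the file names are placeholders for the file that
# Google generated for your service account.
function Convert-ServiceAccountKey {
    param(
        [Parameter(Mandatory)] [string] $P12Path,                 # e.g. demo-976b9d6e9328.p12 (name used in the guide)
        [Parameter(Mandatory)] [string] $PemPath,                 # e.g. serviceAccount-demo.pem
        [string] $OpenSslExe = 'C:\OpenSSL-Win64\bin\openssl.exe', # path from the guide
        [string] $ImportPassword = 'notasecret'                   # password Google assigns to the P12, per the guide
    )
    if (-not (Test-Path -LiteralPath $P12Path)) { throw "P12 file not found: $P12Path" }

    # Same flags as the guide: -nodes writes the key WITHOUT encryption, -nocerts drops the certificate.
    & $OpenSslExe pkcs12 -in $P12Path -out $PemPath -nodes -nocerts -passin "pass:$ImportPassword"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

    # The .pem now holds a clear-text private key: remove inherited ACEs and grant access only to
    # the current user and local administrators.
    icacls $PemPath /inheritance:r /grant:r "${env:USERNAME}:F" "BUILTIN\Administrators:F" | Out-Null

    # Sanity check: the file must parse as a private key and must not contain a certificate.
    & $OpenSslExe pkey -in $PemPath -noout
    if ($LASTEXITCODE -ne 0) { throw "Converted file is not a valid private key: $PemPath" }
    if (Select-String -Path $PemPath -Pattern 'BEGIN CERTIFICATE' -Quiet) {
        throw "Converted file unexpectedly contains a certificate: $PemPath"
    }
    Get-Item -LiteralPath $PemPath
}

# Usage (placeholder file names from the guide):
# Convert-ServiceAccountKey -P12Path .\demo-976b9d6e9328.p12 -PemPath .\serviceAccount-demo.pem
```

Upload the resulting .pem file to EMS as described under Adding service account credentials to EMS, then delete any copies you no longer need; the P12 file remains the only password-protected copy of the key.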
This section describes how to add the client ID from the service account credentials to the Google Admin console. These
settings allow Google to trust FortiClient EMS, which enables FortiClient EMS to retrieve information from the Google
domain.
1. In the Google Admin console, go to Security > Advanced settings > Manage API client access. You may need to
click show more to see Advanced settings.
The API scopes are case-sensitive and must be lowercase. You may need to copy the
string into a text editor and remove spaces created by words wrapping to the second
line in the PDF.
3. Click Authorize.
This section describes how to add the service account ID and service account certificate from the service account
credentials to FortiClient EMS.
1. In FortiClient EMS, go to System Settings > EMS Settings.
2. Enable EMS for Chromebooks Settings.
The default service account credentials display. Overwrite the default settings with the
unique set of service account credentials received from Fortinet.
3. The Service account field shows the configured email address provided for the service account credentials. Click
the Update service account button and configure the following information:
Service Account Email Enter a new email address for the service account credentials.
Private key Click Browse and select the certificate provided with the service account
credentials.
4. Click Save.
5. Update the client ID in the Google Admin console.
The service account credentials are a set. If you change one credential, you must change the
other two credentials.
On the EMS server, run the following CLI command to verify the services are bound to a port:
netstat -ano | find "<port number>"
You can confirm the process by finding that PID on the Task Manager Details tab:
If you want to deploy FortiClient to your domain-joined endpoints and have followed the Preparing the AD server for
deployment on page 114 instructions, you can use the same steps to verify the ports for SMB and RPC. See the
FortiClient Administration Guide.
In addition to the services running correctly, there must be connectivity between EMS and the endpoint. This section
defines connectivity as a route and traffic on a given port. You can use Command Prompt and the built-in Telnet
application to verify this. Ensure that Telnet is enabled on your device by going to Control Panel > Turn Windows
features on or off, and ensuring that the Telnet Client checkbox is selected. In this example, 192.168.1.200 is the
endpoint IP address, and 445 is the port that is being checked:
telnet 192.168.1.200 445
If the command is successful, Command Prompt clears and shows only a cursor (_). Because the service on 445 is not
Telnet, no text is returned; a blank screen is the expected result.
If the command is unsuccessful, Command Prompt returns a warning that the connection could not be opened.
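As an added example that is not part of this guide, the same two checks in PowerShell: Get-NetTCPConnection replaces netstat and the Task Manager PID lookup, and Test-NetConnection replaces telnet, so the result is a true/false value instead of a blank screen that has to be interpreted. The default Telemetry port 8013, the endpoint address 192.168.1.200 and port 445 are the values used in this guide; the function name and its output fields are the example's own.

```powershell
# Added example (not from the FortiClient EMS guide): the netstat and telnet checks above as one
# PowerShell function that returns a structured result.
# Assumptions: run on the EMS server for the listener check; 8013 is the default Telemetry port
# named in this guide, and 192.168.1.200:445 is the guide's example endpoint and port.
function Test-EmsPort {
    param(
        [int]    $LocalPort  = 8013,              # port a local EMS service should be bound to
        [string] $RemoteHost = '192.168.1.200',   # endpoint to reach
        [int]    $RemotePort = 445
    )
    # Listener check: equivalent to 'netstat -ano | find "<port>"' plus looking up the PID in Task Manager.
    $listeners = Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }

    # Connectivity check: equivalent to 'telnet <host> <port>'. TcpTestSucceeded is $false when the
    # connection cannot be opened (the telnet warning case). No banner is expected from SMB on 445.
    $reach = Test-NetConnection -ComputerName $RemoteHost -Port $RemotePort -WarningAction SilentlyContinue

    [pscustomobject]@{
        LocalPort       = $LocalPort
        LocalListeners  = @($listeners)
        LocalBound      = (@($listeners).Count -gt 0)
        RemoteHost      = $RemoteHost
        RemotePort      = $RemotePort
        RemoteReachable = $reach.TcpTestSucceeded
        RemoteRttMs     = $reach.PingReplyDetails.RoundtripTime   # $null when ICMP is filtered; TCP result still valid
    }
}

# Usage:
# $r = Test-EmsPort -LocalPort 8013 -RemoteHost 192.168.1.200 -RemotePort 445
# if (-not $r.LocalBound)      { Write-Warning "Nothing is listening on port $($r.LocalPort)" }
# if (-not $r.RemoteReachable) { Write-Warning "Cannot open $($r.RemoteHost):$($r.RemotePort)" }
```

A listener that is bound to 127.0.0.1 rather than 0.0.0.0 or :: shows up as LocalBound but is not reachable from endpoints, so check the LocalAddress field as well as the count.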
Banner
Option Description
Invitations You can configure invitation codes that endpoint users can use to connect to
EMS. See
Multitenancy site If multitenancy is enabled and you are logged into an account that can access
multiple sites, you can go to another site by selecting it from a dropdown list. If
you are logged in to the global site, you can also configure sites. See
Multitenancy on page 245.
Help icon
Getting Started Provides access to links to the FortiClient EMS Release Notes and other
resources.
FortiClient EMS
Create Support Create a support package to provide to the Fortinet technical support team for
Package troubleshooting.
FortiGuard View list of engine and signature versions for this version of FortiClient EMS.
Bell icon Click the bell icon to display all alert logs.
<Logged in username> Click the dropdown list beside the <logged in username> to do one of the
following:
- Change the password for this user. Enter a new password that complies
Left pane
The left navigation pane displays content in the right pane. The following describes the left pane when multitenancy is
disabled. For descriptions of the left pane with multitenancy enabled, see Left pane with multitenancy enabled on page
248.
Option Description
Dashboard
Vulnerability Scan Displays the Current Vulnerabilities Summary chart that provides
a centralized vulnerability summary for all managed endpoints.
You can observe high-risk hosts and critical vulnerabilities
existing on endpoints. You can also access links on how to fix or
repair the vulnerabilities.
Endpoints
Group Assignment Rules Configure rules to automatically place endpoints into custom
groups based on their installer ID, IP address, or OS.
Google Domains Only available if the EMS for Chromebooks Settings option is
enabled in System Settings > EMS Settings.
Domains Manage users from specific Google domains. You can also add a
Google domain if none exist.
Manage Policies Create endpoint policies and manage policy updates for
Windows, macOS, and Linux endpoints.
Chromebook Policy Create endpoint policies and manage policy updates for
Chromebook endpoints. Only available if the EMS for
Chromebooks Settings option is enabled in System Settings >
EMS Settings.
Endpoint Profiles
Manage Profiles Create profiles and manage profile updates for all profiles.
Fabric Device Monitor View all FortiGates connected to EMS for Zero Trust tagging and
the list of tags that are shared with each FortiGate.
Software Inventory
Quarantine Management
Allowlist View and delete allowlisted files from the Allowlist pane.
Administration
Admin Roles Add and manage FortiClient EMS admin roles and permissions.
User Settings Configure the inactivity timeout and other user settings.
Log Viewer View log messages generated by FortiClient EMS and download
raw logs.
System Settings
EMS Settings Change the IP address and port and configure other EMS
settings for FortiClient EMS, including enabling Chromebook
management.
Log Settings Specify what level of log messages to capture in FortiClient EMS
logs and when to automatically delete logs and alerts.
Custom Messages Customize the message that displays on an endpoint when it has
been quarantined by FortiClient EMS.
Content pane
The right pane displays the user interface controls that correspond to the selection made in the left pane. The status and
menu icons in the top-right display controls what you can use to configure additional settings for user management and
each individual endpoint.
You can use the Dashboard to view summary information about the system and endpoints. You can view summary
information about vulnerability scans on endpoints.
2. For most Status widgets, clicking a donut chart section leads to the Endpoints pane. The Endpoints pane displays
with more details about the endpoints that belong to the selected donut chart section. See Viewing the Endpoints
pane on page 87.
3. Click a section of the Endpoint Alerts widget. The Endpoint Event Summary displays with more details about the
endpoints that belong to that chart section. The endpoint details that display on this page depend on the endpoint
alert type. In the example, the selected alert was that the AV signature on the endpoint is out-of-date. Therefore,
Endpoint Event Summary displays the current installed AV signature version and the latest available AV signature
version that you can upgrade the endpoint to.
The following information displays in the System Information widget when multitenancy is disabled. If multitenancy is
enabled, this information displays in the global site System Information widget. See Global and per-site configuration on
page 246.
Option Description
Version Version number for FortiClient EMS. Also displays the build number. If the current
build is an interim build, also displays (Interim) beside the build number.
Database Options to back up and restore the database. See To back up the database: on
page 69 and To restore the database: on page 69.
System Time Time and date that the computer where you installed FortiClient EMS uses.
Uptime Number of days, hours, minutes, and seconds FortiClient EMS has been running.
EMS cannot create or restore database backups when using a remote SQL database server.
FortiCloud Account FortiCloud account that this EMS server is registered to. If EMS is not registered
to a FortiCloud account, you can log into an existing FortiCloud account or create
a new FortiCloud account from this widget.
Zero Trust Security ZTNA license status. You can use this license for managing Windows, macOS,
Linux, iOS, Android, and Chromebook endpoints. When licensed, displays
number of licenses used out of the total number of available licenses and the
expiry date.
Next-Generation Endpoint Security EPP license status. You can use this license for managing Windows, macOS,
Linux, iOS, Android, and Chromebook endpoints. This license includes all features
included in the ZTNA license as well as more advanced features. When licensed,
displays number of licenses used out of the total number of available licenses and
the expiry date.
Chromebook Status of the Chromebook license for FortiClient EMS. You can use this license
for managing Chromebook endpoints. When licensed, displays number of
licenses used out of the total number of available licenses and the expiry date.
If you have just installed EMS, click Add beside FortiCloud Account to license by logging in to your FortiCloud account.
See License status on page 46.
For details on the features included with each license type, see Windows, macOS, and Linux endpoint licenses on page
21.
Status displays a number of pie charts. Each pie chart provides a summary of endpoint information. The sections in each
chart are links. You can click any section of the pie charts or any row in the table to display more details.
Available options may differ depending on the features you have enabled or disabled in
Feature Select. See Feature Select on page 241.
Option Description
Endpoint Charts
Endpoint Alerts Shows the number of endpoints with alerts, including pending software updates, out-of-date
protection, and out-of-sync profiles.
- Offline
Managed Mac FortiClient Versions This chart indicates the percentage of macOS endpoints with each version of FortiClient installed.
Sorting by version lists FortiClient versions from most recent to least recent. For example,
FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to
the version with the smallest number of endpoints. For example, if there are 600 endpoints with
FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed
first.
Managed Windows FortiClient Versions This chart indicates the percentage of Windows endpoints with each version of FortiClient installed.
You can sort the data by version or count.
Sorting by version lists FortiClient versions from most recent to least recent. For example,
FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on.
Sorting by count lists FortiClient versions from the version with the largest number of endpoints to
the version with the smallest number of endpoints. For example, if there are 600 endpoints with
FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed
first.
Managed Linux FortiClient Versions This chart indicates the percentage of Linux endpoints with each version of FortiClient installed.
You can sort the data by version or count.
Endpoint Management This chart indicates how many endpoints are disconnected and connected.
Mac Operating Systems This chart indicates the number of endpoints running each version of the macOS operating system.
You can sort the data by version or count.
Sorting by version lists macOS versions from most recent to least recent. For example,
macOS 10.13 High Sierra is listed first, then macOS 10.12 Sierra, OS X 10.11 El Capitan, and so
on.
Sorting by count lists macOS versions from the version with the largest number of endpoints to
the version with the smallest number of endpoints. For example, if there are 600 endpoints with
macOS 10.12 Sierra installed and 40 endpoints with macOS 10.13 High Sierra installed,
macOS 10.12 Sierra is listed first.
Windows Operating Systems This chart indicates the number of endpoints running each version of the Windows operating
system. You can sort the data by version or count.
Sorting by version lists Windows versions from most recent to least recent. For example, Windows
10 is listed first, then Windows 8, Windows 7, and so on.
Sorting by count lists Windows versions from the version with the largest number of endpoints to
the version with the smallest number of endpoints. For example, if there are 600 endpoints with
Windows 7 installed and 40 endpoints with Windows 10 installed, Windows 7 is listed first.
Linux Operating Systems This chart indicates the number of endpoints running each version of the Linux operating system.
You can sort the data by version or count.
Sorting by version lists Linux versions from most recent to least recent. For example, Ubuntu 18.10
is listed first, then Ubuntu 17.10, Ubuntu 16.04, and so on.
Sorting by count lists Linux versions from the version with the largest number of endpoints to
the version with the smallest number of endpoints. For example, if there are 600 endpoints with
Ubuntu 16.04 installed and 40 endpoints with Ubuntu 18.10 installed, Ubuntu 16.04 is listed first.
Top 3 Lists
Antivirus Detection This chart indicates the top three endpoints with AV alerts, including the number of AV alerts for
each endpoint.
Sandbox Detection This chart indicates the top three endpoints with FortiSandbox alerts, including the number of
FortiSandbox alerts for each endpoint.
Vulnerability Detection This chart indicates the top three endpoints with vulnerability alerts, including the number of
vulnerabilities detected for each endpoint.
Web Filter Detection This chart indicates the top three endpoints with web filter alerts, including the number of web filter
alerts for each endpoint.
Go to Dashboard > Vulnerability Scan. Here you can view a variety of charts and widgets containing a summary of
vulnerability scan information from endpoints.
The Vulnerability Scan dashboard displays a number of charts. Each chart provides a summary of endpoint information.
The sections in each chart are links. You can click sections of the charts or any row in the table to display more details.
Chart Description
Top 10 Vulnerable Endpoints With High Risk Vulnerabilities Displays the top ten vulnerable endpoints and the number of
vulnerabilities detected on those endpoints, with associated severity levels.
Top 10 Vulnerabilities Displays the top ten vulnerabilities and the number of hosts where the
vulnerabilities have been detected. Click the vulnerability name to see information
about the vulnerability on FortiGuard.
4. You can click any tile to display details for vulnerabilities of that type. In this example, click View 20 on the Operating
System tile to display all OS vulnerabilities and details:
Patch All Click this button to patch all vulnerabilities currently displayed on the content
pane. The vulnerabilities are patched with the next Telemetry communication
between FortiClient EMS and the endpoint.
Clear Filters Click to clear all filters applied to the list of vulnerabilities.
FortiGuard ID Displays the FortiGuard ID. Click the link to see information about the
vulnerability on FortiGuard.
CVE ID Displays the vulnerability ID as determined by the Common Vulnerabilities and
Exposures (CVE) system. If available, you can click the link to see more
information about the vulnerability. Depending on the vulnerability, there may
be multiple CVE IDs listed.
Affected Endpoints Displays the number of endpoints that are affected by this vulnerability.
Patch Status You can click the Patch button to patch the selected vulnerability with the next
Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to one of
the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation
paths
- OS vulnerabilities: Windows update service is disabled
You can filter the list of vulnerabilities by any column by clicking the filter icon beside the desired heading. Enter the
value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
5. Return to Dashboard > Vulnerability Scan. You can also click a colored circle to view all vulnerabilities of the
selected severity level. The following shows all medium severity third party application vulnerabilities:
2. Click the Vulnerable section to view all vulnerabilities detected on vulnerable endpoints:
Patch All Click this button to patch all vulnerabilities currently displayed on the content
pane. The vulnerabilities are patched with the next Telemetry communication
between FortiClient EMS and the endpoint.
Clear Filters Click to clear all filters applied to the list of vulnerabilities.
Username User that is currently logged into the endpoint where the vulnerability was
detected.
Patch Status You can click the Patch button to patch the selected vulnerability with the next
Telemetry communication between FortiClient EMS and the endpoint.
FortiClient may be unable to automatically patch the vulnerability due to one of
the following reasons:
- Third-party application vulnerabilities: incorrect or missing installation
paths
- OS vulnerabilities: Windows update service is disabled
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired heading.
Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
3. Click a hostname. You can view all vulnerabilities detected on that endpoint. You can filter the list of vulnerabilities in
the same way that you can filter the list of vulnerable endpoints in step 2.
4. Go back, then click one of the sections under the Vulnerability column to view all vulnerabilities detected on the
selected endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint.
You can filter the list of vulnerabilities in the same way that you can filter the list of vulnerable endpoints in step 2.
Patch Status You can click the Patch button to patch the selected vulnerability with the next
Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerable Endpoints With High Risk Vulnerabilities chart
displays vulnerabilities per endpoint in a segmented bar graph and organized by severity.
Patch Status You can click the Patch button to patch the selected vulnerability with the
next Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to
one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing
installation paths
- OS vulnerabilities: Windows update service is disabled
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
b. Click one of the sections of the vulnerability bar graph to view all vulnerabilities detected on the selected
endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint. You
can filter the list of vulnerabilities in the same way that you can filter the list of vulnerabilities in option a.
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerabilities widget displays the type of vulnerability and how
many hosts the vulnerability has been detected on.
b. Click the number of hosts that are affected by a vulnerability. You can view a list of endpoints where the
vulnerability has been detected.
Clear Filters Click to clear all filters applied to the list of vulnerabilities.
Username User that is currently logged into the endpoint where the vulnerability was
detected.
Last Seen Time of the last Telemetry communication between FortiClient EMS and
the endpoint.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Any: Display any file that matches the set filter.
- Not: Display only files that do not match the set filter.
Here, you can also click the hostname to view all detected vulnerabilities on that endpoint. You can filter the list
of vulnerabilities in the same way that you can filter the list of endpoints above.
Patch Status You can click the Patch button to patch the selected vulnerability with the
next Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to
one of the following reasons:
- Third-party application vulnerabilities: incorrect or missing
installation paths
- OS vulnerabilities: Windows update service is disabled
Chromebook Status displays a number of charts. Each chart provides a summary of Chromebook information. The
sections in each chart are links. You can click any chart section or table row to display details. Chromebook Status is
only available if you enabled System Settings > EMS Settings > EMS for Chromebooks Settings.
Option Description
User Charts
Webfilter Charts
Top 10 Violations by Category Displays the top ten web filter violations by category in the past few days. You can
configure the number of days. Go to System Settings > Logs.
Top 10 Violations by User Displays the top web filter violations by user in the past few days. You can
configure the number of days. Go to System Settings > Logs.
Most Searched Monitored Words Displays the top terms that users have searched that you have configured Web
Filter to monitor. See Web Filter on page 151.
Most Searched Blocked Words Displays the top terms that users have searched that you have configured Web
Filter to block. See Web Filter on page 151.
Others
You can configure invitation codes. End users can enter the invitation codes to connect FortiClient to EMS.
Sending individual invitation codes is considered best practice, as it can limit any
unexpected endpoints from connecting to FortiClient EMS.
c. Enable Send email notifications. You can only enable this option if you have configured SMTP settings. See
Configuring SMTP Server settings on page 237.
d. In the Email recipients field, enter the email addresses of the desired end users.
e. If desired, enable Send SMS notifications.
f. Click the Create a new installer button to include an installer with the invitation. End users can use this installer
to install FortiClient on their endpoint. See Adding a FortiClient deployment package on page 120.
g. If desired, enable Expiring.
h. In the Expiry date field, set the expiry date. Click Save.
End users can install FortiClient on their devices using the installer that you included, and use the invitation code to
connect to EMS if their FortiClient did not connect automatically.
FortiClient EMS needs to determine which devices to manage. For Windows, macOS, and Linux endpoints, device
information can come from an AD server, Windows workgroup, or manual FortiClient connection.
For Chromebooks, device information comes from the Google Admin console.
Device information can come from an AD server, Windows workgroup, or manual FortiClient connection. You can create
groups to organize endpoints.
Managing groups
You can create groups to organize endpoints. You can also rename and delete groups.
The LDAP connection is read-only. These groups are local to EMS and are not seen in your Active Directory.
To create groups:
1. Go to Endpoints.
2. Right-click a domain or workgroup and select Create group. The Create group dialog displays.
3. In the Required field, enter a name for the group, and click Confirm.
To rename groups:
1. Go to Endpoints.
2. Right-click the group, and select Rename group. The Rename the group dialog displays.
3. In the Required field, enter the new name, and click Confirm.
To delete groups:
1. Go to Endpoints.
2. Right-click the group, and select Delete group. A confirmation dialog displays.
3. Click Yes.
Adding endpoints
You can manually import endpoints from an AD server. You can import and synchronize information about computer
accounts with an LDAP or LDAPS service. You can add endpoints by identifying endpoints that are part of an AD domain
server.
The LDAP connection is read-only.
EMS does not support importing subdomains if you have already imported the parent domain
into EMS.
Distinguished name Enter the distinguished name (DN) (optional). You must use only capital letters
when configuring the DN. You cannot import domains and OUs that have a DN
with more than 256 characters.
Bind type Select the bind type: Simple, Anonymous, or Regular. When you select
Regular, you must enter the Username and Password.
Username Available when Bind type is set to Regular. Enter the username.
Password Available when Bind type is set to Regular. Enter the user password.
Show Password Available when Bind type is set to Regular. Turn on and off to show or hide the
password.
LDAPS connection Enable a secure connection protocol when Bind type is set to Regular.
Sync every Enter the sync schedule between FortiClient EMS and the domain in minutes.
The default is ten minutes.
After importing endpoints from an AD server, you can move them to custom created groups.
These groups are not seen in AD and EMS does not have the ability to modify the AD server in
any way. See Managing groups on page 85.
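Before entering the domain settings from the table above into EMS, you can verify them with a read-only LDAP bind and search. The following PowerShell function is an added example, not part of the FortiClient EMS guide; it assumes that the EMS Regular/Simple bind corresponds to a standard LDAP simple bind (AuthType.Basic in .NET), which is the reason LDAPS should be enabled alongside it, and the function and parameter names are the example's own. The DN checks it performs (at most 256 characters, capital letters only) are the limits stated in the table; the search for computer objects mirrors the computer accounts EMS imports, and nothing is written to the directory.

```powershell
# Added example (not from the FortiClient EMS guide): verifies LDAP/LDAPS server, port, DN and bind
# credentials with a read-only bind and search before they are entered in EMS.
# Assumptions: EMS's Regular/Simple bind is a standard LDAP simple bind (AuthType.Basic);
# function and parameter names are this example's own.
function Test-EmsLdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,            # AD domain controller hostname or IP
        [Parameter(Mandatory)] [string] $BaseDn,            # DN EMS will import, e.g. DC=EXAMPLE,DC=COM
        [Parameter(Mandatory)] [pscredential] $Credential,  # Username/Password of the Regular bind
        [switch] $Ldaps,                                    # on = LDAPS connection (TLS from the first byte)
        [int] $Port = 0                                     # 0 = 636 for LDAPS, 389 for plain LDAP
    )
    if ($Port -eq 0) { $Port = if ($Ldaps) { 636 } else { 389 } }

    # Limits the guide states for the Distinguished name field.
    if ($BaseDn.Length -gt 256) { throw "DN is $($BaseDn.Length) characters; EMS cannot import DNs longer than 256" }
    if ($BaseDn -cne $BaseDn.ToUpperInvariant()) { Write-Warning 'DN contains lower-case letters; EMS expects capital letters only' }
    if (-not $Ldaps) { Write-Warning 'Plain LDAP: a simple bind sends the password to the server unencrypted' }

    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    # AuthType.Basic is the LDAP simple bind; the same username/password EMS will use.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$Ldaps   # server certificate is validated against the Windows trust store
    try {
        $conn.Bind()
        # Read-only probe: computer objects under the DN are what EMS imports as endpoints.
        $request  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, '(objectClass=computer)', [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('dNSHostName'))
        $response = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($request)
        [pscustomobject]@{ Server = $Server; Port = $Port; Ldaps = [bool]$Ldaps; BindOk = $true; ComputerObjects = $response.Entries.Count; Error = $null }
    } catch [System.DirectoryServices.Protocols.DirectoryException] {
        # Covers invalid credentials, an unreachable server, a bad DN and a rejected LDAPS certificate.
        [pscustomobject]@{ Server = $Server; Port = $Port; Ldaps = [bool]$Ldaps; BindOk = $false; ComputerObjects = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholder server and DN):
# Test-EmsLdapBind -Server dc01.example.com -BaseDn 'DC=EXAMPLE,DC=COM' -Credential (Get-Credential) -Ldaps
```

If the LDAPS variant fails with a server-unavailable error while plain LDAP on 389 binds successfully, the usual cause is that the domain controller's certificate is not trusted by the machine running the check; fix the trust rather than disabling LDAPS, since EMS will face the same certificate.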
Endpoint users can manually connect FortiClient Telemetry to FortiClient EMS by specifying the IP address for
FortiClient EMS in FortiClient. This process is sometimes called registering FortiClient to FortiClient EMS.
The FortiClient Telemetry gateway port may be appended to the gateway list address on
FortiClient and separated by a colon. When the port is not provided, FortiClient attempts to
connect to the IP address given using the default port. The default connection port in
FortiClient 6.0 and 6.2 is 8013. By default, FortiClient EMS listens for connection on port 8013.
Viewing endpoints
After you add endpoints to FortiClient EMS, you can view the list of endpoints in a domain or workgroup in the Endpoints
pane. You can also view details about each endpoint and use filters to access endpoints with specific qualities.
1. Go to Endpoints, and select All Endpoints, a domain, or workgroup. The list of endpoints, a quick status bar, and a
toolbar display in the content pane.
Not Installed Number of endpoints that do not have FortiClient installed. Click to display the
list of endpoints without FortiClient installed.
Not Registered Number of endpoints that are not connected to FortiClient EMS. Click to
display the list of disconnected endpoints.
Out-Of-Sync Number of endpoints with an out-of-sync profile. Click to display the list of
endpoints with out-of-sync profiles.
Security Risk Number of endpoints that are security risks. Click to display the list of
endpoints that are security risks.
Quarantined Number of endpoints that EMS has quarantined. Click to display the list of
quarantined endpoints.
Endpoints Click the checkbox to select all endpoints displayed in the content pane.
Show/Hide Heading Click to hide or display the following column headings: Device, User, IP,
Configurations, Connections, and Alerts and Events.
Show/Hide Full Group Path Click to hide or display the full path for the group that the endpoint belongs to.
Search All Fields Enter a value and press Enter to search for the value in the list of endpoints.
Filters Click to display and hide filters you can use to filter the list of endpoints.
Device Visible when headings are displayed. Displays an icon to represent the OS on
the endpoint, the hostname, and the endpoint group.
User Visible when headings are displayed. Displays the name and icon of the user
logged into the endpoint. Also displays the status of the endpoint:
• Online: Endpoint has been seen within less than three keep-alive
timeouts.
• Away: Endpoint has been offline for less than eight hours.
• Offline: Endpoint has been offline for more than eight hours.
Configurations Visible when headings are displayed. Displays the name of the policy
assigned to the endpoint and its synchronization status.
Connections Visible when headings are displayed. Displays the connection status between
FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate,
displays the FortiGate hostname.
Alerts and Events Visible when headings are displayed. Displays FortiClient alerts and events for
the endpoint.
2. Click an endpoint to display its details in the content pane. The following dropdown lists display in the toolbar for the
selected endpoint:
Patch Click to patch all critical and high vulnerabilities on the selected endpoint.
Choose one of the following options:
• Selected Vulnerabilities on Selected Clients
• Selected Vulnerabilities on All Affected Clients
• All Critical and High Vulnerabilities
Action Click to perform one of the following actions on the selected endpoint:
• Request FortiClient Logs
• Request Diagnostic Results
• Update Signatures
• Download Available FortiClient Logs
• Download Available Diagnostic Results
• Deregister
• Quarantine
• Un-quarantine
• Exclude from Management
• Revoke Client Certificate. This action is only available if the ZTNA or EPP
license is applied and for endpoints running FortiClient 7.0.0 and later
versions. See Windows, macOS, and Linux endpoint licenses on page
21. Revoke the certificate that FortiClient is using to securely encrypt and
tunnel TCP traffic through HTTPS to the FortiGate. You may want to
revoke a certificate if it becomes compromised and can no longer be
trusted. When a certificate is revoked, EMS prompts FortiOS and
FortiClient with a new certificate signing request. See FortiClient in the
Security Fabric on page 13.
• Clear Events
• Mark as Uninstalled
• Set Importance
• Set Custom Tags. This option is only available if you have already created
a custom tag.
• Delete Device
The following tabs are available in the content pane toolbar when you select an endpoint, depending on which
FortiClient features are installed on the endpoint and enabled via the assigned profile:
Summary
<user name> Displays the name of the user logged into the selected endpoint. Also
displays the user's avatar, email address, and phone number if these are
provided to FortiClient on the endpoint. If the user's LinkedIn, Google,
Salesforce, or other cloud app account is linked in FortiClient, the username
from the cloud application displays. Also displays the group that the endpoint
belongs to in EMS.
Device Displays the selected endpoint's hostname. You can enter an alias if desired.
Last Seen Displays the last date and time that FortiClient sent a keep-alive message to
EMS. This information is useful if FortiClient is offline because it indicates
when the last keep-alive message occurred.
Location Displays whether the selected endpoint is on- or off-fabric. You can also view
any on-fabric detection rules that the endpoint is applicable for. See On-
fabric Detection Rules on page 131.
Network Status This section only appears for endpoints running FortiClient 6.4.1 and later
versions.
Displays the following information for the networks that the endpoint is
connected to:
• MAC address
• IP address
• Gateway IP address
• Gateway MAC address
Hardware Details Displays the hardware model, vendor, CPU, RAM, and serial number
information for the endpoint device, if available.
Zero Trust Tags Displays which tags have been applied to the endpoint based on the Zero
Trust tagging rules. See Zero Trust Tags on page 188.
Connection Displays the connection status between the selected endpoint and
FortiClient EMS.
Classification Tags Displays classification tags that are currently assigned to the endpoint. You
can also assign a classification tag to the endpoint. Classification tags
include the default importance level tags (low, medium, high, or critical), and
custom tags. An endpoint can only have one default importance tag
assigned, but can have multiple custom tags assigned. You can also
unassign a tag from the endpoint, and create, assign, or delete a custom tag.
To create a new custom tag, click the Add button, enter the desired tag, then
click the + button. When you create a tag, it is available for assignment to all
endpoints in the current site.
You can assign a classification tag to multiple endpoints by selecting the
endpoints, then selecting Action > Set Importance or Set Custom Tags.
See Sending endpoint classification tags to FortiAnalyzer on page 96.
Antivirus Events
Date Displays the cloud-based malware detection event's date and time.
AntiExploit
Events
USB Device Events
Sandbox Events
Magnifying glass Click to view a more detailed report. See Viewing Sandbox event details on
page 95.
Firewall Events
Vulnerability Events
Vulnerability Displays the vulnerability's name. For example, Security update available for
Adobe Reader.
Category Displays the vulnerability's category. For example, Third Party App.
Patch Type Displays the patch type for this vulnerability: Auto or Manual.
FortiGuard Displays the FortiGuard ID number. If you click the FortiGuard ID number, it
redirects you to FortiGuard where further information is provided if available.
System Events
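As an added example (not part of this guide or of FortiClient EMS), the following Python script applies the Online, Away, and Offline thresholds described in the User column above to a constructed endpoint export, the kind of data a SOC might pull out of EMS to find stale or unmanaged devices. The keep-alive interval, the export column names, and the behaviour at the exact boundaries (exactly three keep-alive timeouts, exactly eight hours) are assumptions, because the guide does not state them.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as described in the Endpoints pane:
#   Online  = seen within fewer than three keep-alive timeouts
#   Away    = offline for less than eight hours
#   Offline = everything else (exact boundaries are an assumption)
ONLINE_KEEPALIVE_MULTIPLIER = 3
AWAY_LIMIT = timedelta(hours=8)


@dataclass
class Endpoint:
    hostname: str
    last_seen: Optional[datetime]   # time of the last keep-alive EMS received; None = never


def presence_status(last_seen: Optional[datetime], now: datetime, keepalive: timedelta) -> str:
    """Classify one endpoint from the time of its last keep-alive message."""
    if last_seen is None:
        return "Offline"
    gap = now - last_seen
    if gap < ONLINE_KEEPALIVE_MULTIPLIER * keepalive:
        return "Online"
    if gap < AWAY_LIMIT:
        return "Away"
    return "Offline"


def load_export(text: str) -> List[Endpoint]:
    """Parse a constructed 'hostname,last_seen' CSV export (column names are assumed).
    An empty last_seen means the endpoint has never sent a keep-alive."""
    endpoints = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("last_seen") or "").strip()
        last_seen = datetime.fromisoformat(raw) if raw else None
        endpoints.append(Endpoint(row["hostname"].strip(), last_seen))
    return endpoints


def status_report(endpoints: List[Endpoint], now: datetime, keepalive: timedelta) -> Dict[str, str]:
    """Map hostname -> Online/Away/Offline for a whole export."""
    return {ep.hostname: presence_status(ep.last_seen, now, keepalive) for ep in endpoints}


# Constructed sample export; timestamps are relative to NOW below.
SAMPLE_EXPORT = """\
hostname,last_seen
fin-01,2021-06-01T11:58:30+00:00
fin-02,2021-06-01T11:50:00+00:00
lab-01,2021-06-01T02:00:00+00:00
new-01,
"""
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
KEEPALIVE = timedelta(seconds=60)   # assumed keep-alive interval, not from the guide

if __name__ == "__main__":
    for host, status in status_report(load_export(SAMPLE_EXPORT), NOW, KEEPALIVE).items():
        print(f"{host:8} {status}")
```

Endpoints reported as Away or Offline for longer than your patch or policy cadence are the ones whose profile and signature state you cannot vouch for; pair this report with the Not Registered quick-status filter when scoping an incident.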
You can use the quick status bar to quickly display filtered lists of endpoints on the Endpoints content pane.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup.
The list of endpoints and quick status bar display.
• Not Registered
• Out-Of-Sync
• Security Risk
• Quarantined
You can view each endpoint's details on the Endpoints content pane. For a description of the options on the Endpoints
content pane, see Viewing the Endpoints pane on page 87.
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or
workgroup displays.
2. Click an endpoint to display details about it in the content pane. Details about the endpoint display in the content
pane.
You can filter the list of endpoints displayed on the Endpoints content pane.
1. Go to Endpoints.
2. Click All Domains, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters. The filter options display. For text values, you can use a comma (,) to separate
values and an exclamation mark (!) to exclude a value. For buttons, hover the mouse over each button to view its
tooltip.
Tag Enter the tag(s) to include in the filter. This includes Zero Trust tagging and
classification tags. See Zero Trust Tags on page 188 and Viewing the
Endpoints pane on page 87.
Name Enter the name(s) of the deployment package to include in the filter.
Status Click one or more deployment status buttons to include in the filter.
Selected status buttons are green. Hover the mouse over each button to
view its tooltip. Clear the status button to exclude the status from the filter.
Excluded status buttons are gray.
Policy Status Click the policy status to include in the filter. Selected status buttons are
green. Choose between Synced and Out-Of-Sync. Clear the status button
to exclude the status from the filter. Excluded status buttons are gray.
Profile
EMS Status Click the status for FortiClient Telemetry connection to EMS to include in
the filter. Selected status buttons are green. Clear the status button to
exclude the status from the filter. Excluded status buttons are gray.
Events Select the events to include in the filter. The selected checkboxes beside
the events are included in the filter. Clear the checkbox beside the event to
exclude the event from the filter.
Features Enter the AV, Firewall, and/or vulnerability signature and/or engine to filter
for.
Bookmarks Displays the list of saved filter settings. Displays only after you have saved
a bookmark. Click the Bookmark button to name and save filter settings.
Click a bookmark to use the saved settings. Click the x beside a bookmark
to delete it.
Bookmark Click the Bookmark button to save the filter settings as a bookmark.
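The text-filter syntax described in step 3 (comma-separated values, an exclamation mark to exclude a value) can be reproduced outside the GUI, for example to post-process an endpoint export with the same semantics an analyst used in the Endpoints pane. The following Python code is an added example and is not part of this guide or of EMS; the endpoint fields, case-insensitive matching, and the rule that several included values are ORed while any excluded value wins are assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Sequence, Set, Tuple


@dataclass
class Endpoint:
    hostname: str
    tags: List[str] = field(default_factory=list)   # Zero Trust and classification tags
    policy_status: str = "Synced"                    # "Synced" or "Out-Of-Sync"
    ems_status: str = "Online"                       # Telemetry connection status to EMS


def parse_text_filter(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a text filter on commas; a value prefixed with '!' is an exclusion.
    Matching is case-insensitive (assumption; the guide does not say)."""
    include: Set[str] = set()
    exclude: Set[str] = set()
    for raw in text.split(","):
        value = raw.strip()
        if not value:
            continue
        if value.startswith("!"):
            exclude.add(value[1:].strip().lower())
        else:
            include.add(value.lower())
    return include, exclude


def values_match(values: Iterable[str], include: Set[str], exclude: Set[str]) -> bool:
    """An endpoint matches when none of its values is excluded and, if any include
    values were given, at least one of its values is among them (assumed OR)."""
    have = {v.lower() for v in values}
    if have & exclude:
        return False
    if include and not (have & include):
        return False
    return True


def filter_endpoints(endpoints: Sequence[Endpoint], tag_filter: str = "",
                     policy_statuses: Sequence[str] = (), ems_statuses: Sequence[str] = ()) -> List[Endpoint]:
    """Apply a Tag text filter plus the Policy Status and EMS Status button filters.
    An empty status selection means no restriction, as with no buttons selected."""
    include, exclude = parse_text_filter(tag_filter)
    policy_ok = {s.lower() for s in policy_statuses}
    ems_ok = {s.lower() for s in ems_statuses}
    result = []
    for ep in endpoints:
        if not values_match(ep.tags, include, exclude):
            continue
        if policy_ok and ep.policy_status.lower() not in policy_ok:
            continue
        if ems_ok and ep.ems_status.lower() not in ems_ok:
            continue
        result.append(ep)
    return result


# Constructed sample endpoints for illustration.
SAMPLE_ENDPOINTS = [
    Endpoint("fin-01", ["Critical", "Finance"], "Synced", "Online"),
    Endpoint("fin-02", ["Low", "Finance"], "Out-Of-Sync", "Online"),
    Endpoint("dev-01", ["Medium", "Dev"], "Synced", "Offline"),
    Endpoint("lab-01", ["Critical", "Lab"], "Synced", "Away"),
]

if __name__ == "__main__":
    # Critical endpoints that are synced and currently online
    for ep in filter_endpoints(SAMPLE_ENDPOINTS, "critical", ("Synced",), ("Online",)):
        print(ep.hostname)
```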
You can save filter settings as bookmarks, then select the bookmarks to use them.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters.
4. Click the Bookmark button.
5. In the New Bookmark field, enter a name for the filter settings, and press Enter. The bookmark displays under
Bookmarks.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu.
4. In the Bookmarks list, click a bookmark. The bookmark settings are used to filter the list of endpoints.
You can view a detailed report about a Sandbox event. EMS retrieves the report from FortiSandbox.
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or
workgroup displays.
2. Click an endpoint to display details about it in the content pane. Details about the endpoint display in the content
pane.
3. On the Sandbox Events tab, click the magnifying glass icon beside the desired Sandbox event. EMS displays a
detailed report about the Sandbox event.
4. Click Process Tree. For some events, you can see a graphical representation of the processes that the malware
created on FortiSandbox.
You can use tags for grouping and classifying endpoints, which can help with assessing incident impact and prioritizing
incidents by SOC analysts or SOAR playbooks.
You can assign a classification tag to an endpoint. Classification tags include the following:
• Default importance level tags (low, medium, high, or critical) to specify an endpoint's importance in the organization.
You can tag critical endpoints accordingly and monitor them for security incidents.
• Custom tags. You can create a maximum of eight custom tags. You can assign multiple custom tags to an endpoint
or group of endpoints.
FortiAnalyzer Fabric View shows tags for each endpoint. FortiAnalyzer FortiSoC playbook pulls endpoint information
from EMS using an EMS connector.
The following describes the process for configuring a classification tag and viewing the data in FortiAnalyzer:
1. Configure and apply classification tags to endpoints in EMS.
2. Configure FortiAnalyzer to receive the tags:
a. Configure the EMS-FortiAnalyzer Fabric connection.
b. Run the FortiSoC playbook to retrieve endpoint information from EMS.
By default, EMS tags all newly registered endpoints with the Low default importance tag.
1. In EMS, go to Endpoints.
2. To apply tags to a single endpoint, go to the desired endpoint. Under Classification Tags, to create a new custom
tag, click the Add button, enter the desired tag, then click the + button. You can also assign a new importance tag to
the endpoint.
3. To apply tags to multiple endpoints, select all desired endpoints, then select Action > Set Importance or Set Custom
Tags.
3. Click the FortiClient EMS tile. The Create New Fabric Connector dialog opens.
4. In the Configuration tab, configure the connector settings, enter the EMS IP address and administrator credentials.
Managing endpoints
You can run a full or quick AV scan on endpoints. Scanning starts on the endpoints with the next FortiClient Telemetry
communication.
For the difference between full and quick AV scans, see AntiVirus Protection on page 140.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start full antivirus scan or Start quick antivirus scan.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Quick AV Scan or Full AV Scan.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start vulnerability scan. Vulnerability scanning starts on the
endpoints with the next FortiClient Telemetry communication.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Vulnerability Scan. Vulnerability scanning starts on the endpoint
with the next FortiClient Telemetry communication.
You can request that FortiClient patch detected critical and high vulnerabilities on endpoints.
FortiClient can automatically patch many software vulnerabilities. However, the endpoint user must manually patch
some detected software vulnerabilities. If a vulnerability requires the endpoint user to download and install software to
patch it, FortiClient displays the information.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Patch critical/high vulnerabilities. FortiClient initiates automatic
vulnerability patching with the next FortiClient Telemetry communication.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Patch menu, select one of the following options:
• Selected Vulnerabilities on Selected Clients
FortiClient initiates automatic vulnerability patching with the next FortiClient Telemetry communication.
You can upload a FortiClient log file from one or several endpoints to FortiClient EMS. The log file is uploaded to the hard
drive on the computer on which you are running EMS. The uploaded log file is not visible in the FortiClient EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Upload FortiClient logs. The <Endpoint
serial number>_<Endpoint hostname>_log file is uploaded to the following location on your
computer: <drive>:\Program Files (x86)\Fortinet\FortiClientEMS\logs
You can use EMS to run the FortiClient diagnostic tool on one or multiple endpoints and export the results to the hard
drive on the computer on which you are running FortiClient EMS. The exported information is not visible in the FortiClient
EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Request Diagnostic Results.
The <Endpoint serial number>_<Endpoint hostname>_Diagnostic_Result.cab file is uploaded to
the following location on your computer: <drive>:\Program Files
(x86)\Fortinet\FortiClientEMS\logs.
Updating signatures
You can use EMS to request FortiClient update signatures on the endpoints.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Update Signatures. FortiClient receives the request to update
signatures and downloads the signatures from the Internet.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available FortiClient Logs. If you recently requested
FortiClient logs, you must wait at least five minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the logs to. Click Save. The logs are saved to your selected directory as
a .zip file.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available Diagnostic Results. If you recently
requested diagnostic results, you must wait at least twenty minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the logs to. Click Save. The logs are saved to your selected directory as
a .zip file.
Reregistering endpoints
You can reregister an endpoint that is currently online and registered to EMS. For example, if a new Telemetry gateway
list is assigned to the endpoint but the endpoint did not automatically reregister, you could reregister the endpoint to
manually request the endpoint to reread and follow the new Telemetry gateway list while reregistering.
To reregister endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Re-register. EMS reregisters the endpoint with the next
FortiClient Telemetry communication.
To disconnect endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Action menu, select Deregister. EMS disconnects the endpoint with the next
FortiClient Telemetry communication. After the endpoint is disconnected from EMS, you can reconnect the endpoint
to EMS manually.
Quarantining an endpoint
You can quarantine an endpoint using EMS. Quarantined endpoints cannot access the network.
You must enable Application Firewall for this feature to function. See Feature Select on page 241.
To quarantine an endpoint:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Quarantine.
The endpoint status changes to Quarantined, and EMS quarantines the endpoint with the next FortiClient Telemetry
communication.
You can remove an endpoint from quarantine by right-clicking the endpoint and selecting Unquarantine. EMS
removes the endpoint from quarantine with the next FortiClient Telemetry communication and restores network
access.
You can also provide the endpoint user with a one-time access code. The user can enter the code to access
FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in FortiClient. The code is
available under Quarantine Access Code after selecting a quarantined endpoint.
The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the
following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator
of Compromise (IoC) is detected. This requires the following network components:
• FortiGate
• FortiAnalyzer
• FortiClient EMS
• FortiClient
You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to
the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.
This configuration functions as follows:
1. FortiClient sends logs to the FortiAnalyzer.
2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the
EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine
the endpoint.
4. EMS searches for the endpoint and sends a quarantine message to it.
5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint
notifies the FortiGate and EMS of the status change.
Prerequisites
The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.
FortiClient
FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.
EMS
1. You must create a profile for the endpoint. See Creating a profile to configure FortiClient on page 136.
2. You must create and configure an endpoint policy that is configured with the desired profile and Telemetry gateway
list for the desired endpoint group. See Adding an endpoint policy on page 124.
3. Enable Remote HTTPS access. See Configuring EMS settings on page 228.
FortiGate
set minimum-interval 0
next
end
To create an EMS firewall address object, enter the following commands in the CLI:
There are separate instructions when using FortiOS 6.2.0 or a later version, and a version of FortiOS earlier than 6.2.0.
If using FortiOS 6.2.0 or a later version, do the following:
1. Go to Security Fabric > Settings.
2. Enable FortiClient Endpoint Management System (EMS).
3. In the Name field, enter the desired EMS name.
4. In the IP/Domain Name field, enter the EMS IP address or FQDN.
5. In the Serial Number field, enter the EMS serial number. You can find this in the System Information widget on the
EMS dashboard.
6. In the Admin User field, enter the EMS admin username.
7. In the Password field, enter the admin user's password.
8. Click Apply.
If using a FortiOS version earlier than 6.2.0, enter the following commands in the CLI. In the following commands,
<EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and
<PASSWORD> is the EMS administrator's password:
config endpoint-control forticlient-ems
edit "e01"
set address "EMS01"
set serial-number <EMS_SERIAL_NUMBER>
set rest-api-auth userpass
set https-port 443
set admin-username <EMS_ADMIN>
set admin-password <PASSWORD>
set admin-type Windows
next
end
Executing automation
Once prerequisites are met, you can trigger the automation process. The following procedure triggers the quarantine
action on the endpoint at <endpoint_ip_address>:
diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>
After this action, EMS and FortiOS both display that the endpoint is quarantined.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Exclude from Management.
Deleting endpoints
You can delete disconnected endpoints from EMS. This option is only available for non-domain devices.
To delete endpoints:
1. Go to Endpoints.
2. Click All Endpoints or a workgroup. A list of endpoints displays.
3. If the endpoint has a status of Registered, disconnect the endpoint.
4. Click an endpoint, and from the Action menu, select Delete Device.
5. In the dialog, click Yes. The endpoint is deleted from FortiClient EMS.
You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP
address, OS, or AD group.
If a newly connected endpoint does not match any group assignment rule and belongs to an imported AD domain, EMS
moves the endpoint into the OU to which it belongs in the AD domain tree. If no AD domain has been imported, or the
endpoint does not belong to the imported AD domain, EMS places it in the Other Endpoints group.
Creating a FortiClient 6.0+ deployment package includes an option to specify an installer ID. For example, consider you
want all endpoints located in your company's headquarters to be placed in the same endpoint group. You can configure
a FortiClient 6.0.1 deployment package with an "HQ" installer ID, then deploy this deployment package to the desired
endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired
group. In this situation, the process is as follows:
1. In FortiClient EMS, create an installer ID group assignment rule that requires endpoints with the installer ID "HQ" to
be placed into the HQ group. The installer ID and group name do not need to match. See Adding a group
assignment rule on page 107.
2. Create a FortiClient 6.0+ deployment package. Specify the "HQ" installer ID when creating or uploading the
installer. See Adding a FortiClient deployment package on page 120.
3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ
group.
If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group
assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.
You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address
range into the same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP
address range to be placed into the desired group. See Adding a group assignment rule on page 107.
2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are
placed in the specified group.
You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the
same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be
placed into the desired group. See Adding a group assignment rule on page 107.
2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the
specified group.
An endpoint may be eligible for multiple group assignment rules. When an endpoint is eligible for multiple endpoint group
assignment rules, two factors determine which rule EMS applies to the endpoint:
1. EMS applies group assignment rules to endpoints only if the rules are enabled on the Endpoints > Group
Assignment Rules page.
2. If an endpoint is eligible for multiple enabled rules, EMS applies the rule with the highest priority (priority level 1) to
the endpoint.
For example, consider an endpoint that has the "HQ" installer ID and an IP address in the 192.168.0.0/24 subnet, where
the HQ installer ID rule has priority level 1 and a 192.168.0.0/24 subnet rule places endpoints in the West Coast/Seattle
group. EMS places the endpoint in the HQ group. However, if you disable the HQ rule, EMS places the endpoint in the
West Coast/Seattle group, as per the 192.168.0.0/24 subnet rule.
You can reenable the HQ rule, then change the rule priority levels so that the 192.168.0.0/24 rule has priority level 1. In
this case, EMS places the endpoint in the West Coast/Seattle group.
An installer ID group assignment rule automatically places endpoints with the specified installer ID into the specified
endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select Installer ID.
4. In the Installer ID field, enter the desired installer ID.
An IP address group assignment rule requires all endpoints with an IP address in the specified subnet or IP address
range to be placed into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select IP Address.
4. In the Subnet/IP Range field, enter the desired subnet or IP address range. You must enter an IPv4 range, such as
192.168.1.1-192.168.1.5, or an IPv4 subnet with subnet mask, such as 192.168.0.0/28. You cannot enter an IPv6
range or subnet. EMS automatically places endpoints whose IP addresses belong to the specified subnet or
IP address range into the specified group.
5. In the Group field, do one of the following:
a. If you want to place the endpoints into an existing group, select the desired group from the dropdown list.
b. If you want to place the endpoints into a new group, click Create a new group and enter the desired group
name. FortiClient EMS creates the new group.
To create a new nested group, enter the desired group hierarchy. For example, to create a Seattle group
nested under a West Coast group, enter West Coast/Seattle. FortiClient EMS then dynamically creates any
group that does not exist. For example, if both the West Coast and Seattle groups do not exist, FortiClient EMS
creates both groups with the desired hierarchy. If the West Coast group exists, FortiClient EMS creates a new
Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
An OS group assignment rule requires all endpoints that have the specified OS installed to be placed into the specified
endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select OS.
4. In the OS field, enter the OS. EMS automatically places endpoints that have the specified OS installed into the
specified group. You can enter only the OS name or specify a version number. For example, you can enter
"Windows" to place endpoints with any version of Windows installed into the specified endpoint group. You can also
specify "Windows Server 2008" to only place endpoints that have Windows Server 2008 installed into the specified
endpoint group.
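The rule evaluation described in this section (enabled rules only, priority level 1 wins, IPv4 ranges and subnets but no IPv6, OS name prefix matching so that "Windows" covers every Windows version, and nested group paths such as West Coast/Seattle that create only the missing levels) can be modelled as follows. This Python code is an added example, not code from this guide or from EMS; the Rule and Endpoint fields and the HQ / West Coast/Seattle sample data are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    priority: int          # 1 is the highest priority level
    rule_type: str         # "installer_id", "ip" or "os"
    value: str             # installer ID, IPv4 "a-b" range or "x/nn" subnet, or OS name
    group: str             # target group; nested groups are written with "/"
    enabled: bool = True   # disabled rules are never applied


@dataclass
class Endpoint:
    hostname: str
    ip: str
    os: str
    installer_id: Optional[str] = None   # set by the deployment package, if any


def ip_matches(spec: str, ip_text: str) -> bool:
    """Match an IPv4 range ("192.168.1.1-192.168.1.5") or subnet ("192.168.0.0/28").
    IPv6 addresses never match, since EMS accepts IPv4 rules only."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        return False
    if "-" in spec:
        lo_text, hi_text = spec.split("-", 1)
        lo = ipaddress.IPv4Address(lo_text.strip())
        hi = ipaddress.IPv4Address(hi_text.strip())
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec.strip(), strict=False)


def os_matches(spec: str, os_name: str) -> bool:
    """"Windows" matches every Windows version; "Windows Server 2008" only that one."""
    return os_name.lower().startswith(spec.strip().lower())


def rule_matches(rule: Rule, ep: Endpoint) -> bool:
    if rule.rule_type == "installer_id":
        return ep.installer_id is not None and ep.installer_id == rule.value
    if rule.rule_type == "ip":
        return ip_matches(rule.value, ep.ip)
    if rule.rule_type == "os":
        return os_matches(rule.value, ep.os)
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def assign_group(rules: List[Rule], ep: Endpoint) -> Optional[str]:
    """Return the group of the highest-priority enabled rule that matches, or None
    (EMS then falls back to the endpoint's AD OU or the Other Endpoints group)."""
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule_matches(rule, ep):
            return rule.group
    return None


def ensure_group_path(tree: Dict[str, dict], path: str) -> Dict[str, dict]:
    """Create "West Coast/Seattle" as nested groups, adding only the levels that are missing."""
    node = tree
    for name in path.split("/"):
        node = node.setdefault(name, {})
    return node


# Constructed sample rules and endpoints mirroring the HQ / West Coast/Seattle example.
SAMPLE_RULES = [
    Rule(1, "installer_id", "HQ", "HQ"),
    Rule(2, "ip", "192.168.0.0/24", "West Coast/Seattle"),
    Rule(3, "os", "Windows Server 2008", "Servers"),
]
SAMPLE_ENDPOINTS = [
    Endpoint("hq-pc1", "192.168.0.10", "Windows 10", installer_id="HQ"),
    Endpoint("srv1", "10.0.0.5", "Windows Server 2008 R2"),
    Endpoint("lab-v6", "fe80::1", "Ubuntu 20.04"),
]

if __name__ == "__main__":
    groups: Dict[str, dict] = {}
    for ep in SAMPLE_ENDPOINTS:
        target = assign_group(SAMPLE_RULES, ep)
        if target:
            ensure_group_path(groups, target)
        print(f"{ep.hostname:8} -> {target}")
    print(groups)
```

Because an installer ID is chosen by whoever builds or edits the deployment package, treat installer ID rules as a convenience for placement rather than as an identity claim; a sensitive group should also be backed by an IP, OS, or AD group rule, or by Zero Trust tags, before it drives policy.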
Google Domains
FortiClient EMS needs to determine which Chromebooks to manage. Device information comes from the Google Admin
console. Google Domains is only available if you enabled System Settings > EMS Settings > EMS for Chromebooks
Settings. This section only applies if you are using FortiClient EMS to manage Google Chromebooks.
1. Go to Google Domains > Manage Domains, and click the Add button. The Google Domain pane displays.
2. In the Admin Email field, enter your Google domain admin email.
3. In the Organization Unit Path field, enter the domain organization unit path.
4. Click Save. EMS imports the Google domain information and users.
Viewing domains
After you add domains to FortiClient EMS, you can view the list of domains in Google Domains. You can also view the list
of Google users in each domain and details about each Google user in the User Details, Client Statistics, and Blocked
Sites panes.
1. Go to Google Domains > Domains and click a domain. The list of Google users displays.
User Details
Field Information
Name Username.
Last Login Date and time the user last logged into the domain.
Last Policy Retrieval Date and time that the Google Chromebook last retrieved the endpoint profile.
Effective Policy Name of the Chromebook policy assigned to the user in the domain.
Client Statistics
Charts Information
Blocked Sites Distribution (past <number> days) Displays the distribution of blocked sites in the past number of days.
You can configure the number of days for which to display information. Go to System Settings > Logs.
Top 10 Site Categories by Distribution (Past <number> Days) Displays the distribution of top ten site categories in the
past number of days. You can configure the number of days for which to display information. Go to System
Settings > Logs.
Fields Information
User Initiated Whether the user initiated visitation to the blocked site.
Editing a domain
To edit a domain:
Deleting a domain
To delete a domain:
You can use FortiClient EMS to deploy FortiClient on endpoints. Deploying FortiClient from FortiClient EMS requires the
following steps:
1. Prepare the AD server. See Preparing the AD server for deployment on page 114.
2. Prepare Windows endpoints for FortiClient. See Preparing Windows endpoints for FortiClient deployment on page
116.
3. Add the AD server to FortiClient EMS. See Adding endpoints using an AD domain server on page 85.
4. Add a profile and configure FortiClient features in the profile. See Creating a profile to configure FortiClient on page
136.
5. Create a deployment package with the profile in step 4 configured. See Adding a FortiClient deployment package
on page 120.
6. Create a deployment configuration. See Creating a deployment configuration on page 116.
After you deploy FortiClient on endpoints and endpoints connect to FortiClient EMS, you can update endpoints by editing
the associated profiles.
You can also use FortiClient EMS to uninstall and upgrade FortiClient on endpoints.
You cannot use FortiClient EMS to deploy an initial installation of FortiClient (macOS) to
endpoints. However, after FortiClient (macOS) is installed on endpoints and endpoints
connect to FortiClient EMS, you can use FortiClient EMS to uninstall and update FortiClient
(macOS) on endpoints.
Manage Deployment
Before you can successfully deploy a FortiClient installation, ensure you install and prepare the AD server as follows:
1. Configuring a group policy on the AD server on page 115
2. Configuring required Windows services on page 115
3. Creating deployment rules for Windows firewall on page 115
4. Configuring Windows firewall domain profile settings on page 115
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Windows
Settings > Security Settings > System Services.
2. In the right panel, select the following:
a. Task Scheduler: Automatic
b. Windows Installer: Manual
c. Remote Registry: Automatic
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Windows
Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.
2. Right-click Inbound Rules and select New Rule.
3. Select Predefined from the dropdown list and select File and Printer Sharing. Click Next.
4. Ensure that the File and Printer Sharing (SMB-In) checkbox is selected and click Next.
5. Select Allow the connection and click Finish.
6. Repeat steps 1 to 2.
7. Select Predefined from the dropdown list and select Remote Scheduled Tasks Management and click Next.
8. Ensure that the Remote Scheduled Tasks Management (RPC) box is checked and click Next.
9. Select Allow the connection and click Finish.
1. In the Group Policy Management Editor, in the left panel, go to Computer Configuration > Policies > Administrative
Templates > Network > Network Connections > Windows Firewall > Domain Profile.
2. Select Allow inbound file and printer sharing exception:
a. Right-click and select Edit.
b. Enable the radio button.
c. Provide the FortiClient EMS server's IP address in the text box.
d. Allow unsolicited incoming messages from these IP addresses.
e. Click OK.
To deploy the group policy manually, execute gpupdate /force on the AD server to update the
group profile on all endpoints.
Execute gpresult.exe /H gpresult.html on any AD client to view the group policy deployed
on the endpoints.
You must enable and configure the following services on each Windows endpoint before deploying FortiClient:
• Task Scheduler: Automatic
• Windows Installer: Manual
• Remote Registry: Automatic
You must configure Windows Firewall to allow the following inbound connections:
• File and Printer Sharing (SMB-In)
• Remote Scheduled Tasks Management (RPC)
AD group deployments require an AD administrator account. For non-AD deployments, you can share the deployment
package URL with users, who can then download and install FortiClient manually. You can locate the deployment
package URL in Deployment & Installers > FortiClient Installer.
When adding endpoints using an AD domain server, FortiClient EMS automatically resolves
endpoint IP addresses during initial deployment of FortiClient. FortiClient EMS can deploy
FortiClient (Windows) to AD endpoints that do not have FortiClient installed, as well as
upgrade existing FortiClient installations if the endpoints are already connected to FortiClient
EMS.
Endpoint Groups: Optional. Select the desired endpoint group. The list includes device groups for all imported domains
and workgroups.
Deployment Package: Select the desired deployment package from the dropdown list.
Start at a Scheduled Time: Specify what time to start installing FortiClient on endpoints.
Unattended Installation: When enabled, the end user cannot modify the installation schedule. If needed, the device
reboots without warning logged-in users.
Reboot When Needed: Reboot the endpoint to install FortiClient when needed.
Reboot When No Users Are Logged In: Allow the endpoint to reboot without prompt if no endpoint user is logged into
FortiClient.
Notify Users and Let Them Decide When To Reboot When Users Are Logged In: Notify the end user if a reboot of the
endpoint is needed and allow the user to decide what time to reboot the endpoint. Disable to reboot the endpoint without
notifying the user.
Username: Enter the username to perform deployment on AD. You must enter the admin credentials for the AD. The
credentials allow FortiClient EMS to install FortiClient on endpoints using AD. If the credentials are wrong, the installation
fails, and an error displays in FortiClient EMS.
4. Click Save.
An endpoint may be eligible for multiple deployment configurations. When an endpoint is eligible for multiple endpoint
deployment configurations, two factors determine which configuration EMS applies to the endpoint:
1. EMS applies deployment configurations to endpoints only if the configurations are enabled on the Deployment >
Manage Deployment page.
2. If an endpoint is eligible for multiple enabled configurations, EMS applies the configuration with the first priority level
to the endpoint.
In the example, consider an endpoint that belongs to the Legacy group. The endpoint is eligible for two configurations. In
this case, EMS applies the HQ 6.2.6 deployment configuration to the endpoint, since the HQ 6.2.6 configuration has a
higher priority level than the Legacy configuration.
However, if you disable the HQ 6.2.6 configuration, EMS applies the Legacy deployment configuration to the endpoint in
the Legacy group.
You can re-enable the HQ 6.2.6 rule, then change the configuration priority levels so that the Legacy configuration has
priority level 1. In this case, EMS applies the Legacy configuration to the endpoint.
You cannot use FortiClient EMS to deploy initial installations of FortiClient (macOS). You can deploy an initial installation
of FortiClient (macOS) by doing one of the following:
• Create a custom FortiClient (macOS) deployment package on FortiClient EMS with the FortiClient EMS IP address
embedded. Send the deployment package download link to users so they can install FortiClient manually on the
endpoint. Once installed, FortiClient (macOS) automatically connects to FortiClient EMS and supports future
deployments from FortiClient EMS directly.
• Use a third party application to perform initial deployment of FortiClient (macOS) to endpoints.
After FortiClient (macOS) is installed on endpoints and has connected FortiClient Telemetry to FortiClient EMS, you can
use FortiClient EMS to replace, upgrade, and uninstall FortiClient (macOS).
You can deploy a FortiClient software update from FortiClient EMS. A prompt appears on the FortiClient endpoint when
a deployment package requests to be deployed. The prompt requests the user to do one of the following:
1. Upgrade Now: If you select this option, FortiClient performs the upgrade and automatically restarts your computer.
2. Upgrade Later: If you select this option, you can indicate the time to start the upgrade. The default is 8:00 PM. Your
computer automatically restarts after the upgrade has finished.
3. No Option: If you do not select an option, the upgrade occurs by default at 8:00 PM. After FortiClient EMS uninstalls
the previous version, it asks if the user wants to reboot. The prompt requests the user to do one of the following:
a. Reboot: Select this option to have the reboot occur immediately.
b. Reboot later: Select this option to reboot the computer later. You cannot select a specific reboot time. Use this
option at your discretion.
Deploying different installer IDs to endpoints using the same deployment package
As described in Installer ID group assignment rules on page 106, you can include an installer ID in a FortiClient
deployment package. After FortiClient installation, the endpoint connects to EMS and EMS groups the endpoint
according to the installer ID group assignment rule. You can configure one installer ID for each deployment package.
In an environment with a large number of endpoints, you may have dozens of installer IDs that you want to use to group
endpoints automatically in EMS after installation. Since you can configure each deployment package with only one
installer ID, it may be inefficient to create a deployment package for each installer ID.
Instead, you can create a deployment package without an installer ID in EMS, then install FortiClient on the endpoint
using the CLI, providing the installer ID as one of the CLI options. You can use the same deployment package on
multiple endpoints, providing different installer IDs in the CLI depending on which group you want EMS to place the
endpoint in. When these endpoints connect to EMS, EMS groups them according to the installer ID provided in the CLI.
This process consists of the following:
1. Create a deployment package in EMS. Do not configure an installer ID. See Adding a FortiClient deployment
package on page 120.
2. Create installer ID group assignment rules to automatically move endpoints into the desired groups. See To add an
installer ID group assignment rule: on page 107.
3. Install FortiClient on endpoints using the following CLI commands:
For example, consider that you want to deploy the same deployment package but different installer IDs for the HR,
Marketing, and Office Management teams at your organization. In this scenario, you would use EMS to create a
deployment package without an installer ID and an installer ID group assignment rule for each endpoint group. Then, you
can install FortiClient on the HR, Marketing, and Office Management endpoints using the same deployment package
and the following CLI commands, respectively:
FortiClientSetup.exe /v"GROUP_TAG=<HR>"
FortiClientSetup.exe /v"GROUP_TAG=<Marketing>"
FortiClientSetup.exe /v"GROUP_TAG=<OM>"
After the endpoints connect to EMS, EMS automatically places them into groups based on their different installer IDs
(HR, Marketing, and OM).
FortiClient Installer
You can create deployment packages to deploy FortiClient to endpoints. Deployment packages include the FortiClient
installer, which determines the FortiClient release and patch to install on the endpoint. Deployment packages can also
include a Telemetry gateway list for connection to a FortiGate.
After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can
delete the deployment package from FortiClient EMS, and edit the deployment package
outside of FortiClient EMS. You can then add the edited deployment package to FortiClient
EMS.
Keep updated to the latest patch: Enable EMS to repackage the EMS-created FortiClient deployment package to the
latest patch release.
Available options may differ depending on the features you have enabled or disabled in
Feature Select. See Feature Select on page 241.
Zero Trust Telemetry: Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.
Secure Access Architecture Components: Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and
IPsec VPN support from the FortiClient deployment package.
If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint
profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for
three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the
corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the
three days, all FortiClient features, including VPN, stop working on their device.
See VPN on page 162 for details on configuring a VPN tunnel.
Vulnerability Scan: Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.
Advanced Persistent Threat (APT) Components: Install FortiClient with APT components enabled. Disable to omit APT
components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.
If you enable a feature in the deployment package that is disabled in Feature Select on page 241, the feature is
installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter
is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs
Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the
FortiClient GUI.
6. Click Next. On the Advanced tab, set the following options:
Enable desktop shortcut: Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.
Enable start menu shortcut: Configure the FortiClient deployment package to create a Start menu shortcut on the
endpoint.
Enable Installer ID: Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an
installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups
endpoints according to installer ID group assignment rules. See Group assignment rules on page 105.
If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group
assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.
In an environment with a large number of endpoints, since you can configure each deployment package with only one
installer ID, it may be inefficient to create a deployment package for each installer ID. See Deploying different installer
IDs to endpoints using the same deployment package on page 119.
Enable Endpoint Profile: Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once
it has installed FortiClient. This option is necessary if certain security features must be enabled before the endpoint first
contacts EMS, or if users require a VPN connection to reach EMS.
7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which will
manage FortiClient once it is installed on the endpoint.
8. Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment
Installers > FortiClient Installer pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg
files depending on the configuration. The following shows an example of a deployment package that includes .exe,
.msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired
configuration.
If the Sign software packages option is enabled in System Settings > EMS Settings, Windows
deployment packages display as being from the publisher specified in the certificate file. See
Configuring EMS settings on page 228.
After you add FortiClient deployment packages to FortiClient EMS, you can view them on the Deployment & Installers >
FortiClient Installer pane.
The Deployment Packages pane displays the following information about each deployment package:
• Name of the FortiClient deployment package
• Operating system (Windows and/or macOS)
• Version of FortiClient software for each OS
• Whether Auto Update is enabled or disabled
• Location of the FortiClient deployment package on FortiClient EMS. Endpoint users can access this location to
download and install FortiClient on endpoints.
Selecting a deployment package displays the following additional information:
• Enabled FortiClient features
• Configured endpoint profile
• Connection to FortiClient EMS
• Auto registration enabled/disabled
• Desktop shortcut enabled/disabled
• Start menu shortcut enabled/disabled
• Configured installer ID
• Notes included when creating the deployment package
You can also create or delete a deployment package and refresh the deployment package list.
You can create endpoint policies to assign endpoint profiles and on-fabric detection rules to groups of Windows, macOS,
and Linux endpoints. The Endpoint Policy & Components > Manage Policies page provides a comprehensive summary
of which endpoint policies are applied to which endpoint groups.
Manage Policies
Endpoint Policy Name: Enter the desired name for the endpoint policy.
Endpoint Groups: Select the device and/or user group to apply the policy to. You can select a group from all imported
domains and workgroups.
Users: Search for and select the desired domain users to apply the policy to.
Profile: Include an endpoint profile in the policy. From the dropdown list, select the desired endpoint profile.
Profile (Off-Fabric): Include an endpoint profile in the policy to apply to the endpoint when it is off-fabric according to the
on-fabric detection rules configured in this policy. For example, you may want to apply a more restrictive profile to the
endpoint when it is determined to be off-fabric. From the dropdown list, select the desired endpoint profile.
If including an off-fabric profile in a policy, also including on-fabric detection rules in the policy is recommended.
Otherwise, EMS may not apply on-fabric and off-fabric profiles as desired.
On-Fabric Detection Rules: Select the on-fabric detection rules to include in the policy. You can select multiple rules.
You must have already created on-fabric detection rules to include them in an endpoint policy. See On-fabric Detection
Rules on page 131.
Enable the Policy: Toggle to enable or disable the endpoint policy. You can enable or disable the policy at a later time
from Endpoint Policy & Components > Manage Policies.
4. Click Save. You can view the newly created policy on the Endpoint Policy & Components > Manage Policies page.
EMS pushes these settings to the endpoint with the next Telemetry communication.
An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, the
following factors determine which endpoint policy EMS applies to the endpoint:
1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy & Components > Manage
Policies page.
2. If an endpoint is eligible for multiple enabled endpoint policies, EMS determines which policy to apply using the
following order:
a. If there is a policy directly assigned to the user (configured in the Users field for the endpoint policy), EMS
assigns that policy to the endpoint.
b. If there are policies assigned to the group container and/or user group, EMS assigns the policy with the highest
priority level to the endpoint.
c. If there are inherited policies for group container and/or user group (policies assigned to a parent container or
group), EMS assigns the policy with the highest priority level to the endpoint.
In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_
general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the
All Groups/Seattle/HR subgroup.
In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible
for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR
group.
• Enable Seattle_general
• Move policies so that they have the following priorities:
  • SF_general: 1
  • Seattle_HR: 2
  • Seattle_general: 3
In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since
Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.
Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR
is not eligible for that policy.
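The precedence rules for deployment configurations (under Manage Deployment above) and for endpoint policies, as an added Python model that is not Fortinet's code. The data classes and group-path handling are assumptions, as is the tie-break between several policies directly assigned to one user; the HQ/Legacy and Seattle/SF scenarios follow the guide's examples, with both Seattle policies assumed to target the HR group itself because the guide's screenshots are not reproduced here.

```python
"""Added example (not Fortinet's code): models the precedence rules this guide
states for deployment configurations and endpoint policies. The data classes,
group path handling and the tie-break for several policies directly assigned
to one user are assumptions for illustration."""
from dataclasses import dataclass, field


@dataclass
class DeploymentConfig:
    name: str
    groups: set            # endpoint groups the configuration targets
    priority: int          # 1 is the first (highest) priority level
    enabled: bool = True


def select_deployment_config(endpoint_groups, configs):
    """Only enabled configurations count; among those the endpoint is
    eligible for, the one with the first priority level applies."""
    eligible = [c for c in configs
                if c.enabled and c.groups & set(endpoint_groups)]
    if not eligible:
        return None
    return min(eligible, key=lambda c: c.priority).name


@dataclass
class EndpointPolicy:
    name: str
    priority: int
    enabled: bool = True
    users: set = field(default_factory=set)    # Users field (direct assignment)
    groups: set = field(default_factory=set)   # group container / user group paths


def _parent_groups(group_path):
    """'All Groups/Seattle/HR' -> ['All Groups/Seattle', 'All Groups']"""
    parts = group_path.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def _first_priority(policies):
    # priority 1 comes before 2, and so on
    return min(policies, key=lambda p: p.priority).name


def select_endpoint_policy(user, group_path, policies):
    """Order stated in the guide: (1) only enabled policies are considered;
    (2a) a policy directly assigned to the user wins; (2b) otherwise the
    highest-priority policy assigned to the endpoint's own container or user
    group; (2c) otherwise the highest-priority policy inherited from a parent
    container or group. Returns the policy name, or None if nothing applies."""
    enabled = [p for p in policies if p.enabled]

    direct = [p for p in enabled if user in p.users]
    if direct:
        # assumption: priority breaks ties between several direct assignments
        return _first_priority(direct)

    own = [p for p in enabled if group_path in p.groups]
    if own:
        return _first_priority(own)

    parents = set(_parent_groups(group_path))
    inherited = [p for p in enabled if p.groups & parents]
    if inherited:
        return _first_priority(inherited)
    return None
```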
You can select columns to display in Endpoint Policy & Components > Manage Policies.
You can assign FortiClient policies based on endpoint devices in organizational units.
CA Certificates
After uploading or importing a certificate, you must configure it in a profile using the Install CA Certificate on Client option
to provision it to endpoints. See System Settings on page 178.
Uploading certificates
Importing certificates
IP address/Hostname: Enter the server IP/hostname in the following format: <ip address>:<port>.
You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-
fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in
the applied endpoint policy. See Adding an endpoint policy on page 124.
When a user switches accounts between a local non-domain account and a domain account on the same machine,
FortiClient EMS may not apply the correct policy to the endpoint.
On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier
versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric
status as Determining on-fabric/off-fabric status on page 133 describes.
DHCP Server: On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the
DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab,
just the DHCP Code tab, or both tabs. If configuring the IP/MAC Address tab, the MAC Address field is optional.
The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to
the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP
server as option 224. You may still use the FortiGate serial number as the DHCP code if desired.
EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified
configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.
DNS Server: Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the
rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses
using the + button.
EMS Connection: The only available option for this detection type is that EMS considers the endpoint as satisfying the
rule if it is online with EMS.
Local IP/Subnet: In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field,
optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or
wireless IP address is within the specified range and, if a MAC address is configured, its default gateway MAC address
matches the one specified. Configuring the MAC address is optional. You can configure multiple addresses using the +
button.
This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection
types do not apply to these endpoints.
Default Gateway: In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter
the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration
matches the specified IP address and, if configured, the MAC address. Configuring the MAC address is optional. You
can configure multiple addresses using the + button.
Ping Server: In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it
can access the server at the specified IP address. You can configure multiple addresses using the + button.
Public IP: In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its
public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.
Connection Media: From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers
the endpoint as satisfying the rule if its network settings match all configured fields.
VPN Tunnel: In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the
rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.
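The detection types described above as an added Python evaluator, not Fortinet's code: each rule is checked against a constructed snapshot of the endpoint's network state. EndpointState, the rule dictionary layout, and requiring both of a DHCP rule's IP/MAC and DHCP Code tabs to match when both are configured are assumptions, since EMS's own data model is not on this page.

```python
"""Added example (not Fortinet's code): evaluates the on-fabric detection rule
types described in the guide against a constructed snapshot of an endpoint's
network state. EndpointState, the rule dictionary layout and the AND between a
DHCP rule's IP/MAC and DHCP Code tabs are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EndpointState:
    """What FortiClient would report for the endpoint (constructed fields)."""
    ip_addresses: list = field(default_factory=list)   # Ethernet / wireless IPs
    gateway_ip: str = ""
    gateway_mac: str = ""
    dns_servers: list = field(default_factory=list)
    dhcp_server_ip: str = ""
    dhcp_server_mac: str = ""
    dhcp_code: str = ""                                 # DHCP option 224 string
    public_ip: str = ""                                 # WAN address
    reachable: set = field(default_factory=set)         # servers a ping reached
    ethernet_connected: bool = False
    wifi_connected: bool = False
    vpn_tunnels: set = field(default_factory=set)       # connected tunnel names
    ems_online: bool = False


def _norm_mac(mac):
    return mac.replace("-", ":").lower()


def _mac_eq(configured, observed):
    """Optional MAC fields only constrain the match when they are set."""
    if not configured:
        return True
    return _norm_mac(configured) == _norm_mac(observed)


def _in_range(ip, ip_range):
    """ip_range is 'first-last' (as in the IP Range field) or a CIDR block."""
    addr = ipaddress.ip_address(ip)
    if "-" in ip_range:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in ip_range.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(ip_range, strict=False)


def evaluate_rule(rule, st):
    """True when the endpoint satisfies one rule, following the guide's
    description of each detection type."""
    kind = rule["type"]
    if kind == "ems_connection":
        return st.ems_online
    if kind == "dns_server":
        return any(ip in st.dns_servers for ip in rule["ips"])
    if kind == "public_ip":
        return st.public_ip in rule["ips"]
    if kind == "ping_server":
        return any(ip in st.reachable for ip in rule["ips"])
    if kind == "vpn_tunnel":
        return any(name in st.vpn_tunnels for name in rule["names"])
    if kind == "connection_media":
        # every configured dropdown (Connected / Not Connected) must match
        observed = {"ethernet": st.ethernet_connected, "wifi": st.wifi_connected}
        return all(observed[m] == (want == "Connected")
                   for m, want in rule["media"].items())
    if kind == "default_gateway":
        return any(st.gateway_ip == e["ip"] and _mac_eq(e.get("mac"), st.gateway_mac)
                   for e in rule["entries"])
    if kind == "local_subnet":
        return any(_mac_eq(e.get("gateway_mac"), st.gateway_mac)
                   and any(_in_range(ip, e["range"]) for ip in st.ip_addresses)
                   for e in rule["entries"])
    if kind == "dhcp_server":
        # IP/MAC Address tab and DHCP Code tab may each be left empty;
        # assumption: when both are configured, both must match
        addresses, codes = rule.get("addresses", []), rule.get("codes", [])
        addr_ok = not addresses or any(
            st.dhcp_server_ip == e["ip"] and _mac_eq(e.get("mac"), st.dhcp_server_mac)
            for e in addresses)
        code_ok = not codes or st.dhcp_code in codes
        return addr_ok and code_ok
    raise ValueError(f"unknown detection type {kind!r}")


def matching_rules(rules, st):
    """Names of the rules this endpoint satisfies. Turning that into a single
    on-/off-fabric verdict belongs to the endpoint policy and is not modelled."""
    return [r["name"] for r in rules if evaluate_rule(r, st)]
```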
This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.
There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:
• DHCP on-fabric/off-fabric
• On-fabric detection rules configured for the endpoint's assigned policy
The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number
affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to
EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a
FortiGate and on-fabric with that FortiGate.
An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the
on-fabric networks.
An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the
on-fabric networks, or if no on-fabric rules are configured within the assigned policy.
You can create Chromebook policies to assign endpoint profiles to domains of Chromebook endpoints. The
Chromebook Policy > Manage Chromebook Policies page provides a comprehensive summary of which policies are
applied to which groups within the Google domain.
This option is only available if you enable the EMS for Chromebooks Settings option in System Settings > EMS Settings.
Chromebook policies function identically to Windows, macOS, and Linux endpoint policies except that you apply them to
Chromebook endpoints and can only include a Chromebook profile. For details on configuring a Chromebook policy,
refer to the equivalent sections in Endpoint Policy & Components on page 124.
You can use the default endpoint profile or create endpoint profiles for many configurations and situations. You can also
import FortiOS and FortiManager Web Filter profiles to EMS.
You can edit the default profile to add or remove settings. You can revert to default settings by clicking Revert to Default.
This section describes how to create a profile that excludes any installation or uninstallation of FortiClient software on
endpoints. You can use this profile type to configure FortiClient software on endpoints.
1. Go to Endpoint Profiles > Manage Profiles, and click the Add button. To create a Chromebook profile, click Add
Chrome.
2. In the Profile Name field, enter the profile name.
3. Configure the settings on the remaining tabs.
4. Click Save to save the profile.
When you install FortiClient EMS, a default profile is created. EMS applies this profile to any Google domains you add to
FortiClient EMS.
1. Go to Endpoint Profiles > Manage Profiles, and click the Add Chrome button.
2. In the Profile Name field, enter the profile name.
3. On the Web Filter tab, enable Web Filter, and set the web filtering options.
4. On the System Settings tab, set the logging options.
5. Click Save.
Viewing profiles
When you create endpoint profiles, they are listed under Endpoint Profiles in the left pane. You can view endpoint
profiles and their settings.
To view profiles:
1. Go to Endpoint Profiles > Manage Profiles. The content pane displays the list of profiles.
2. Click a profile name, then click Edit. The settings display in the content pane.
Managing profiles
Editing a profile
When you edit a profile that is assigned to endpoints or domains as part of an endpoint policy, FortiClient EMS
automatically pushes the changes to the endpoints or Chromebooks with the next Telemetry communication after you
save the profile.
To edit a profile:
Cloning a profile
To clone a profile:
For profiles imported from FortiGate or FortiManager, you can manually sync profiles so that they are updated with the
latest changes from the FortiGate or FortiManager that you imported them from.
1. Go to Endpoint Profiles > Import from FortiGate / FortiManager.
2. Select the desired profile.
3. Click Sync Now.
For profiles imported from FortiGate or FortiManager, you can edit the sync schedule.
1. Go to Endpoint Profiles > Manage Profiles.
2. Select the desired profile.
3. Click Edit Sync Schedule.
4. In the Synchronization Settings window, configure the following options:
a. One Time Pull: If selected, FortiClient EMS does not automatically sync profile changes from the FortiGate or
FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes
on page 138.
b. Group Schedule: Select to configure a group synchronization schedule for all selected profiles. Select the next
date and time to automatically update the profiles, and the profile update interval in days, hours, or seconds.
c. Individual Schedule: Select to configure an individual synchronization schedule for each selected profile.
Select the next date and time to automatically update each profile, and the profile update interval in days,
hours, or seconds.
Deleting profiles
Profile Name
Advanced: Select to configure the profile using XML on the XML Configuration tab. Displays advanced options for
configuration. This option is only available for Windows, macOS, and Linux profiles.
Malware Protection
The Malware Protection tab contains options for configuring AV, anti-ransomware, anti-exploit, cloud-based malware
detection, removable media access, exclusions list, and other options. Some options only display if you enable
Advanced view.
Only features that FortiClient EMS is licensed for are available for configuration. For example, if you have only applied
the ZTNA license, you can only enable and configure the Removable Media Access section. See Windows, macOS, and
Linux endpoint licenses on page 21 for details on which features each license type includes.
Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
AntiVirus Protection
Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.
Options / Description

Block Known Communication Channels Used by Attackers: Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.

Block Access to Malicious Websites: Block all access to malicious websites. You must select FortiProxy (Disable Only When Troubleshooting) on the System Settings tab before you can enable this option.
If you are syncing the profile's Web Filter settings from a Web Filter profile imported from FortiOS or FortiManager, you cannot configure actions for the security risk site categories in EMS. EMS synchronizes these settings from the FortiOS or FortiManager Web Filter profile. See Web Filter on page 151.

Security Risk: Configure an action for the security risk site category by selecting one of the following:
- Block
- Warn
- Allow
- Monitor
You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The security risk category contains the following subcategories:
- Dynamic DNS
- Malicious Websites
- Phishing
- Spam URLs

Use the Exclusion List Defined in the Web Filter Profile: If you enable this option, EMS uses the exclusion list on the Web Filter tab. If you disable this option, you must define exclusions under Exclusions.

Delete Malware Files After: Enter the number of days after which to delete malware files from the client.

Action On Virus Discovery: Select one of the following:
- Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
- Deny Access to Infected Files
- Ignore Infected Files

Alert When Viruses Are Detected: Displays the Virus Alert dialog when RTP detects a virus while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

Identify Malware and Exploits Using Signatures Received from FortiSandbox: Uses signatures from FortiSandbox to identify malware and exploits. This option is available only if the Sandbox Detection tab is enabled. Enter the number of minutes after which to update signatures.

Scan Compressed Files: Scan archive files, including zip, rar, and tar files, for threats. RTP exclusions list default file extensions.

Max Size: Only scan files under the specified size. To allow scanning compressed files of any size, enter 0.

Scan Files Accessed by User Process: Configure when RTP should scan files that a user-initiated process accesses. Select one of the following:
- Scan Files When Processes Read or Write Them
- Scan Files When Processes Read Them
- Scan Files When Processes Write Them

Scan Network Files: Scan network files for threats when a user-initiated process accesses them.

System Process Scanning: Enable system process scanning. Select one of the following:
- Scan Files When System Processes Read or Write Them
- Scan Files When System Processes Read Them
- Scan Files When System Processes Write Them
- Do Not Scan Files When System Processes Read or Write Them

Enable Windows Antimalware Scan Interface: Enable Microsoft Anti-Malware Interface Scan (AMSI). This feature is only available for Windows 10 endpoints. AMSI scans memory for the following malicious behavior:
- User Account Control (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and script.exe)
- JavaScript and VBScript
- Office VBA macros

Enable Machine Learning Analysis: Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.
From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
- Log detection and warn the User: detect the sample, display a
On Demand Scanning
Options / Description

Action On Virus Discovery: Select one of the following from the dropdown list:
- Warn the User If a Process Attempts to Access Infected Files
- Quarantine Infected Files. You can use FortiClient to view the quarantined file, virus name, and logs, as well as submit the file to FortiGuard.
- Ignore Infected Files

Integrate FortiClient into Windows Explorer's Context Menu: Adds a Scan with FortiClient AntiVirus option to the Windows Explorer right-click menu.

Hide AV Scan from Windows Explorer's Context Menu: Hide the AV scan option from Windows Explorer's context menu.

Hide AV Analyse from Windows Explorer's Context Menu: Hide the option to submit a file for AV analysis from Windows Explorer's context menu.

Pause Scanning When Running on Battery Power: Pause scanning when the computer is running on battery power.

Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console: Control whether the local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user who is not a local administrator cannot stop a scheduled or on-demand AV scan regardless of this setting.

Automatically Submit Suspicious Files to FortiGuard for Analysis: Automatically submit suspicious files to FortiGuard for analysis. You do not receive feedback for files submitted for analysis. The FortiGuard team can create signatures for any files that are submitted for analysis and determined to be malicious.

Scan Compressed Files: Scan archive files, including zip, rar, and tar files, for threats.

Max Size: Only scan files under the specified size (in MB). To allow scanning compressed files of any size, enter 0.

Max Scan Speed on Computers With: Select the minimum amount of memory that must be installed on a computer to maximize scan speed. AV maximizes scan speed by loading signatures on computers with at least this amount of memory:
- 4 GB
- 6 GB
- 8 GB
- 12 GB
- 16 GB

Enable Machine Learning Analysis: Enable or disable machine learning (ML). This feature uses the new FortiClient AV engine, which incorporates smarter signature-less ML-based advanced threat detection. The antimalware solution includes ML models for static and dynamic analysis of threats.
From the Action On Virus Discovery With Machine Learning Analysis dropdown list, select one of the following:
- Log detection and warn the User: detect the sample, display a
Scan On: If Weekly is selected, select the day of the week to perform the scan. If Monthly is selected, select the day of the month to perform the scan. If you configure monthly scans to occur on the 31st of each month, the scan occurs on the first day of the month for months with fewer than 31 days.
rootkits. The quick scan only scans executable files, DLLs, and drivers that are currently running for threats.
- Full: Runs the rootkit detection engine to detect and remove
- Custom: Runs the rootkit detection engine to detect and remove rootkits. In the Scan Folder field, enter the full path of the folder on your local hard disk drive to scan.

Scan Priority: Set to Low, Normal, or High. This refers to the amount of processing power that the scan uses and its impact on other processes.

Scan Removable Media: Scan connected removable media, such as USB drives, for threats, if present.

Scan Network Drives: Scan attached or mounted network drives for threats.

Enable Scheduled Scans Even When a Third-Party AV Product Is Present: Enable scheduled scans even when a third-party AV product is present.
Anti-Ransomware
Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes.
Options / Description

Protected Folders: Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient anti-ransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it, then click the Remove Folder button.

Protected File Types: Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, enter txt, as opposed to .txt.

Action: When anti-ransomware detects suspicious activity, it displays a popup asking the user if they want to terminate the process:
- If the user selects Yes, FortiClient terminates the suspicious process.
- If the user does not select an option, FortiClient waits for the configured action timeout,

Bypass Valid Signer: Enable FortiClient to exclude a process from the selected anti-ransomware action if it has a valid signer.
Anti-Exploit
Enable the anti-exploit engine to detect suspicious processes (payloads) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.
Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high-risk file types from external sources, such as the Internet or network drives, by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:
1. A high-risk file is downloaded or executed on the endpoint.
2. FortiClient generates a SHA1 checksum for the file.
3. FortiClient sends the checksum to FortiGuard, which checks it against the FortiGuard checksum library to determine if the file is malicious.
4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.
This feature only submits high-risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high-risk file types is the same as the list of file types submitted to Sandbox by default.
Options / Description

Server

Wait for Cloudscan Results before Allowing File Access: Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Cloudscan Result: Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.

All Files Executed from Removable Media: Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives: Submit all files executed from mapped network drives.

Exclude Files from Trusted Sources: Exclude files signed by trusted sources from cloud-based malware protection submission.

Remediation Actions

Action: Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on the Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on whether FortiGuard reports the file as malicious.
Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.
For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview
Options / Description

Show bubble notifications: Display a bubble notification when FortiClient takes action with a removable media device.

Action: Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that
rule.

Move this rule up/down: Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.

Default removable media access: Configure the action to take with removable media devices that do not match any configured rules. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that do
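The rule semantics described above (attribute matching on class, manufacturer, vendor ID, product ID and revision; the highest matching rule wins; a default action for unmatched devices; reordering with move up/down) as an added Python example. This is not FortiClient code: the MediaRule fields, the "*" wildcard meaning "any value", case-insensitive comparison, and the sample devices and IDs are assumptions constructed for illustration.

```python
"""Removable media access rules: ordered attribute-match rules, first
(highest) match wins, default action otherwise. Added example, not
FortiClient code; field names, "*" wildcard and sample IDs are assumed."""
from dataclasses import dataclass, field

# Attributes the page says a rule can match on.
MATCH_FIELDS = ("class", "manufacturer", "vendor_id", "product_id", "revision")


@dataclass
class MediaRule:
    name: str
    action: str                                   # "allow" or "block"
    criteria: dict = field(default_factory=dict)  # attribute -> value or "*"

    def matches(self, device):
        """A rule matches when every specified attribute equals the device's
        value (case-insensitive); unspecified or "*" attributes match anything."""
        for key in MATCH_FIELDS:
            wanted = self.criteria.get(key, "*")
            if wanted == "*":
                continue
            if str(device.get(key, "")).lower() != wanted.lower():
                return False
        return True


def evaluate(device, rules, default_action):
    """Return (action, rule_name). Rules are checked in list order, so the
    highest rule in the list wins when several are eligible; a device that
    matches nothing gets the default access action (rule_name None)."""
    for rule in rules:
        if rule.matches(device):
            return rule.action, rule.name
    return default_action, None


def move_rule(rules, name, up):
    """Return a copy of the rule list with the named rule moved one step up
    (towards higher priority) or down, mirroring the move up/down buttons."""
    rules = list(rules)
    i = next(i for i, r in enumerate(rules) if r.name == name)
    j = i - 1 if up else i + 1
    if 0 <= j < len(rules):
        rules[i], rules[j] = rules[j], rules[i]
    return rules


# Constructed sample policy: allow a corporate-issued USB disk by vendor and
# product ID, block every other disk drive, leave other device classes to
# the default action. The IDs are made up for this example.
RULES = [
    MediaRule("corp-usb", "allow",
              {"class": "DiskDrive", "vendor_id": "0x1234", "product_id": "0x5678"}),
    MediaRule("block-disk", "block", {"class": "DiskDrive"}),
]

if __name__ == "__main__":
    stick = {"class": "DiskDrive", "manufacturer": "ExampleCorp",
             "vendor_id": "0x1234", "product_id": "0x5678", "revision": "1.00"}
    print(evaluate(stick, RULES, "allow"))
    print(evaluate(stick, move_rule(RULES, "block-disk", up=True), "allow"))
```

The second print shows why rule order matters: once the block rule sits above the allow rule, the corporate disk is blocked even though its vendor and product IDs still match the allow rule.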
Exclusions
Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are not supported.
A longer exclusion list affects AV performance. Keep the exclusion list as short as possible.
When excluding a network share, you can enter the path using a drive letter (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).
Options / Description

Paths to Excluded Folders: Enter fully qualified folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.

Paths to Excluded Files: Enter fully qualified file paths in the provided text box to exclude these files from RTP and on-demand scanning.

File Extensions Excluded from Real-Time Protection: RTP skips scanning files with the specified extensions.

File Extensions Excluded from On Demand Scanning: On-demand AV protection skips scanning files with the specified extensions.
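The exclusion entry rules listed above (wildcards such as Edb*.jrs or *.jrs, the supported %...% path variables, no mixing of the two, and fully qualified drive-letter or UNC paths) as an added Python example that validates entries and tests a file path against a configured list. This is not FortiClient code and does not reproduce the engine's real matching; it assumes that wildcard entries are compared against the file name only, that a folder exclusion covers everything beneath the folder, and that comparison is case-insensitive as on Windows. ntpath is used so that Windows path semantics apply on any host.

```python
"""AV exclusion entries: validation against the documented rules and a
simple matcher. Added example, not FortiClient code; matching semantics
(name-only wildcards, folder prefix match, case-insensitive) are assumed."""
import fnmatch
import ntpath
import re

# Path variables the page lists as supported.
PATH_VARIABLES = {
    "%allusersprofile%", "%appdata%", "%localappdata%", "%systemroot%",
    "%systemdrive%", "%userprofile%", "%windir%",
}
_VAR_RE = re.compile(r"%[A-Za-z]+%")


def validate_exclusion(entry):
    """Return (ok, kind_or_reason) for one exclusion entry."""
    variables = [v.lower() for v in _VAR_RE.findall(entry)]
    has_wildcard = "*" in entry
    if variables and has_wildcard:
        return False, "combinations of wildcards and variables are not supported"
    unknown = [v for v in variables if v not in PATH_VARIABLES]
    if unknown:
        return False, "unsupported path variable " + unknown[0]
    if has_wildcard:
        return True, "wildcard"        # e.g. Edb*.jrs or *.jrs
    if variables:
        return True, "variable"        # e.g. %windir%\Temp
    if re.match(r"^[A-Za-z]:\\", entry) or entry.startswith("\\\\"):
        return True, "absolute"        # drive letter or UNC path
    return False, "path must be fully qualified (drive letter or UNC)"


def expand(entry, env):
    """Replace %var% tokens case-insensitively from env (keys in lowercase)."""
    return _VAR_RE.sub(lambda m: env.get(m.group(0).lower(), m.group(0)), entry)


def _norm(path, env=None):
    # normpath collapses ".." and trailing separators; normcase lowercases.
    return ntpath.normcase(ntpath.normpath(expand(path, env or {})))


def is_excluded(path, folders=(), files=(), patterns=(), env=None):
    """True if path is covered by an excluded folder, an excluded file, or a
    wildcard pattern (assumed to apply to the file name only)."""
    p = _norm(path)
    for folder in folders:
        f = _norm(folder, env)
        if p == f or p.startswith(f + "\\"):
            return True
    if any(p == _norm(f, env) for f in files):
        return True
    name = ntpath.basename(p)
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in patterns)


if __name__ == "__main__":
    # Constructed entries; the variable mapping stands in for the endpoint's environment.
    env = {"%appdata%": "C:\\Users\\alice\\AppData\\Roaming"}
    for e in ("Edb*.jrs", "%windir%\\Temp\\*.log", "%appdata%\\App", "Temp\\cache"):
        print(e, "->", validate_exclusion(e))
    print(is_excluded("C:\\Users\\alice\\AppData\\Roaming\\App\\cache.bin",
                      folders=["%appdata%\\App"], env=env))
```

The validator rejects the one combination the page rules out (a path variable together with a wildcard) and relative paths, and the matcher shows why a folder exclusion must be compared as a path prefix plus separator: otherwise an entry for App would silently cover a sibling folder named Appx.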
Other
Options / Description

Scan for Rootkits: Scan for files implementing advanced OS hooks used by malware to protect themselves from being shut down, killed, or deleted. A rootkit is a collection of programs that enables administrator-level access to a computer or computer network. Typically, a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.

Scan for Adware: Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.

Scan for Riskware: Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, present a possible but not definite risk to the computer.

Enable Advanced Heuristics: Enable AV scanning with heuristic signatures. Advanced heuristics is a sequence of heuristics to detect complex malware.

Scan Removable Media on Insertion: Scan removable media (CDs, DVDs, Blu-ray disks, USB keys, etc.) on insertion.

Scan Email: Scan emails for threats over the SMTP and POP3 protocols.

Scan MIME Files (Inbox Files): Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types. MIME is an Internet standard that extends the format of email to support the following:
- Text in character sets other than ASCII
- Non-text attachments (audio, video, images, applications)
- Message bodies with multiple parts
Sandbox Detection
Enable Sandbox Detection. Some options only display if you enable Advanced view.
Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiSandbox Cloud options are unavailable. See Windows, macOS, and Linux endpoint licenses on page 21 for details on which features each license type includes.
This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.
Options / Description

Server

IP address/Hostname: Enter the FortiSandbox's IP address or hostname. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available for a FortiSandbox appliance.

Username: Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 95.

Password: Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 95.

Region: FortiSandbox Cloud region. See Configuring FortiGuard Services settings on page 233.

Time Zone: FortiSandbox Cloud time zone. See Configuring FortiGuard Services settings on page 233.

License Status: Displays the Sandbox Cloud license status. Using FortiSandbox Cloud requires an additional license. See FortiClient EMS on page 20.

Excluded File Extensions: Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access: Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result: Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

All Files Executed from Removable Media: Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives: Submit all files executed from mapped network drives.

Remediation Actions

Action: Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on the Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on whether FortiSandbox reports the file as malicious and on the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level: Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file at this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).

Exceptions

Exclude Files from Trusted Sources: Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources that FortiSandbox trusts:
- Microsoft
- Fortinet
- Mozilla
- Windows
- Google
- Skype
- Apple
- Yahoo!
- Intel

Exclude Specified Folders/Files: Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files: Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Other

Hide Sandbox Scan from Windows Explorer's Context Menu: Hide the Sandbox scan option from Windows Explorer's right-click context menu.

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number in the System Information widget on the Dashboard.
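The decision flow shared by the cloud-based malware protection process (SHA1 checksum of a high-risk file, lookup against a checksum library, Wait for Cloudscan Results / Deny Access when there is no result) and by the Sandbox Detection remediation settings (Quarantine or Alert & Notify applied only when the verdict reaches the configured FortiSandbox Detection Verdict Level), as one added Python example. This is not FortiClient code: the Verdict ordering, the ScanPolicy fields, the lookup function signature, and the sample files are assumptions constructed for illustration, and the high-risk extension set is only the short list the page gives, not the full list.

```python
"""Hash-lookup-decide flow for cloud scan and sandbox verdicts. Added
example, not FortiClient code; verdict order, policy fields and the lookup
signature are assumptions. The "library" is keyed by the SHA1 of constructed
sample bytes computed at runtime, so no real indicator is embedded."""
import hashlib
import tempfile
from dataclasses import dataclass
from enum import IntEnum
from pathlib import Path

# Short list from the page; the real high-risk list is longer.
HIGH_RISK_EXTENSIONS = {".exe", ".doc", ".pdf", ".dll"}


class Verdict(IntEnum):
    """Assumed ordering so 'this level or higher' is a plain comparison."""
    CLEAN = 0
    LOW_RISK = 1
    MEDIUM = 2
    HIGH = 3
    MALICIOUS = 4


@dataclass
class ScanPolicy:
    action: str = "quarantine"               # Quarantine or Alert & Notify ("alert")
    wait_seconds: int = 30                   # Wait for ... Results before Allowing File Access
    deny_when_no_result: bool = True         # Deny Access to File When There Is No ... Result
    verdict_level: Verdict = Verdict.MEDIUM  # FortiSandbox Detection Verdict Level


def sha1_of_file(path):
    """Step 2 of the cloud scan process: SHA1 of the file, streamed."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path, lookup, policy):
    """Return (access decision, reason). lookup(sha1_hex, timeout_seconds)
    returns a Verdict, or None when no result arrived within the timeout
    (service unreachable), which is where deny_when_no_result applies."""
    if Path(path).suffix.lower() not in HIGH_RISK_EXTENSIONS:
        return "allow", "not a high risk file type"   # never submitted
    verdict = lookup(sha1_of_file(path), policy.wait_seconds)
    if verdict is None:
        return ("deny" if policy.deny_when_no_result else "allow"), "no result"
    if verdict >= policy.verdict_level:
        return policy.action, verdict.name           # at or above the level
    return "allow", verdict.name                     # below the level


SAMPLE_MALWARE_BYTES = b"MZ constructed sample, not a real executable\n"
CHECKSUM_LIBRARY = {hashlib.sha1(SAMPLE_MALWARE_BYTES).hexdigest(): Verdict.MALICIOUS}


def library_lookup(digest, timeout_seconds):
    """Stands in for the FortiGuard checksum query: a library hit is malware."""
    return CHECKSUM_LIBRARY.get(digest, Verdict.CLEAN)


def offline_lookup(digest, timeout_seconds):
    """Stands in for an unreachable service: no result within the timeout."""
    return None


def make_sample_files():
    """Write constructed sample files to a temp dir; returns (exe, pdf, txt)."""
    d = Path(tempfile.mkdtemp())
    exe, pdf, txt = d / "sample.exe", d / "report.pdf", d / "notes.txt"
    exe.write_bytes(SAMPLE_MALWARE_BYTES)
    pdf.write_bytes(b"%PDF-1.4\nconstructed clean sample\n")
    txt.write_bytes(b"plain text is not a high risk type\n")
    return exe, pdf, txt


if __name__ == "__main__":
    exe, pdf, txt = make_sample_files()
    policy = ScanPolicy()
    for f in (exe, pdf, txt):
        print(f.name, decide(f, library_lookup, policy))
    print(exe.name, "service offline:", decide(exe, offline_lookup, policy))
```

The two policy knobs interact the way the table describes: with deny_when_no_result set, an unreachable service blocks the high-risk file until a result arrives, while a file whose verdict is below the configured level is allowed even though it was not reported Clean.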
Web Filter
For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the System Settings tab to use the Web Filter options.
Configuration / Description

Sync web filter profile from FortiGate / FortiManager in the fabric: From the dropdown list, select the desired FortiOS or FortiManager Web Filter profile. When this option is enabled, you cannot modify the profile's Web Filter settings in EMS. Instead, EMS synchronizes Web Filter settings for this profile from the configured FortiGate or FortiManager, depending on the synchronization schedule configured in Importing a Web Filter profile from FortiOS or FortiManager on page 158. You can still modify the profile's settings for other features, such as VPN or AV, from EMS.
This option is only available if you have previously imported a Web Filter profile from FortiOS or FortiManager. See Importing a Web Filter profile from FortiOS or FortiManager on page 158.

General

Enable WebFiltering on FortiClient: Select Always On to enable client web filtering when on-fabric. Select Only When Endpoint is Off-Fabric to enable Web Filter on endpoints only when the endpoint is considered off-fabric. See On-fabric Detection Rules on page 131.
This setting affects the Block Access to Malicious Websites setting in Malware Protection on page 140.

Log All URLs: Log all URLs. When this setting is disabled, FortiClient EMS only logs URLs as specified by per-category or per-URL settings.

Enable Web Browser Plugin for HTTPS Web Filtering: Enable a web browser plugin for HTTPS web filtering. This improves detection and enforcement of Web Filter rules on HTTPS sites. After this option is enabled, the user must open the browser to approve installing the new plugin. EMS only installs the web browser plugin for the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on Windows platforms.

Sync Mode: When this option is enabled, the web browser waits for a response from an HTTPS request before sending another HTTPS request.

Check User Initiated Traffic Only: Use the web browser plugin for only user-initiated traffic. This allows for faster processing. When this option is disabled, the plugin checks all URL requests.

Enable Safe Search: For Windows endpoints and Chromebooks, when enabling Safe Search, you can configure the Restriction Level to Strict or Moderate. This setting affects the content that endpoint users can access via YouTube and search engines, including Google and Bing. For Chromebooks, to set YouTube access to Unrestricted, you can disable Safe Search and configure Google Search and YouTube access with the Google Admin Console instead of FortiClient EMS.
For macOS endpoints, enabling Safe Search sets the endpoint's Google search to Restricted mode and YouTube access to Strict Restricted access.

Site Categories: Enable site categories from FortiGuard. When you disable site categories, the exclusion list protects FortiClient.
See the FortiGuard website for descriptions of the available categories and subcategories.
For all categories, you can configure an action for the entire site category by selecting one of the following:
- Block
- Warn
- Allow
- Monitor
You can also click the + button beside the site category to view all subcategories and configure individual actions (Block, Warn, Allow, Monitor) for each subcategory. The following lists each site category's subcategories.
- Streaming Media and Download
Unrated

Rate IP Addresses: Have FortiClient request the rating of the site by URL and IP address separately, providing additional security against attempts to bypass the FortiGuard Web Filter.
If the rating determined by the domain name and the rating determined by the IP address differ, a weighting assigned to the different categories determines the action that FortiClient enforces. The higher weighted category takes precedence in determining the action. This has the side effect that sometimes the Action is determined by the classification based on the domain name and other times it is determined by the classification based on the IP address.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes cause FortiClient to allow access to sites that should be blocked, or to block sites that should be allowed.
For example, if a URL's rating based on the domain name places it in the category Lingerie and Swimsuit, which is allowed, but the category assigned to the IP address is Pornography, which has an action of Block, the effective action is Block because the Pornography category has a higher weight.

Use HTTPS Rating Server: By default, Web Filter sends URL rating requests to the FortiGuard rating server via the UDP protocol. You can instead enable Web Filter to send the requests via the TCP protocol.

Allow websites when rating error occurs: Configure the action to take with all websites when FortiGuard is temporarily unavailable. This may occur when an endpoint is forced to access a network via a captive portal. FortiClient takes the configured action until contact is reestablished with FortiGuard. Available options are:
- Block: Deny access to any websites. This may prevent endpoints

FortiGuard Server Location: Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.
FortiClient connects to FortiGuard to query for URL ratings. The URLs connected to for each server location are as follows:
- FortiGuard:
  - Global: fgd1.fortigate.com
  - U.S.: usfgd1.fortigate.com
- FortiGuard Anycast:
  - Global: fctguard.fortinet.net
  - U.S.: fctusguard.fortinet.net
  - Europe: fcteuguard.fortinet.net

Keyword Scanning on Search Engine: Use rating categories from FortiGuard to allow, block, or monitor searches for certain terms. This feature is only available for Chromebooks.

Banned Word Search: Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:
- Violence/Terrorism
- Extremist
- Pornography
- Cyber Bullying
- Self Harm

Custom Banned Words: Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On.
You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button.

Exclusion List

URL: Enter specific URLs to allow, block, or monitor. You can provide the full URL or only the domain name.

Referrer/Host: Enter a specific referrer or host to allow, block, or monitor. You can provide the full URL or only the domain name.
If the end user visits the URL through the referrer provided, EMS considers the rule a match and applies the specified action. If the end user visits the URL directly or through a different referrer, EMS does not consider the rule a match and does not apply the specified action.

Move this rule up/Move this rule down: Move the exclusion rule up/down in the list. If multiple exclusion rules are applicable, EMS applies the first applicable exclusion rule.
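The Web Filter decision logic described in the table above, as an added Python example: exclusion rules are consulted first (the first applicable rule wins; a URL rule matches the visited URL, a Referrer/Host rule matches only when the page is reached through that referrer), then the FortiGuard category rating applies, with Rate IP Addresses choosing the higher-weighted of the domain and IP categories, and a configured fallback action when the rating service is unreachable. This is not FortiClient code. The category weights, the per-category actions, the rating responses, and the "monitor" default for unknown categories are assumptions constructed for illustration; the page states that weights exist but does not publish their values.

```python
"""Web Filter decision order: exclusion list, then category rating with
domain/IP weighting, then rating-error fallback. Added example, not
FortiClient code; weights, actions and sample ratings are constructed."""
from urllib.parse import urlparse

# Constructed weights: the higher one wins when domain and IP ratings differ.
CATEGORY_WEIGHT = {
    "Malicious Websites": 100,
    "Pornography": 90,
    "Lingerie and Swimsuit": 40,
    "Business": 10,
}
# Constructed per-category actions, as an administrator would configure them.
CATEGORY_ACTION = {
    "Malicious Websites": "block",
    "Pornography": "block",
    "Lingerie and Swimsuit": "allow",
    "Business": "allow",
}


class RatingError(Exception):
    """Raised when the FortiGuard rating server cannot be reached."""


def _host(url):
    """Hostname of a URL, or the bare value when only a domain was given."""
    return urlparse(url).hostname or url.lower()


def _matches(pattern, full_url):
    """An entry may be the full URL or only the domain name."""
    return full_url.lower() == pattern.lower() or _host(full_url) == _host(pattern)


def exclusion_action(url, referrer, rules):
    """rules: list of (kind, pattern, action), kind "url" or "referrer", in
    list order. Returns the first applicable rule's action, else None."""
    for kind, pattern, action in rules:
        target = url if kind == "url" else referrer   # referrer rules need a referrer
        if target and _matches(pattern, target):
            return action
    return None


def effective_category(rating, rate_ip):
    """rating: {"domain": category, "ip": category or None}. With Rate IP
    Addresses on, the higher-weighted category decides."""
    domain_cat, ip_cat = rating["domain"], rating.get("ip")
    if not rate_ip or ip_cat is None:
        return domain_cat
    return max((domain_cat, ip_cat), key=lambda c: CATEGORY_WEIGHT.get(c, 0))


def decide(url, referrer, rules, rate, rate_ip=True, on_rating_error="allow"):
    """Return (action, reason). rate(url) returns a rating dict or raises
    RatingError; on_rating_error is the 'Allow websites when rating error
    occurs' setting ("allow" or "block")."""
    excl = exclusion_action(url, referrer, rules)
    if excl is not None:
        return excl, "exclusion list"
    try:
        rating = rate(url)
    except RatingError:
        return on_rating_error, "rating error"
    category = effective_category(rating, rate_ip)
    return CATEGORY_ACTION.get(category, "monitor"), category   # assumed default


# Constructed ratings standing in for FortiGuard responses; anything else
# raises RatingError to simulate the service being unreachable.
SAMPLE_RATINGS = {
    "swimwear.example": {"domain": "Lingerie and Swimsuit", "ip": "Pornography"},
    "intranet.example": {"domain": "Business", "ip": "Business"},
}


def sample_rate(url):
    try:
        return SAMPLE_RATINGS[_host(url)]
    except KeyError:
        raise RatingError("no rating available for " + _host(url))


if __name__ == "__main__":
    rules = [("url", "intranet.example", "allow"),
             ("referrer", "https://portal.example/", "block")]
    print(decide("https://swimwear.example/catalog", None, rules, sample_rate))
    print(decide("https://swimwear.example/catalog", None, rules, sample_rate, rate_ip=False))
    print(decide("https://unknown.example/", None, rules, sample_rate, on_rating_error="block"))
```

The first two prints reproduce the page's Lingerie and Swimsuit versus Pornography example: the same URL is blocked with Rate IP Addresses enabled and allowed with it disabled, which is the side effect the text warns about.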
You can import a Web Filter profile from FortiOS or FortiManager into FortiClient EMS, then synchronize the Web Filter profile settings to an endpoint profile in FortiClient EMS.
This feature is only available if Web Filter is enabled in Feature Select. See Feature Select on page 241.
IP address/Hostname: Enter the IP address and port of the FortiGate or FortiManager from which you are importing the profile, in the format <ip address>:<port>.
Password: Enter the password for the user account entered above.
The list of Web Filter profiles configured on the FortiGate or FortiManager displays. You can click the </> icon beside each profile to preview the settings in XML format.
5. Select the profiles to import into FortiClient EMS and click Next.
6. Under Synchronization Mode, select one of the following options:
   a. One Time Pull: FortiClient EMS does not automatically sync profile changes from the FortiGate or FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes on page 138.
   b. Group Schedule: Configure a group synchronization schedule for all selected profiles. Select the next date and time to automatically update the profiles, and the profile update interval in days, hours, or minutes.
   c. Individual Schedule: Configure an individual synchronization schedule for each selected profile. Select the next date and time to automatically update each profile, and the profile update interval in days, hours, or minutes.
7. Click Import. EMS imports the selected profiles and displays them in Endpoint Profiles > Import from FortiGate/FortiManager in a group named after the FortiGate or FortiManager that you imported them from. You can now configure an EMS endpoint profile to synchronize Web Filter settings from the imported FortiGate or FortiManager Web Filter profile. See Web Filter on page 151.
The search engine provides a Safe Search feature that blocks inappropriate or explicit images from search results. The Safe Search feature helps avoid most adult content. FortiClient EMS supports Safe Search for most common search engines, such as Google, Yahoo, and Bing.
The profile in FortiClient EMS controls the Safe Search feature.
Following are examples of search results with the Safe Search feature disabled and enabled. Notice the difference between the number of results. Here are the search results when the Safe Search feature is disabled, which has about 285000000 results:
Here are the search results when the Safe Search feature is enabled, which has about 256000000 results.
1. In FortiClient EMS, in the Endpoint Profiles > Manage Profiles area, click the Default - Chromebooks profile or another profile.
2. On the Web Filter tab, enable or disable Enable Safe Search.
Application Firewall
FortiClient does not include SSL deep inspection. Because FortiClient cannot apply signatures marked as "Deep Inspection", do not use these signatures in a profile.
Configuration / Description
Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

General

Notification Bubbles on User's Desktop When Applications Are Blocked: Enable notification bubbles when applications are blocked.

Detect & Block Exploits: Inspect network traffic for intrusions attempting to exploit known vulnerabilities.
VPN
Configuration / Description

General

Allow Personal VPN: Allow users to create, modify, and use personal VPN configurations.

Disable Connect/Disconnect: Disable the Connect/Disconnect button when using Auto Connect with VPN.

Show VPN before Logon: Allow users to select a VPN connection before logging into the system.

Use Windows Credentials: If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.

Minimize FortiClient Console on Connect: Minimize FortiClient after successfully establishing a VPN connection.

Suppress VPN Notifications: Block FortiClient from displaying any VPN connection or error notifications.

Use Vendor ID: Use a vendor ID. Enter the vendor ID in the Vendor ID field.

Auto Connect: Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established the VPN connection manually at least once from the FortiClient GUI.

Auto Connect Only When Off-Fabric: Autoconnect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules.

Always Up Max Tries: Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.
SSL VPN
Configuration Description
Configuration Description
DNS Cache Service Control FortiClient disables Windows DNS cache when an SSL VPN tunnel is
established. The DNS cache is restored after the SSL VPN tunnel is
disconnected. If it is observed that FSSO clients do not function correctly
when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the
DNS cache.
Prefer SSL VPN DNS When disabled, EMS does not add the custom DNS server from SSL VPN
to the physical interface. When enabled, EMS prepends the custom DNS
server from SSL VPN to the physical interface.
Do Not Accept Invalid Server Certificate FortiClient does not complete the requested VPN connection when an
invalid SSL VPN server certificate is used.
Enable Invalid Server Certificate FortiClient displays a warning to the user when an invalid
Warning SSL VPN certificate is used.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an SSL VPN tunnel using manual
configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available
for manual SSL VPN tunnel creation:
Basic Settings
Name Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols
or accented characters.
Remote Gateway Enter the remote gateway IP address/hostname. You can configure multiple remote
gateways by clicking the + button. If one gateway is not available, the tunnel connects
to the next configured gateway.
Prompt for Username Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Office 365
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering a directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use leading or trailing spaces, and do not add double quotes to full paths that contain spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
• Application Name: teams.exe;firefox.exe
• Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
• Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
Advanced Settings
Show Passcode: Display Passcode instead of Password in the VPN tab in FortiClient.
Enable Invalid Server Certificate Warning: Display a warning to the user that the certificate is invalid before attempting VPN connection.
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Failover SSL VPN Connection: If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel. See SAML SSO.
Redundant Sort Method: How FortiClient determines the order in which to try connecting to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Show "Remember Password" Option: Show the option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.
Show "Always Up" Option: Show the option to have the VPN tunnel always up. You must also enable this option on the FortiGate.
Show "Auto Connect" Option: Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.
IPsec VPN
Configuration Description
Beep If Connection Fails: PC beeps if connection to the IPsec VPN tunnel fails.
Show Auth Certificates Only: Only shows certificates with authentication in certificate features.
Check for Certificate Private Key: Does not show certificates if the private key is not directly accessible, such as for smartcards.
Enhanced Key Usage Mandatory: Lists only certificates with private keys that allow enhanced key usage.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an IPsec VPN tunnel using manual
configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available
for manual IPsec VPN tunnel creation:
Basic Settings
Name: Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.
Remote Gateway: Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.
Pre-Shared Key: Enter the required preshared key. Available if you selected Pre-Shared Key for Authentication Method.
Prompt for Username: Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Office 365
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering a directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use leading or trailing spaces, and do not add double quotes to full paths that contain spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
• Application Name: teams.exe;firefox.exe
• Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
• Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
VPN Settings
Specify DNS Server (IPv4): Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.
Assign IP Address (IPv4): Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.
Split Table: Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.
Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required. You must select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
DH Groups: Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.
Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Enable Implied SPDO: Enable implied SPDO. Enter the timeout in seconds.
Dead Peer Detection: Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal: Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Allow non-administrators to use machine certificates: Allow non-administrator users to use local machine certificates to connect to IPsec VPN.
Phase 2: Select the encryption and authentication algorithms to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
DH Group: Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.
Key Life: Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS): Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
Advanced Settings
Enable XAuth: When IKEv1 is selected, enable IKE Extended Authentication (XAuth). When IKEv2 is selected, enable Extensible Authentication Protocol (EAP).
XAuth Timeout: Only available if Enable XAuth is enabled. Configure the timeout in seconds. The default value is two minutes if not configured. Enter a value between 120 and 300 seconds.
Show Passcode: Display Passcode instead of Password in the VPN tab in FortiClient.
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Failover SSL VPN Connection: If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel. See SAML SSO.
Redundant Sort Method: How FortiClient determines the order in which to try connecting to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Show "Remember Password" Option: Show the option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.
Show "Always Up" Option: Show the option to have the VPN tunnel always up. You must also enable this option on the FortiGate.
Show "Auto Connect" Option: Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.
FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Office 365
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
You must configure these settings in the endpoint profile in EMS. The following instructions assume that you have
already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.
This feature does not support explicitly including traffic in the VPN tunnel.
Configuration Description
Application Based: Enable application-based split tunnel. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering a directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use leading or trailing spaces, and do not add double quotes to full paths that contain spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
• Application Name: teams.exe;firefox.exe
• Full Path: %localappdata%\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
• Directory: %localappdata%\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
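As an added example (not from the EMS guide and not FortiClient's own code), the following Python applies the Add Application(s) rules described under Local Applications in the three tables above: entries are `;`-separated, each is a process name, a full path, or a directory ending in `\`, environment variables such as %LOCALAPPDATA% may be used, and leading/trailing spaces and double quotes are rejected. It then checks whether a running process's image path matches any entry; the environment-variable values are constructed, and treating a directory entry as a path prefix is an assumption.

```python
import re

# Constructed environment-variable values for offline use; on a real endpoint
# these come from the user's Windows environment.
SAMPLE_ENV = {
    "LOCALAPPDATA": "C:\\Users\\alice\\AppData\\Local",
    "APPDATA": "C:\\Users\\alice\\AppData\\Roaming",
    "PROGRAMFILES": "C:\\Program Files",
}

ENV_VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_env(value, env):
    """Expand %VAR% references case-insensitively; unknown names are left as-is."""
    return ENV_VAR_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def classify_entry(entry):
    """Return (kind, entry) with kind 'process_name', 'full_path' or 'directory'.

    Raises ValueError for entry forms the guide says are not accepted.
    """
    if not entry:
        raise ValueError("empty entry (check for a stray ';')")
    if entry != entry.strip():
        raise ValueError(f"leading or trailing space in {entry!r}")
    if '"' in entry:
        raise ValueError(f"double quotes are not allowed, even for paths with spaces: {entry!r}")
    if entry.endswith("\\"):
        return ("directory", entry)          # directory entries must end with '\'
    if "\\" in entry or ENV_VAR_RE.match(entry):
        return ("full_path", entry)          # a path that does not end with '\'
    return ("process_name", entry)           # bare image name such as teams.exe


def parse_exclusions(field):
    """Split the Add Application(s) field on ';' and classify every entry."""
    return [classify_entry(e) for e in field.split(";")]


def is_valid_field(field):
    """True if every entry in the field passes the checks above."""
    try:
        parse_exclusions(field)
        return True
    except ValueError:
        return False


def is_excluded(entries, image_path, env=SAMPLE_ENV):
    """True if a process with this image path matches any exclusion entry.

    Matching is case-insensitive, as Windows paths are. A directory entry is
    treated as a path prefix (assumption; the guide does not state the exact rule).
    """
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    for kind, value in entries:
        value = expand_env(value, env).lower()
        if kind == "process_name" and name == value:
            return True
        if kind == "full_path" and path == value:
            return True
        if kind == "directory" and path.startswith(value):
            return True
    return False


if __name__ == "__main__":
    teams = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"
    entries = parse_exclusions("%localappdata%\\Microsoft\\Teams\\current\\;"
                               "C:\\Program Files\\Mozilla Firefox\\")
    print(entries, is_excluded(entries, teams))
```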
This example shows excluding Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:
4. Assign the profile to the desired endpoints. When VPN is up on those endpoints, FortiClient excludes the application
traffic specified in the profile from the VPN tunnel as configured.
You can configure FortiClient to connect to a preconfigured SSL VPN tunnel instead when connection to a configured IPsec VPN tunnel fails. This feature is convenient for connecting to VPN when the IPsec VPN tunnel is blocked or if a public router or gateway is not performing IPsec VPN NAT correctly.
This guide assumes that the EMS administrator has already configured an SSL VPN tunnel and IPsec VPN tunnel on the desired endpoint profile.
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <!-- only the failover element is shown; the rest of the connection's settings are omitted -->
          <ike_settings>
            <failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
3. After FortiClient receives the next update from EMS, on the Remote Access tab, from the VPN Name dropdown list,
select the IPsec VPN tunnel.
4. Select View the selected connection.
5. Verify that the Failover SSL VPN field specifies the SSL VPN tunnel configured in step 2.
6. Attempt connection to the IPsec VPN tunnel when you know that it will fail. FortiClient automatically connects to the
configured SSL VPN tunnel instead.
Vulnerability Scan
If you enable both Automatic Maintenance and Scheduled Scan, FortiClient EMS only uses
the Automatic Maintenance settings.
Configuration Description
Scanning
Scan on Vulnerability Signature Update: Scan endpoints upon updating a vulnerability signature.
Enable Proxy: Enable using the proxy settings configured under System Settings when downloading updates for vulnerability patches.
Scan On: Configure the day the scan will run. This only applies if the schedule type is configured to Weekly or Monthly. Select a day of the week (Sunday through Monday) or a day of the month (1st through the 31st).
Automatic Patching
Patch Level: Patches are installed automatically when vulnerabilities are detected. Select one of the following:
• Critical: Patch critical vulnerabilities only
• High: Patch high severity and above vulnerabilities
• Medium: Patch medium severity and above vulnerabilities
• Low: Patch low severity and above vulnerabilities
• All: Patch all vulnerabilities.
Automatic patching may require the endpoint to reboot.
Exclusions
Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check: All applications that require the endpoint user to manually patch vulnerabilities are excluded from the vulnerability compliance check. This option does not exclude applications from vulnerability scanning.
Exclude Selected Applications from Vulnerability Compliance Check: In the <number> Applications list, click the applications to exclude from the vulnerability compliance check; they are automatically moved to the <number> Excluded Applications list.
In the <number> Excluded Applications list, click the applications to remove from the exclusion list.
Applications on the exclusion list are exempt from needing to install software patches within the time frame specified in FortiGate compliance rules to maintain compliant status and network access.
Applications on the list are not excluded from vulnerability scanning.
Disable Automatic Patching for These Applications: Disable automatic patching for the applications excluded from the vulnerability compliance check.
System Settings
The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table
indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager.
Some options are only available when Advanced view is enabled.
Configuration Description
Require Password to Disconnect from EMS: Turn on password lock for FortiClient.
Password: Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.
Do Not Allow User to Back Up Configuration: Disallow users from backing up the FortiClient configuration.
Allow User to Shutdown When Registered to EMS: Allows the user to shut down FortiClient while registered to EMS.
Hide User Information: Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address) and link to a social media (LinkedIn, Google, Salesforce) account.
Hide System Tray Icon: Hide the FortiClient system tray icon.
Show Host Tag on FortiClient GUI: Show the applied host tag on the FortiClient GUI. See Zero Trust Tags on page 188.
Client-Based Logging When On-Fabric: Include local log messages when FortiClient is on-fabric. FortiClient hides the Export log and Clear log options from the GUI when the endpoint is off-fabric. FortiClient still sends logs to FortiAnalyzer, if one is configured. If the FortiAnalyzer is unreachable because the endpoint is off-fabric, FortiClient retains the logs until it can reach FortiAnalyzer and forward them. See On-fabric Detection Rules on page 131.
Upload Logs to FortiAnalyzer/FortiManager: This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname.
Upload Event Logs: Upload event logs to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.2 and earlier versions.
Upload System Event: Upload system events to FortiAnalyzer or FortiManager. This option only applies to FortiClient 6.4.3 and later versions. This includes logs for endpoint control, update, and FortiClient events.
This feature requires the EPP license. See FortiClient EMS on page 20.
Proxy
Use Proxy for Updates: Access FortiGuard using the configured proxy.
Use Proxy for Virus Submission: Use the configured proxy to submit viruses to FortiGuard.
Port: Enter the proxy server's port number. The port range is from 1 to 65535.
Username: If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.
Password: If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted password. Enable Show Password to show the password in plain text.
Use FortiManager for Client Signature Update: Enable FortiClient EMS to obtain AV signatures from the FortiManager at the specified IP address or hostname.
FortiGuard Server Location: Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from Global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from Global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server.
FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates.
The URLs connected to for each server location are as follows:
• FortiGuard:
  • Global: forticlient.fortinet.net
  • U.S.: usforticlient.fortinet.net
• FortiGuard Anycast:
  • Global: fctupdate.fortinet.net
  • U.S.: fctusupdate.fortinet.net
  • Europe: fcteuupdate.fortinet.net
HTTP Timeout: Enter the HTTP connection timeout interval in seconds. FortiProxy determines whether the remote server is available based on this timeout value. Lower this timeout value if your client requires a faster fail response.
POP3 Client Comforting: Enable POP3 client comforting. Client comforting helps to prevent POP3 clients from complaining that the server has not responded in time.
POP3 Server Comforting: Enable POP3 server comforting. Server comforting helps to prevent POP3 servers from complaining that the client has not responded in time. You may use this in a situation where FortiClient is installed on a mail server.
SMTP Client Comforting: Enable SMTP client comforting. SMTP comforting helps to prevent SMTP clients from complaining that the server has not responded in time.
Self Test: FortiProxy can detect whether other software is disrupting internal traffic between FortiProxy's internal modules. It does this by periodically sending packets to 1.1.1.1, which FortiClient intercepts and drops (they never leave the computer). If the packets are not detected, it is deemed highly likely that third-party software is intercepting them, signaling that FortiProxy cannot perform regular traffic filtering.
Enable self tests. FortiProxy periodically checks its own connectivity to determine whether it is able to proxy other applications' traffic.
Last Port: Enter the last port number used. This is the highest port number you want to allow FortiProxy to listen on. Use this to prevent FortiProxy from binding to a port that another service normally uses.
The available port range is 65535 to 10000.
Endpoint Control
Show Bubble Notifications: Show bubble notifications when FortiClient installs new policies on endpoints.
Log off When User Logs Out of Windows: Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.
Disable Disconnect: Forbid users from disconnecting FortiClient from FortiClient EMS.
Send Software Inventory: Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory on page 208.
This feature requires the EPP license. See FortiClient EMS on page 20.
Allow Users to Specify Identity Using: Enable users to specify their identity in FortiClient using the following methods:
• Manually entering their details in FortiClient
• Linking a social media account using one of the following services:
  • LinkedIn
  • Google
  • Salesforce
By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead.
If this option is disabled, EMS obtains and displays user details from the endpoint OS.
Notify Users to Submit User Identity Information: Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.
Other
Install CA Certificate on Client: Turn on to select and install a CA certificate on the FortiClient endpoint.
You can add certificates by going to Endpoint Policy & Components > CA Certificates.
FortiClient Single Sign-On Mobility Agent: Enable Single Sign-On Mobility Agent for FortiAuthenticator. To use this feature you must apply a FortiClient SSO mobility agent license to your FortiAuthenticator.
Pre-Shared Key: Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.
iOS
Distribute Configuration Profile: Enable and browse for your .mobileconfig file to distribute the configuration profile.
Privacy
Send Usage Statistics to Fortinet: Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.
You can assign different user identification options to different endpoints. These options, visible in FortiClient, include:
• User Input
• OS
• LinkedIn
• Google
• Salesforce
EMS sends a notification to the endpoint where the user must enter their login information. If the user closes the
notification without entering any information, the notification appears again within 10 minutes.
1. In EMS, go to Endpoint Profiles. Select the desired profile, or create a new one.
2. On the System Settings tab, under User Identity Settings, enable the desired user identification method.
3. If desired, enable Notify Users to Submit User Identity Information.
4. Click Save.
When Notify Users to Submit User Identity Information is enabled, the user sees the following notification on the
endpoint. If Manually Enter User Details is enabled, the user can enter their information manually.
XML Configuration
Configuration Description
XML editor Configure the endpoint profile using the XML editor. See the
FortiClient XML Reference Guide.
You can configure FortiClient profile settings in FortiClient EMS by using XML or a custom XML configuration file. The
custom XML file must include all settings required by the endpoint at the time of deployment. For information about how
to configure a profile with XML, see the FortiClient XML Reference.
1. Go to Endpoint Profiles > Manage Profiles, and click the Add button.
2. In the Profile Name field, enter a name for the profile.
3. Click the Advanced button. The XML Configuration tab displays, and the profile configuration displays in XML.
4. Click the XML Configuration tab, and click the Edit button.
5. Edit the XML.
6. Click Test XML.
7. Click Save to save the profile.
You can create Zero Trust tagging rules for endpoints based on their OS versions, logged in domains, running
processes, and other criteria. EMS uses the rules to dynamically group endpoints. FortiOS 6.2.0 and later versions can
use the dynamic endpoint groups to build dynamic policy rules.
You can create, edit, and delete Zero Trust tagging rules for Windows, macOS, and Linux endpoints. You can also view
and manage the tags used to dynamically group endpoints.
The following occurs when using Zero Trust tagging rules with EMS and FortiClient:
1. EMS sends Zero Trust tagging rules to endpoints via Telemetry communication.
2. FortiClient checks endpoints using the provided rules and sends the results to EMS.
3. EMS receives the results from FortiClient.
4. EMS dynamically groups endpoints together using the tag configured for each rule. You can view the dynamic
endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. See Zero Trust Tag Monitor on page 194.
1. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.
2. In the Name field, enter the desired rule name.
3. In the Tag Endpoint As dropdown list, select an existing tag or enter a new tag. EMS uses this tag to dynamically
group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
4. Toggle Enabled on or off to enable or disable the rule.
5. (Optional) In the Comments field, enter any desired comments.
6. Click Add Rule.
7. Configure the rule:
a. For OS, select Windows, Mac, or Linux. This affects what rule types are available.
b. From the Rule Type dropdown list, select the rule type and configure the related options. Ensure that you click
the + button after entering each criterion. See Zero Trust tagging rule types on page 190 for descriptions of the
rule types.
c. Click Save.
8. Configure additional rules as desired by repeating steps 6-7. Click Save.
For some rule types, such as the Running Process rule type, the endpoint must satisfy all
conditions to satisfy the rule. There may be situations where you want endpoints that satisfy
different conditions to be in the same dynamic group. Consider that you want endpoints that
are running Process A or Process B in the "RP" dynamic group. In this case, you can create
two rule sets: one for endpoints running Process A and another rule for endpoints running
Process B. You can configure both rule sets to apply the "RP" tag to place endpoints running
either process in the same dynamic group.
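As an added example (not EMS code), this Python models the rule semantics described above: every condition inside a rule must hold, including NOT conditions, while separate rules that share a tag combine so that an endpoint satisfying any one of them receives the tag. The endpoint records, the Running Process and OS condition handling, and the process names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Condition:
    rule_type: str          # e.g. "Running Process" or "OS"
    value: str              # the criterion entered with the + button
    negate: bool = False    # the NOT option


@dataclass
class TaggingRule:
    name: str
    tag: str
    enabled: bool = True
    conditions: list = field(default_factory=list)


def condition_holds(cond, endpoint):
    """Evaluate one condition against a constructed endpoint record."""
    if cond.rule_type == "Running Process":
        present = cond.value.lower() in {p.lower() for p in endpoint["processes"]}
    elif cond.rule_type == "OS":
        present = endpoint["os"] == cond.value
    else:
        raise ValueError(f"rule type not modelled in this example: {cond.rule_type}")
    return not present if cond.negate else present


def rule_satisfied(rule, endpoint):
    """An endpoint satisfies a rule only if every configured condition holds (AND)."""
    if not rule.enabled or not rule.conditions:
        return False
    return all(condition_holds(c, endpoint) for c in rule.conditions)


def tag_endpoints(rules, endpoints):
    """Return {endpoint name: set of tags}. A tag applies when any rule using it is satisfied (OR)."""
    return {ep["name"]: {r.tag for r in rules if rule_satisfied(r, ep)} for ep in endpoints}


# The page's scenario: two rule sets, one per process, both applying the "RP" tag.
RP_RULES = [
    TaggingRule("RP-A", "RP", conditions=[Condition("Running Process", "ProcessA.exe")]),
    TaggingRule("RP-B", "RP", conditions=[Condition("Running Process", "ProcessB.exe")]),
]

# Contrast: a single rule listing both processes requires both to be running.
BOTH_RULE = TaggingRule("RP-both", "RP-both", conditions=[
    Condition("Running Process", "ProcessA.exe"),
    Condition("Running Process", "ProcessB.exe"),
])

# Constructed endpoint records (process lists as FortiClient might report them).
SAMPLE_ENDPOINTS = [
    {"name": "ws1", "os": "Windows", "processes": ["explorer.exe", "ProcessA.exe"]},
    {"name": "ws2", "os": "Windows", "processes": ["explorer.exe", "processb.exe"]},
    {"name": "ws3", "os": "Windows", "processes": ["explorer.exe", "ProcessA.exe", "ProcessB.exe"]},
    {"name": "ws4", "os": "Windows", "processes": ["explorer.exe"]},
]

if __name__ == "__main__":
    print(tag_endpoints(RP_RULES + [BOTH_RULE], SAMPLE_ENDPOINTS))
```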
You can use a Zero Trust tagging rule as a predefined rule for FortiGuard outbreak alerts by uploading rule signatures.
To configure a Zero Trust tagging rule as a predefined rule for outbreak alerts by uploading rule
signatures:
3. In the Import FortiGuard Outbreak Alert Signatures dialog, upload a JSON file. The JSON file should contain an
array of alert objects, each with a tag name and array of signatures. Each signature should have the following
properties: os (windows, mac, linux, ios, android), type (file, registry, process), and
content. If the import succeeds, EMS displays a FortiGuard outbreak alert signatures imported successfully
message. If the file is formatted incorrectly, EMS shows an Invalid JSON error.
4. View tagged endpoints in Zero Trust Tags > Zero Trust Tag Monitor.
Managing tags
The Manage Tags window displays all configured tags and the rules that apply that tag to endpoints that satisfy the rule.
You can delete tags that do not have any rules attached.
To manage tags:
3. To delete a tag with no rules attached, click the X beside the corresponding tag. In this example, the Server 2012
tag does not have any rules attached.
4. In the confirmation dialog, click Yes.
The following table describes Zero Trust tagging rule types and the OSes that they are available for. For all rule types,
you can configure multiple conditions using the + button.
AD Group (Windows, macOS)
    From the AD Group dropdown list, select the desired AD group. EMS considers the endpoint as satisfying the rule if the logged-in user belongs to the selected AD group. The rule considers the logged-in user's group membership, not the computer's attributes.
    You can also use the NOT option to indicate that the rule requires that the logged-in user does not belong to certain AD groups. You cannot use the NOT option to indicate that the rule requires that the logged-in user does not belong to any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain.
    To use this option, you must configure your domain under Endpoints. See Adding endpoints using an AD domain server on page 85.
    Only FortiClient 6.2.2+ endpoints support this rule type.

AntiVirus Software (Windows, macOS, Linux)
    From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date.
    This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third-party AV software is installed and if the software reports signatures as up-to-date.
    The endpoint must satisfy all configured conditions to satisfy this rule.
    Only FortiClient 6.2.2+ endpoints support this rule type.

Certificate (Windows, macOS, Linux)
    In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint.
    FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores.
    The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

EMS Management (Windows, macOS, Linux, iOS, Android)
    EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to EMS.

File (Windows, macOS, Linux)
    In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.
    The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Logged in Domain (Windows, macOS)
    In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

OS Version (Windows, macOS, Linux, iOS, Android)
    From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

Registry Key (Windows)
    In the Registry Key field, enter the registry path or value name. End the path with \ to indicate a registry path, or omit the trailing \ to indicate a registry value name. You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not present on the endpoint. This rule does not support using the value data.
    For example, consider a system where Firefox is installed. In this example, the registry path is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main. The value name is Install Directory, and the value data is C:\Program Files\Mozilla Firefox. You can configure a registry key rule to match Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\88.0 (x64 en-US)\Main as the path or Install Directory as the registry value name, but you cannot configure a rule to match C:\Program Files\Mozilla Firefox.
    The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.

Running Process (Windows, macOS, Linux)
    In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.
    The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox Detection (Windows, macOS)
    From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.
    Only FortiClient 6.2.2+ endpoints support this rule type.

Vulnerable Devices (Windows, macOS, Linux)
    From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Security (macOS)
    Select the checkbox to require that FileVault is enabled on the endpoint. You can also use the NOT option to indicate that the rule requires that FileVault is disabled on the endpoint.

Windows Security (Windows)
    From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the NOT option for the rule to require that the endpoint have Windows Defender, BitLocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall disabled.
    The endpoint must satisfy all configured conditions to satisfy this rule.
    Only FortiClient 6.2.2+ endpoints support this rule type.
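The following Python script is an added illustration, not EMS code, of the matching semantics described in this table and in the earlier Process A / Process B note: conditions within one rule set are ANDed, the NOT option negates a condition, two rule sets that apply the same tag behave as OR, and a Registry Key condition is treated as a path only when it ends in a backslash. The endpoint snapshot format, hostnames and rule names are constructed for the example.

```python
"""Evaluate Zero Trust tagging rule sets against constructed endpoint snapshots.

Added illustration of the semantics the guide describes, not EMS code. Within a
rule set every condition must hold (AND); the NOT option negates a condition;
two rule sets that apply the same tag place endpoints matching either set in the
same dynamic group (OR). A Registry Key condition ending in a backslash is a
registry path, otherwise it is a value name; value data is never matched. The
Endpoint snapshot format below is an assumption made for this example.
"""
from dataclasses import dataclass


@dataclass
class Condition:
    rule_type: str  # "running_process", "file" or "registry_key"
    value: str
    negate: bool = False  # the NOT option


@dataclass
class RuleSet:
    name: str
    tag: str
    conditions: list


@dataclass
class Endpoint:
    hostname: str
    processes: set  # image names of running processes
    files: set  # full paths of files present
    registry_paths: set  # registry keys present, without trailing backslash
    registry_values: dict  # registry key -> {value name: value data}


def registry_condition_kind(text):
    """Trailing backslash selects a registry path; otherwise a value name."""
    return "path" if text.endswith("\\") else "value_name"


def condition_holds(cond, ep):
    """Return True when the endpoint satisfies one condition (NOT applied)."""
    needle = cond.value.lower()  # Windows names compare case-insensitively
    if cond.rule_type == "running_process":
        present = needle in {p.lower() for p in ep.processes}
    elif cond.rule_type == "file":
        present = needle in {f.lower() for f in ep.files}
    elif cond.rule_type == "registry_key":
        if registry_condition_kind(cond.value) == "path":
            present = needle.rstrip("\\") in {p.lower() for p in ep.registry_paths}
        else:
            # Only value names are searched; value data is deliberately ignored.
            present = any(needle in {n.lower() for n in names}
                          for names in ep.registry_values.values())
    else:
        raise ValueError(f"unsupported rule type: {cond.rule_type}")
    return not present if cond.negate else present


def rule_set_matches(rule_set, ep):
    """All conditions in one rule set must hold."""
    return all(condition_holds(c, ep) for c in rule_set.conditions)


def dynamic_groups(rule_sets, endpoints):
    """Map each tag to the hostnames that satisfy any rule set applying it."""
    groups = {}
    for ep in endpoints:
        for rs in rule_sets:
            if rule_set_matches(rs, ep):
                groups.setdefault(rs.tag, set()).add(ep.hostname)
    return groups


FIREFOX_KEY = ("Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla\\"
               "Mozilla Firefox\\88.0 (x64 en-US)\\Main")

# Constructed rule sets; the two "RP" sets reproduce the guide's Process A / Process B case.
RULE_SETS = [
    RuleSet("RP-A", "RP", [Condition("running_process", "ProcessA.exe")]),
    RuleSet("RP-B", "RP", [Condition("running_process", "ProcessB.exe")]),
    RuleSet("Firefox-88", "Firefox", [
        Condition("registry_key", FIREFOX_KEY + "\\"),   # path form (trailing backslash)
        Condition("registry_key", "Install Directory"),  # value-name form
    ]),
    RuleSet("No-Risk-File", "Clean", [Condition("file", "C:\\risk.txt", negate=True)]),
]

# Constructed endpoint snapshots.
ENDPOINTS = [
    Endpoint("wks-01", {"ProcessA.exe", "explorer.exe"}, set(), {FIREFOX_KEY},
             {FIREFOX_KEY: {"Install Directory": "C:\\Program Files\\Mozilla Firefox"}}),
    Endpoint("wks-02", {"processb.exe"}, {"C:\\risk.txt"}, set(), {}),
    Endpoint("wks-03", {"svchost.exe"}, set(), set(), {}),
]


def example_groups():
    """Dynamic groups EMS would form from the constructed rule sets and endpoints."""
    return dynamic_groups(RULE_SETS, ENDPOINTS)


if __name__ == "__main__":
    for tag, hosts in sorted(example_groups().items()):
        print(f"{tag}: {sorted(hosts)}")
```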
You can view all dynamic endpoint groups in Zero Trust Tags > Zero Trust Tag Monitor. EMS creates dynamic endpoint
groups based on the tag configured for each rule.
Refresh: Click to refresh the list of tagged endpoints in the content pane.
IP: Endpoint's IP address.
Tagged on: Date and time that EMS added the endpoint to the dynamic endpoint group.
After defining Zero Trust tagging rules in EMS, you can configure FortiOS to receive the dynamic endpoint groups from
EMS using the FortiClient EMS Fabric connector which supports SSL and imports trusted certificates. When a change to
the dynamic endpoint groups occurs, such as an endpoint being added to or removed from a group, EMS sends the
update to FortiOS, and FortiOS updates its dynamic policies accordingly, providing dynamic access control based on
endpoint status.
EMS supports this feature with FortiOS 6.4 and 6.2. Configuration differs depending on the FortiOS version that you use:
- Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups on page 195
- Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups on page 199
FortiOS only receives endpoint information and enforces compliance for directly connected
endpoints. Directly connected endpoints are the ones that have FortiGate as the default
gateway.
This feature does not work for endpoints that are connected to a VPN tunnel.
Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
FortiOS 6.4 uses an EMS connector to retrieve dynamic endpoint groups from EMS. The following instructions only
apply when using FortiOS 6.4. Configuring this feature requires the following steps:
1. Checking prerequisites on page 195
2. Configuring the EMS connector on page 196:
a. Uploading certificates to EMS and FortiOS on page 196
b. Creating the EMS connector in FortiOS on page 196
c. Authorizing the FortiOS EMS connector in EMS on page 197
d. Verifying the FortiOS-EMS connection in FortiOS on page 198
3. Creating a dynamic firewall policy using dynamic endpoint groups from EMS on page 198
If you configure a connection between EMS and a FortiGate that is part of a Security Fabric
with multiple FortiGates, the root FortiGate can also obtain Zero Trust tags from EMS.
However, the root FortiGate does not have any IP addresses to associate with the received
tags.
Checking prerequisites
You must ensure that the following prerequisites are met before configuring this feature:
- Create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set on page 188.
- After FortiClient connects Telemetry to EMS, confirm that EMS dynamically groups endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor on page 194.
- Export a certificate authority (CA)-signed certificate to upload to FortiOS and a web server certificate to upload to EMS. For details on configuring a server certificate using the Microsoft Certification Authority Management Console, see Configure the Server Certificate Template. You can use another CA as desired.
Certificates are required to set up a secure connection between EMS and FortiOS. Uploading the CA-signed certificate
to FortiOS allows FortiOS to trust the certificate that you upload to EMS.
1. Upload the server certificate to EMS:
a. Go to System Settings > EMS Settings.
b. Under Shared Settings, click the Upload new SSL certificate button.
c. Upload the server certificate and private key. Click Test.
d. Click Save.
2. Upload the certificate to FortiOS:
a. Go to System > Certificates.
b. From the Import dropdown list, select CA Certificates.
c. Upload the CA-signed certificate.
7. Click OK.
1. EMS must authorize the Fabric connector created in FortiOS. Do one of the following:
a. Log in to EMS. A prompt displays to authorize the FortiGate. Click Authorize.
b. Go to Administration > Fabric Devices. Select the desired FortiGate, then click Authorize.
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. See Fabric Devices on
page 223.
Creating a dynamic firewall policy using dynamic endpoint groups from EMS
To create a dynamic firewall policy using dynamic endpoint groups from EMS:
1. In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
2. In the Source field, click +. The Select Entries pane appears. On the Address tab, select the address based on the
desired dynamic endpoint group from EMS.
3. Configure other options as desired. Click OK.
4. Go to Policy & Objects > Firewall Policy to ensure the policy was created. FortiOS updates this policy when it
receives updates from EMS.
FortiOS 6.2 uses the FSSO protocol to retrieve dynamic endpoint groups from EMS. The following instructions only
apply when using FortiOS 6.2.
The following configuration is necessary for this feature:
1. In FortiClient EMS, create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set on page 188.
2. After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically
grouped endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor on page 194.
3. In FortiOS, create the EMS Fabric connector.
4. Configure FSSO settings.
5. In FortiOS, create a user group based on EMS dynamic endpoint groups.
6. In FortiOS, create a dynamic firewall policy for the user group.
EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.
You can create the EMS Fabric connector in the FortiOS GUI or CLI. Optionally, you can configure the Fabric connector with an SSL certificate and a password for FSSO. If you do, you must configure the same certificate and password in EMS to ensure a successful connection.
1. Go to Security Fabric > Fabric Connectors.
2. Click Create New, then select FortiClient EMS.
3. In the Name field, enter the desired name.
4. For Type, select FortiClient EMS.
5. In the Primary Server IP field, enter the EMS IP address. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format site.fqdn to integrate the FortiGate with a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy on page 245.
6. (Optional) From the Trusted SSL certificate dropdown list, select the certificate.
7. (Optional) In the Password field, enter the desired password.
8. Click Apply & Refresh.
If you configured a certificate and/or password in To create the EMS Fabric connector in FortiOS: on page 199, you must
configure the same certificate and password in EMS.
1. If you configured a certificate for the EMS Fabric connector in FortiOS, do the following:
a. In FortiOS, go to System > Certificates.
b. Right-click the configured certificate, then select Download.
2. In EMS, go to System Settings > EMS Settings.
3. For SSL certificate, browse to and upload the certificate downloaded in step 1.
4. In the Configure FSSO Password field, enter the password.
5. Click Save.
5. Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group
will be members of this FortiOS user group.
6. Click OK.
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user
group.
1. In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
2. In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured
above.
3. Configure other options as desired. Click OK.
4. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS
will update this policy when it receives updates from EMS.
The following guide provides instructions on configuring the Security Fabric to restrict VPN access to rogue/non-
compliant devices using EMS and FortiOS 6.4. You can configure this feature with IPsec and SSL VPN. Configuring this
feature consists of the following steps:
1. Create two Zero Trust tagging rules in EMS: one rule for compliant endpoints and one rule for non-compliant
endpoints. In this example, one rule tags endpoints as "AV-Running" if they have antivirus software installed and
running. The second rule tags endpoints as "RED-Alert" if they have the risk.txt file present. You must also configure
the EMS connector in FortiOS. See Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
on page 195.
2. Configuring VPN settings:
a. IPsec VPN
b. SSL VPN
3. Verify the configuration in FortiClient:
a. IPsec VPN
b. SSL VPN
e. Edit the second pasted policy to restrict access to high-risk managed endpoints:
i. In the Source field, select the tag that you configured to apply to non-compliant endpoints in Restricting
VPN access to rogue/non-compliant devices with Security Fabric on page 200.
ii. Set the Action to DENY.
f. Configure the third policy to permit only compliant endpoints to access resources:
i. In Source, select the tag that you configured to apply to compliant endpoints in Restricting VPN access to
rogue/non-compliant devices with Security Fabric on page 200.
ii. Set the Action to ALLOW.
iii. Enable, then save the policy.
8. Ensure that the policies are in the correct sequence and enabled.
3. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
a. On the user details page, ensure that EMS has applied the appropriate tag. In this example, the AV-Running
tag should be applied.
5. Ensure that EMS and FortiOS apply the correct tags and policies for a rogue endpoint:
a. Delete the risk.txt file, and stop AV services.
b. Ensure that the user details page does not display any tags. The endpoint should lose network access.
c. Ping the EMS server. The endpoint should be unable to access internal resources.
d. In FortiOS, go to Monitor > Firewall User Monitor. Ensure that there is no tag attribute for the user/device.
4. Ensure that EMS and FortiOS apply the correct tags and policies for a compliant endpoint:
a. Ensure that AV services are running.
b. Go to the user details page to ensure that the appropriate tag has been applied. In this example, only AV-
Running should be applied.
c. Ping the EMS server again. The endpoint should be able to access internal resources.
5. Ensure that EMS and FortiOS apply the correct tags and policies for a non-compliant endpoint:
a. Change the endpoint condition so that it becomes non-compliant. In this example, that would be creating the
risk.txt file on the endpoint. After a few minutes, the ping becomes denied.
b. Go to the user details page to ensure that the appropriate tag has been applied. Both tags, in this example
RED-Alert and AV-Running, should be applied.
On the Fabric Device Monitor page, you can view all FortiGates that are connected to EMS. For information on
connecting a FortiGate to EMS, see FortiOS dynamic policies using EMS dynamic endpoint groups on page 195.
For each connected FortiGate, you can view the following information:
- Serial number
- IP address
- FortiOS version installed
- Last sync time between FortiClient EMS and the FortiGate
- Dynamic endpoint groups shared with the FortiGate and the number of endpoints in each group
You can centrally view a list of software installed on all endpoints. The list includes details for each application such as
vendor and version information. You can view this information by application or vendor on the Applications pane or by
host on the Hosts pane. FortiClient sends installed application information to FortiClient EMS.
EMS sends software inventory logs to FortiAnalyzer for real-time and historic logging and reporting. FortiClient sends the
software inventory information to EMS when it first registers to EMS. If software changes occur on the endpoint, such as
installing new software, updating existing software, or removing existing software, FortiClient sends an updated
inventory to EMS and EMS sends the changes to FortiAnalyzer. See System Settings on page 178.
This feature requires the EPP license. See FortiClient EMS on page 20.
Applications
The FortiClient EMS administrator can view installed application information for all managed endpoints on the
Applications pane.
You can view information about installed applications on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications, a quick status bar, and a toolbar display in the
content pane.
Total Applications: Number of applications that have been installed on all managed endpoints. Click to display the list of installed applications.
Total Vendors: Number of vendors whose applications have been installed on managed endpoints. Click to display the list of installed applications sorted by vendor.
New Detections: Number of applications that have been detected as newly installed since the last Telemetry communication. Click to display newly detected applications sorted by date detected.
Clear Filters: Click to clear all filters applied to the list of files.
First Detected: Date the application was first detected as installed on the endpoint.
To filter applications:
You can filter the list of applications displayed on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications displays.
2. You can apply filters by application name, vendor name, and version number. Click the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
Hosts
The FortiClient EMS administrator can view installed application information for all managed endpoints by host on the
Hosts pane.
You can view information about installed applications by host on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts, a quick status bar, and a toolbar display in the content pane.
Applications: Number of applications that have been installed on all managed endpoints.
View Details: Displays the list of software installed on the selected endpoint. For details on the application list headings, see To view the Applications content pane: on page 208.
Clear Filters: Click to clear all filters applied to the list of files.
Host: Hostname.
Last Installation: Date of the most recent application installation on the endpoint.
To filter hosts:
You can filter the list of hosts displayed on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts displays.
2. You can apply filters by hostname, user name, OS name, and IP address. Click the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
- All: Display all files that match the set filter.
- Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
To filter the list of applications installed on an endpoint, select the endpoint and click View
Details. See To filter applications: on page 209 for details on filtering the list of applications.
Quarantine Management
You can view and allowlist files that FortiSandbox or AV has quarantined from a central management Files pane. You
can also view and delete allowlisted files from the Allowlist pane.
Files
FortiClient sends quarantined file information to FortiClient EMS. The FortiClient EMS administrator can view
quarantined file information for all managed endpoints on the Files pane and allowlist files from FortiClient EMS if
needed.
After FortiClient quarantines files on endpoints and sends the quarantined file information to FortiClient EMS, you can
view the list of quarantined files on the Files pane. You can also view details about each quarantined file and use filters to
access quarantined files with specific qualities.
You can view information about quarantined files on the Files content pane.
1. Go to Quarantine Management > Files. The list of quarantined files, a quick status bar, and a toolbar display in the
content pane.
Quarantined Files: Number of files that FortiClient has quarantined on endpoints. Click to display the list of quarantined files.
Restored Files: Number of files that have been restored on endpoints. Click to display the list of restored files.
Affected Hosts: Number of hosts where FortiClient has quarantined files. Click to display the list of quarantined files sorted by hostname.
New Detections: Number of new detections. Click to display the list of newly detected threats sorted by date detected.
Display by: Select to display the list of files by instance, host, threat, or date.
Search All Fields: Enter a value and press Enter to search for the value in the list of files.
Filters: Click to display and hide filters you can use to filter the list of files.
Clear Filters: Click to clear all filters applied to the list of files.
Host: Hostname of the endpoint. Also shows the group the endpoint belongs to.
- Email Scan
- Startup Scan
- Manual Scan
- Realtime Scan
- Sandbox Scan
Status: Status of the file: Quarantined, Quarantined & Allowlisted, Restored, or Deleted. Also shows the time that FortiClient quarantined the file.
Summary: Displays the number of threat instances and number of affected hosts.
You can filter the list of files displayed on the Files content pane.
1. Go to Quarantine Management > Files. The list of files displays.
2. Click the Filters menu, and set filters.
The filter options display.
For text values, you can use a comma (,) to separate values and an exclamation mark (!) to exclude a value.
Threat: Enter the threat(s) to include in the filter. You can also select the desired threat(s) from the dropdown list.
Source: Enter the source(s) to include in the filter. You can also select the desired source(s) from the dropdown list.
Status: Enter the status(es) to include in the filter. You can also select the desired status(es) from the dropdown list.
Host: Enter the host(s) to include in the filter. You can also select the desired host(s) from the dropdown list.
Group: Enter the endpoint group(s) to include in the filter. You can also select the desired group(s) from the dropdown list.
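As an added example, not EMS code, this Python script applies the comma and exclamation-mark filter syntax described above to constructed quarantine records. How include and exclude terms combine, and case-insensitive matching, are assumptions made for the example.

```python
"""Apply the Files pane text-filter syntax to constructed quarantine records.

Added illustration, not EMS code, of the syntax the guide describes: a comma
separates alternative values and a leading exclamation mark excludes a value.
How the two combine is an assumption made here: a record passes a field's
filter when it matches at least one included value (or none are given) and
matches no excluded value. Comparison is case-insensitive, also an assumption.
"""

# Constructed sample records; hostnames, groups and threat names are made up.
RECORDS = [
    {"threat": "EICAR_Test_File", "source": "Realtime Scan", "status": "Quarantined",
     "host": "wks-01", "group": "Finance"},
    {"threat": "EICAR_Test_File", "source": "Manual Scan", "status": "Restored",
     "host": "wks-02", "group": "Finance"},
    {"threat": "Example/Dropper", "source": "Sandbox Scan", "status": "Quarantined",
     "host": "wks-03", "group": "Engineering"},
    {"threat": "Example/Dropper", "source": "Email Scan", "status": "Quarantined & Allowlisted",
     "host": "srv-01", "group": "Servers"},
]


def parse_filter(text):
    """Split 'a, b, !c' into (include, exclude) sets of lower-cased values."""
    include, exclude = set(), set()
    for raw in text.split(","):
        term = raw.strip()
        if not term:
            continue  # tolerate trailing or doubled commas
        if term.startswith("!"):
            exclude.add(term[1:].strip().lower())
        else:
            include.add(term.lower())
    return include, exclude


def value_passes(value, include, exclude):
    """One field's value passes when it is included (or nothing is) and not excluded."""
    v = value.lower()
    if v in exclude:
        return False
    return not include or v in include


def apply_filters(records, filters):
    """Keep records that pass every field filter; filters map field name -> filter text."""
    parsed = {field: parse_filter(text) for field, text in filters.items()}
    return [rec for rec in records
            if all(value_passes(rec[field], inc, exc) for field, (inc, exc) in parsed.items())]


def hosts_matching(filters):
    """Hostnames from the constructed records that pass the given filters."""
    return [rec["host"] for rec in apply_filters(RECORDS, filters)]


if __name__ == "__main__":
    print(hosts_matching({"status": "Quarantined", "group": "!Finance"}))
    print(hosts_matching({"source": "Realtime Scan, Email Scan"}))
    print(hosts_matching({"threat": "!EICAR_Test_File, !Example/Dropper"}))
```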
You can allowlist and restore quarantined files. This releases the files from quarantine and makes them accessible on
the endpoint with the next Telemetry communication between FortiClient EMS and FortiClient.
You can configure EMS to delete quarantine records after a configured number of days.
You cannot use EMS to delete quarantined files from endpoints. To configure EMS to delete quarantined files from an
endpoint after a specified duration, configure the <cullage> XML option.
EMS deletes the quarantine record 180 days after the file was last updated.
Allowlist
You can view the list of allowlisted files in the Allowlist pane. You can also view details about each allowlisted file and use
filters to access allowlisted files with specific qualities:
Go to Quarantine Management > Allowlist. The list of allowlisted files and a toolbar display in the content pane.
Clear Filters: Click to clear all filters applied to the list of files.
Advanced Information: Click to view the FortiSandbox and AV signature and engine versions.
- Not: Display only files that do not match the set filter.
You can edit an allowlisted file's description. By default, the file description is blank.
You can delete files from the allowlist. This reverts the file's status to quarantined on the endpoint with the next Telemetry
communication.
Administrators
This section describes how to configure Windows and LDAP users, create new user accounts, and activate disabled
user accounts:
Viewing users
You can view the default admin user and all users added to FortiClient EMS.
Go to Administration > Administrators. The following information displays:
admin user.
- Windows: User accounts derived from Windows user accounts on the host server.
- LDAP: User accounts derived from users belonging to a configured AD domain.
- EMS: User accounts created in FortiClient EMS.
Role: Admin role assigned to the user. See Admin roles on page 219.
Last login or activation: Date and time of the user's last login or activation. Also shows if the account has been disabled due to inactivity. See Activating a disabled account on page 218.
You can configure Windows and LDAP users to have no access or administrator access to FortiClient EMS. You can
also create a new user account in EMS.
EMS derives the Windows users from the host server that it is installed on. If you want to add more Windows users, you
must add them to the host server. EMS derives the list of LDAP users from those in the AD domain imported into
FortiClient EMS. If you want to add more LDAP users, they must already exist in the AD domain configured as the user
server:
Port: Enter the port for EMS to use to connect to the user server.
Distinguished name: Enter the user server's DN. You must use only capital letters when configuring the DN.
Bind type: Select Simple, Anonymous, or Regular for the bind type.
Username: Appears only when the Regular bind type is selected. Enter the username.
Password: Appears only when the Regular bind type is selected. Enter the password.

Role: Select the desired admin role for this user. See Admin roles on page 219.
Restrict Login to Trusted Hosts: When this option is enabled, users can only log into this account from a trusted host machine. In the Trusted Hosts field, enter a trusted host machine's IP address. Use the + button to add multiple trusted host machines.
7. Click Save.
When an admin user from an AD domain logs into EMS, they must provide the domain name
as part of their username to log in successfully. For example, if the domain name is "example-
domain" and the username is "admin", the user must enter "example-domain/admin" when
logging into EMS.
FortiClient EMS disables user accounts that have been inactive for the period configured in User Settings > Allowed
inactive days. See Configuring User Settings on page 223.
When EMS disables an account, the user cannot log into FortiClient EMS and sees an error message that reads "Your
account has been disabled due to inactivity. Please contact an EMS admin for assistance."
A FortiClient EMS super administrator can activate the disabled account. After the super administrator activates the account, the user can log in as usual.
The built-in admin user account is always active. The Allowed inactive days setting does not
affect the admin account.
1. Go to Administration > Administrators. EMS shows the deactivated user with a lock icon beside their name. The
Last login or activation shows that EMS has disabled the account.
2. Click Activate. The user's status updates and they can log in as usual.
Admin roles
You can use admin roles to define the permissions each administrator account has in FortiClient EMS. You can use one
of the default admin roles in FortiClient EMS or create a new admin role to assign to an administrator account. Each
admin role can include permissions from three categories: endpoint permissions, policy permissions, and settings
permissions.
The following describes the default admin roles in FortiClient EMS. You cannot edit or delete these admin roles.
Super administrator: Most privileged admin role. Complete access to all FortiClient EMS permissions, including modification, user permissions, approval, discovery, and deployment. Only built-in role that has access to the Administration section of the GUI. Has access to all configured Windows and LDAP servers and users and has the authority to configure user privileges and permissions. The default admin account is a Super Administrator. You cannot assign another admin role to the admin account.
Standard administrator: Includes all endpoint and policy permissions, and read-only permissions to settings permissions.
Endpoint administrator: Includes all endpoint permissions and read-only permissions to policy and settings permissions.
Read-only administrator: Includes read-only permissions to endpoint, policy, and settings permissions.
For admin roles that are not authorized for certain tasks or devices, EMS hides or disables the related menu items, items
in content pages, and buttons.
The following tables list the permissions available when configuring an admin role. The tables also include a description
of what the permission allows the user to do and a link to the relevant section in this guide.
Permissions that apply to Chromebook management are denoted with an asterisk (*).
Endpoint permissions
Manage custom groups: Create, rename, and edit groups to manage endpoints. See Managing groups on page 85.
Manage and assign endpoint policies: See Endpoint Policy & Components on page 124.
View group assignment rules: View group assignment rules. See Group assignment rules on page 105.
Manage group assignment rules: Create, delete, and edit group assignment rules. See Group assignment rules on page 105.
View endpoint filter bookmarks: View endpoint filter bookmarks. See Using bookmarks to filter the list of endpoints on page 95.
Manage endpoint filter bookmarks: Create, delete, and edit endpoint filter bookmarks. See Using bookmarks to filter the list of endpoints on page 95.
View quarantine management: View lists of quarantined and allowlisted files. See Quarantine Management on page 211.
Manage quarantine management: Allowlist and restore quarantined files and remove files from the allowlist. See Quarantine Management on page 211.
Policy permissions
View endpoint policies* View endpoint policies. See Endpoint Policy & Components on page 124.
View endpoint profiles* View endpoint profiles. See Endpoint Profiles on page 136.
Manage endpoint profiles* Create, delete, and edit endpoint profiles. See Endpoint Profiles on page 136.
View Zero Trust tagging rules View Zero Trust tagging rules. See Zero Trust Tagging Rules on page 188.
Manage Zero Trust tagging rules Create, delete, and edit Zero Trust tagging rules. See Zero Trust Tagging Rules on page 188.
Manage installers Create, delete, and edit installers. See FortiClient Installer on page 120.
Manage CA certificates Upload, import, and delete CA certificates. See CA Certificates on page 129.
View on-fabric detection rules View on-fabric detection rules. See On-fabric Detection Rules on page 131.
Manage on-fabric detection rules Create, delete, and edit on-fabric detection rules. See On-fabric Detection Rules on page 131.
Setting permissions
View server settings* View Server settings. See Configuring EMS settings on page 228.
Manage server settings* Modify Server settings. See Configuring EMS settings on page 228.
View Fortinet services settings View FortiGuard Services settings. See Configuring FortiGuard Services settings on page 233.
Manage Fortinet services settings Modify FortiGuard Services settings. See Configuring FortiGuard Services settings on page 233.
View endpoint settings View Endpoints settings. See Configuring EMS settings on page 228.
View login banner settings* View login banner settings. See Configuring EMS settings on page 228.
Manage login banner settings* Modify login banner settings. See Configuring EMS settings on page 228.
View custom message settings View endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 239.
Manage custom message settings Modify endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 239.
View feature select settings View feature select settings. See Feature Select on page 241.
Manage feature select settings Modify feature select settings. See Feature Select on page 241.
Inactivity timeout Specify how long to keep inactive users logged into FortiClient EMS. When the
time expires, EMS automatically logs the user out. Enter 0 to keep inactive
users logged into FortiClient EMS indefinitely.
Allowed inactive days Specify the number of days of inactivity after which to disable a user account.
For example, if this field is set to 10 and a user does not log into FortiClient
EMS for ten days, EMS disables their account so that they cannot log in. A
super administrator can reactivate the account. See Activating a disabled
account on page 218.
Maximum password age Specify the number of days after which to force the user to change their
password. Enter 0 to disable this setting. This setting only applies to built-in
users such as the admin user and EMS users.
3. Click Save.
Fabric Devices
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. You can also deny or
authorize a FortiGate.
SAML SSO
You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an Identity Provider (IdP).
You can only use the SAML SSO feature in EMS with a FortiGate as the IdP. EMS does not
support using FortiAuthenticator as an IdP or custom IdPs.
1. Configure SAML SSO in FortiOS. See Configuring single-sign-on in the Security Fabric. Ensure that you download
the IdP certificate and copy the SP prefix to use when configuring SAML SSO on EMS.
Setting Description
SP Address Enter the EMS IP address. You can also click the Use Current Browser
Address button to autopopulate the field. Your browser must be able to access
this IP address.
5. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:
Setting Description
IdP Address Enter the FortiGate IP address. Your browser must be able to access this IP
address.
IdP Certificate Click Upload new certificate to upload the IdP certificate.
Upload the same certificate that you configured for the IdP (the FortiGate) in
FortiOS in step 1.
6. Click Save.
7. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See
Configuring EMS settings on page 228.
When an administrator logs in to EMS with SSO for the first time, they have restricted
permissions. An EMS super administrator can adjust permissions for the new administrator.
Licenses
Log Viewer
To view logs:
To download logs:
You can mark all endpoints as uninstalled, which erases their historical event data.
This option is mainly useful for customers using virtual desktop infrastructure environments, where temporary desktop
instances are used for a short duration, then terminated. After you use this option to mark all endpoints as uninstalled,
only active instances will reconnect to EMS. This conveniently frees up the licenses that the terminated instances were
using, and you can provision these licenses to active unlicensed endpoints.
FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and
configure other server settings for FortiClient EMS.
When you enable multitenancy, you must configure some EMS settings at the global level, and other settings at the site
level. See Global and per-site configuration on page 246.
Listen on IP Displays the IP addresses for the FortiClient EMS server. FortiClient connects
to FortiClient EMS on the specified IP address.
You can generate a QR code for the specified IP address. See Generating a
QR code for centrally managing FortiClient (Android) and (iOS) endpoints on
page 244.
The third reason is particularly valuable for environments where devices may
be internal or external from day to day. When using an FQDN, you can
configure your internal DNS servers to resolve the FQDN to the EMS internal
IP address and register your external IP address with public DNS servers. You
must then configure the device that holds your external IP address to forward
traffic received on port 8013 to your EMS internal IP address. This allows
external clients to reach EMS through a virtual IP address on the FortiGate,
while internal clients use the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This
configuration requires external clients to establish a VPN connection to reach
EMS (VPN policies permitting), which is problematic if all endpoints need an
urgent update but some are not connected to VPN at that time.
FQDN Enter the FortiClient EMS server FQDN. FortiClient can connect using the
specified IP address in the Listen on IP Addresses option or the specified
FQDN.
Remote HTTPS access Specify settings for remote administration access to FortiClient EMS.
Turn remote HTTPS access to FortiClient EMS on and off. When enabled,
enter a hostname in the Custom hostname field to let administrators use a
browser and HTTPS to log into FortiClient EMS. When disabled,
administrators can only log into FortiClient EMS on the server.
HTTPS port Available when Remote HTTPS Access is enabled. Displays the predefined
HTTPS port. You cannot change the port.
Custom hostname Available when Remote HTTPS Access is turned on. Displays the predefined
hostname of the server on which FortiClient EMS is installed. You can
customize the hostname. When you change the hostname, the web server
restarts.
Redirect HTTP request to HTTPS Available when Remote HTTPS Access is turned on. If this option is enabled,
an attempt to remotely access FortiClient EMS at http://<server_name> is
automatically redirected to https://<server_name>.
SSL certificate Displays the currently imported SSL certificate. If you have already uploaded
an SSL certificate, a Replace button displays.
Show FortiGate Server List When this option is enabled, you can configure FortiGate IP addresses in a
Telemetry server list to allow FortiClient to connect directly to FortiOS.
FortiClient 6.4.0 and later versions cannot connect Telemetry directly to
FortiOS; they connect Telemetry only to EMS, which then sends FortiClient data
to FortiOS. Only endpoints running FortiClient versions older than 6.4.0 can
connect Telemetry directly to FortiOS.
When this option is disabled, you can only configure EMS IP addresses in a
Telemetry server list.
EMS CA certificate (ZTNA) This feature requires the ZTNA or EPP license and only applies for endpoints
running FortiClient 7.0.0 and later versions. See Windows, macOS, and Linux
endpoint licenses on page 21.
Displays the EMS CA certificate expiry. EMS sends this certificate to FortiOS.
See FortiClient in the Security Fabric on page 13.
Click the Revoke and Update button to revoke and update the certificate. You
may want to revoke a certificate if it is compromised and can no longer be
trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient
with a new certificate signing request. This may affect existing connections.
Reset Stalled Deployment Interval Enter the number of hours after which to reset stalled deployments.
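The split-horizon FQDN setup described under Listen on IP can be checked from a client with the following PowerShell. This is an added example and is not part of the FortiClient EMS guide: it resolves the EMS FQDN once through the internal DNS server and once through a public resolver, flags whether each answer is an RFC 1918 address, and probes TCP 8013 (the Telemetry port) at each address. The FQDN, the internal DNS server and the public resolver are placeholders; 1.1.1.1 is only an assumed "outside view" resolver.

```powershell
# Added example, not from the FortiClient EMS guide. Run from a Windows client (PowerShell 5.1 or later).
# Assumptions: the FQDN, the internal DNS server and the public resolver below are placeholders.

function Test-IsRfc1918 {
    # True for 10/8, 172.16/12 and 192.168/16; false for any other address, including IPv6.
    param([Parameter(Mandatory)] [string] $Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-EmsFqdnView {
    # Resolves the EMS FQDN through one resolver and probes the Telemetry port on each A record returned.
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $Resolver,
        [Parameter(Mandatory)] [string] $View,
        [int] $TelemetryPort = 8013
    )
    try {
        $records = Resolve-DnsName -Name $Fqdn -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }
    } catch {
        # Surface a failed lookup as a row instead of silently producing nothing.
        return [pscustomobject]@{ View = $View; Resolver = $Resolver; Address = $null;
                                  IsPrivate = $null; TelemetryPortOpen = $false; Note = $_.Exception.Message }
    }
    foreach ($r in $records) {
        $probe = Test-NetConnection -ComputerName $r.IPAddress -Port $TelemetryPort -WarningAction SilentlyContinue
        [pscustomobject]@{
            View              = $View
            Resolver          = $Resolver
            Address           = $r.IPAddress
            IsPrivate         = Test-IsRfc1918 -Ip $r.IPAddress
            TelemetryPortOpen = $probe.TcpTestSucceeded
            Note              = ''
        }
    }
}

# Internal view should return the private EMS address; external view should return the FortiGate VIP.
$Fqdn        = 'ems.yourcompany.com'   # placeholder
$InternalDns = '10.0.0.53'             # placeholder: an internal DNS server
$PublicDns   = '1.1.1.1'               # assumption: any resolver that sees only the public zone

$rows = @(Test-EmsFqdnView -Fqdn $Fqdn -Resolver $InternalDns -View 'Internal') +
        @(Test-EmsFqdnView -Fqdn $Fqdn -Resolver $PublicDns   -View 'External')
$rows | Format-Table -AutoSize

# Expected shape: the Internal row has IsPrivate=True, the External row IsPrivate=False. TelemetryPortOpen
# is True only on the view matching where this client currently sits, unless the FortiGate hairpins the VIP.
```

Run it once from the LAN and once from outside (or over a mobile connection). A private address coming back from the public resolver means the internal record leaked into the public zone; a public address with the port closed from outside usually means the forwarding rule for 8013 on the edge device is missing.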
3. Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing
Windows, macOS, and Linux endpoints:
Listen on port Displays the FortiClient EMS server default port. You can change the
port by typing a new port number. FortiClient connects using the
specified port number.
Enable TLS 1.0/1.1 Enable TLS 1.0 and 1.1 for file downloads.
You must enable this option when upgrading FortiClient on a
Windows 7 device via FortiClient EMS. Leave it disabled unless you
have such endpoints, since both protocol versions are deprecated.
FortiClient download URL FortiClient deployment packages created in FortiClient EMS are
available for download at this URL.
Open port 10443 in Windows Firewall Open port 10443 or close port 10443. Port 10443 is used to
download FortiClient.
Enforce invitation-only registration for Select the desired endpoints to enforce invitation-only registration
for. See Invitations on page 84. Modifying this setting causes any
endpoints that do not meet the new setting to deregister from EMS.
Sign software packages Enable this option to have Windows FortiClient software installers
created by or uploaded to FortiClient EMS digitally signed with a
code signing certificate.
Timestamp server Enter the server address to timestamp software installers with.
Certificate Upload the desired code signing certificate. This must be a .pfx file.
After a certificate has been uploaded, its expiry date is also
displayed.
Password Enter the certificate password. This is required for FortiClient EMS to
sign the software installers with the certificate.
Enable Managed by EMS Select an option from the dropdown list. Users can configure this
IP address in Shared Settings > Listen on IP.
Notify FortiGate Enter the FortiGates IP address(es) or hostname(s). You can also
use an FQDN.
Press the Enter key to add additional entries.
This option is only available if you enable Show FortiGate Server
List.
Use connection key Enable the connection key endpoints can use to connect to
FortiGates. Enter and reenter the connection key.
Enable login banner When you enable the login banner, a message appears prior to a
user logging into FortiClient EMS. In the Message field, type your
message. The Preview section displays a preview of the message.
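After enabling Sign software packages, a practitioner will want to confirm that what endpoints fetch from the FortiClient download URL is actually signed with the uploaded certificate and countersigned by the timestamp server. The following PowerShell is an added example and is not part of the FortiClient EMS guide: it reads the Authenticode signature on each downloaded package, reports the signer and whether a timestamp countersignature is present, and optionally pins the signer to the thumbprint of the code-signing certificate uploaded to EMS. The download folder and the thumbprint are placeholders.

```powershell
# Added example, not from the FortiClient EMS guide. Run on the host that downloaded the package.
# Assumptions: the download folder and the expected signer thumbprint are placeholders.

function Test-EmsInstallerSignature {
    # Checks the Authenticode signature on one deployment package and optionally pins the signer.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedThumbprint   # SHA-1 thumbprint of the code-signing certificate uploaded to EMS
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $sig.SignerCertificate
    $stamper = $sig.TimeStamperCertificate      # present only when a timestamp server countersigned

    $thumb = $null; $subject = $null; $expires = $null
    if ($signer) { $thumb = $signer.Thumbprint; $subject = $signer.Subject; $expires = $signer.NotAfter }

    # Normalise the pin so "ab:cd", lowercase or spaced thumbprints compare correctly.
    $pin = $null
    if ($ExpectedThumbprint) { $pin = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    $pinMatches = $null
    if ($pin) { $pinMatches = ($thumb -eq $pin) }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status             # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $subject
        Thumbprint    = $thumb
        SignerExpires = $expires
        Timestamped   = ($null -ne $stamper)    # without this, the signature stops validating at SignerExpires
        PinMatches    = $pinMatches
        Ok            = ($sig.Status -eq 'Valid') -and ($null -ne $stamper) -and ($pinMatches -ne $false)
    }
}

# Check every package in the download folder; anything that is not Ok should not be pushed to endpoints.
$downloadDir = 'C:\Temp\FortiClientPackages'               # placeholder
$expected    = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: your signing certificate thumbprint

Get-ChildItem -Path $downloadDir -Include *.exe, *.msi -File -Recurse |
    ForEach-Object { Test-EmsInstallerSignature -Path $_.FullName -ExpectedThumbprint $expected } |
    Format-Table File, Status, Timestamped, PinMatches, Ok -AutoSize
```

A Status of NotSigned means the package was built before Sign software packages was turned on (or was uploaded and not re-signed); HashMismatch means the file was altered after signing and should be treated as tampered. The timestamp check matters because the certificate expiry date that EMS displays only affects new signatures when packages are timestamped; untimestamped signatures stop validating on that date.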
4. If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after
enabling this option.
5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS
managing Chromebook endpoints:
Listen on port Displays the default port for the FortiClient EMS server
for Chromebooks. You can change the port by typing a
new port number. The FortiClient Web Filter extension
on Chromebooks connects to FortiClient EMS using
the specified port number.
User inactivity timeout Enter the number of hours of inactivity after which to
log the user out.
Profile update interval Specify the profile update interval (in seconds).
Update service account Update the service account with new credentials.
Reset service account In the event your service account is broken, you can
revert back to the default service account by clicking
the Reset button. This restores the default service
account. You must Save the settings for the change to
take effect.
FortiClient telemetry connection key Add the FortiClient Telemetry connection key for FortiClient EMS. FortiClient
must provide this key during connection.
You can generate a QR code for the specified key. See Generating a QR code
for centrally managing FortiClient (Android) and (iOS) endpoints on page 244.
Keep alive interval Each connected FortiClient endpoint sends a short keep-alive (KA) message
to FortiClient EMS at the specified interval.
Offline timeout Configure the number of KA intervals after which EMS considers the endpoint
to be offline.
Delete timeout Configure the number of days after which EMS deletes a deregistered
endpoint. For example, if you configure this value to be 45 days, EMS deletes
the endpoint 45 days after its deregistration.
License timeout Configure the number of days after which EMS deregisters an endpoint.
Automatically upload avatars FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and
FortiClient EMS servers it is connected to.
Enable endpoint snapshot reports Enable endpoint snapshot reports and enter the interval at which to take
reports in seconds. The interval must be between 300 and 86400 seconds.
7. Enable Manage Multiple Customer Sites. This enables multitenancy for EMS.
8. Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the
FSSO protocol between EMS and FortiOS.
SSL certificate Displays the SSL certificate currently imported. If you have already uploaded
an SSL certificate, a Replace button displays.
9. Click Save.
You must add an SSL certificate to FortiClient EMS to allow Chromebooks to connect to FortiClient EMS.
If you are using a public SSL certificate, add the certificate to FortiClient EMS. You do not need to add the certificate to
the Google Admin console.
If you are not using a public SSL certificate, you must add the SSL certificate to FortiClient EMS, and the root certificate
to the Google Admin console. See Adding root certificates on page 52.
1. In FortiClient EMS, go to System Settings > EMS Settings > EMS for Chromebooks Settings.
2. Do one of the following:
a. To replace an existing SSL certificate, beside SSL certificate, click Update SSL certificate.
b. If no SSL certificate has been added yet, click the Upload new SSL certificate button.
3. Click Browse and locate the certificate file (<name>.pfx).
4. In the Password field, enter the password.
5. Click Test.
6. Click Save.
If the SSL certificate expires in less than three months, the expiry date label is yellow. If it is
expired, the label is red. Otherwise, it is green.
You can specify what level of log messages to capture in the logs for FortiClient EMS. You can also specify when to
automatically delete logs and alerts.
Log level Select the level of messages to include in FortiClient EMS logs. For example, if
you select Info, all log messages from Info to Emergency are added to the
FortiClient EMS logs.
Clear logs older than Enter the number of days that you want to store logs. For example, if you enter
30, EMS stores logs for 30 days. EMS automatically deletes any logs older
than 30 days.
Clear alerts older than Enter the number of days that you want to keep alerts. For example, if you
enter 30, EMS keeps alerts for 30 days. EMS automatically deletes any alerts
older than 30 days.
Clear events older than Enter the number of days that you want to keep events. For example, if you
enter 30, EMS keeps events for 30 days. EMS automatically deletes any
events older than 30 days.
Clear Chromebook events older than Enter the number of days that you want to keep Chromebook events. For
example, if you enter 30, EMS keeps Chromebook events for 30 days.
EMS automatically deletes any Chromebook events older than 30 days.
Clear now Click to immediately delete all FortiClient EMS logs or alerts.
3. Click Save.
FortiClient relies on several signature databases to identify and stop malware. Keeping these databases up to date is
essential to remain protected from new threats as they are identified.
In some situations, FortiClient may fail to update these signatures. In these situations, the EMS administrator must be
able to readily identify these endpoints so corrective action can be taken.
EMS can detect when an endpoint is out-of-date by downloading a list of the current versions for signatures and engines
and comparing that to the versions reported from FortiClient status updates. EMS can also send an email when this
happens. See Configuring Endpoint Alerts.
You can verify if EMS has up-to-date signatures by going to System Settings > FortiGuard Services > View Signature
List, and comparing that to FortiGuard.com > Services > Service of interest, such as AV.
FortiGuard
Server Location Configure FortiGuard server location to Global, US, or Europe. Europe is only
available if you have selected the Enable SSL checkbox.
Port Enter the desired port number to communicate to the FortiGuard server.
Enable SSL Enable SSL to connect to FortiGuard using HTTPS, or disable SSL to connect using
HTTP. HTTPS must be enabled to use the FortiGuard Europe server.
Use FortiManager for client software/signature updates Turn on to use FortiManager for updating FortiClient software or
signatures. You must specify the IP address or hostname for FortiManager as well as the port number.
FortiCloud
Time Offset Select the FortiCloud time offset from the dropdown list.
4. Click Save.
Alerts
You can set up an SMTP server to enable alerts for FortiClient EMS or endpoint events. When an alert is triggered, EMS
sends an email notification.
To configure EMS Alerts:
Version Alerts
Remind me everyday for 2 weeks Remind you every day for two weeks when a new FortiClient EMS version is
available.
Remind me everyday for 2 weeks Remind you every day for two weeks when a new FortiClient version is
available for deployment.
FortiClient Alerts
EMS fails to sync with LDAP domains FortiClient EMS does not sync with LDAP domains.
Less than 10% of client licenses are left Be notified when less than 10% of client licenses are left.
Client licenses have run out Be notified when you run out of client licenses.
EMS license for Chromebooks is expired or about to expire Expiring or expired FortiClient EMS license for Chromebooks.
Less than 10% of the client licenses for Chromebooks are left Be notified when less than 10% of client licenses for
Chromebooks are left.
Client licenses for Chromebooks have run out Be notified when you run out of client licenses for Chromebooks.
3. Click Save. If you have not already set up an SMTP server, the GUI automatically prompts you to configure SMTP
server settings. See Configuring SMTP Server settings on page 237.
You can set up an SMTP server to enable alerts for EMS and endpoint events. When an alert is triggered, EMS sends an
email notification to the configured email address(es).
Security Select None, STARTTLS, or SMTPS for the security type, or click the
Auto Detect button to select the security type automatically. If
STARTTLS or SMTPS is selected, the Username and Password fields
become available. With None, EMS sends alert email to the SMTP
server unencrypted, so use it only for a relay on a trusted network.
Recipients Enter email address(es) to send alerts to. Press Enter to add more
email addresses.
Send Test Email Click the button to test the configured email settings.
3. Click Save.
To confirm that the EMS server can verify the SMTP server certificate:
When using STARTTLS or SMTPS, the SMTP server presents a certificate to prove its identity. If the server hosting
EMS does not have the corresponding CA in its certificate store, EMS cannot trust the SMTP server certificate and the
connection fails to establish.
You can verify this with tools on the server hosting EMS that establish a TLS connection to the SMTP server. Using
openssl as an example, you can run the following from the Windows command line and look for "Verify return code: 0
(ok)" in the output:
openssl s_client -starttls smtp -crlf -connect <smtp_host>:<port>
Note that a Windows build of openssl validates against its own CA bundle rather than the Windows certificate store, so
its verdict can differ from what EMS sees; a check that uses the Windows store is more faithful.
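The same check, performed on the EMS host against the Windows certificate store that EMS uses, as an added PowerShell example that is not part of the FortiClient EMS guide: it carries out the EHLO/STARTTLS exchange (or connects with implicit TLS when -Smtps is given), completes the handshake, and then reports the server certificate, the chain Windows built for it and the validation result. The server name and port are placeholders.

```powershell
# Added example, not from the FortiClient EMS guide. Run on the Windows server that hosts EMS so the
# check uses the same certificate store EMS relies on. Assumptions: server name and port are placeholders.

function Read-SmtpReply {
    # Reads one SMTP reply, including multi-line replies ("250-..." continues, "250 ..." ends).
    param([Parameter(Mandatory)] [System.IO.StreamReader] $Reader)
    $lines = New-Object System.Collections.Generic.List[string]
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'SMTP server closed the connection' }
        $lines.Add($line)
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ($lines -join "`n")
}

function Test-SmtpServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 587,
        [switch] $Smtps        # implicit TLS on connect (typically port 465) instead of STARTTLS
    )
    $state = @{ Errors = $null }
    # Record what the OS trust store decides, but let the handshake finish so the chain can be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $raw = $client.GetStream()
        if (-not $Smtps) {
            $reader = [System.IO.StreamReader]::new($raw, [System.Text.Encoding]::ASCII)
            $writer = [System.IO.StreamWriter]::new($raw, [System.Text.Encoding]::ASCII)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

            $greeting = Read-SmtpReply -Reader $reader
            if ($greeting -notmatch '^220') { throw "Unexpected greeting: $greeting" }
            $writer.WriteLine("EHLO $env:COMPUTERNAME")
            $ehlo = Read-SmtpReply -Reader $reader
            if ($ehlo -notmatch '(?m)^250[ -]STARTTLS') { throw "Server does not advertise STARTTLS:`n$ehlo" }
            $writer.WriteLine('STARTTLS')
            $ready = Read-SmtpReply -Reader $reader
            if ($ready -notmatch '^220') { throw "STARTTLS refused: $ready" }
        }

        $ssl = [System.Net.Security.SslStream]::new($raw, $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # the name passed here is what the certificate must match

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-only check; enable revocation if your policy needs it
        $trusted = $chain.Build($cert)

        $bye = [System.Text.Encoding]::ASCII.GetBytes("QUIT`r`n")
        $ssl.Write($bye, 0, $bye.Length)

        [pscustomobject]@{
            Server        = "${Server}:${Port}"
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ChainTrusted  = $trusted
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            PolicyErrors  = $state.Errors      # None means EMS on this host should accept the certificate
            ChainSubjects = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
}

# Usage (placeholders): STARTTLS on 587, or add -Smtps for implicit TLS on 465.
Test-SmtpServerCertificate -Server 'smtp.yourcompany.com' -Port 587 | Format-List
```

PolicyErrors of RemoteCertificateChainErrors with ChainStatus UntrustedRoot is the case the guide describes: import the issuing CA into the local machine store on the EMS host and rerun. RemoteCertificateNameMismatch means the SMTP server name configured in EMS does not match the certificate and no store change will fix it.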
You can view alerts that FortiClient EMS generates. Examples of events that generate an alert include:
l A new version of FortiClient is available.
l FortiClient deployment failed.
l Failed to check for signature updates.
l Error encountered when downloading AD server entries.
l Error encountered when scanning for local computers.
A red label is associated with the Alert icon when new notifications are available or received. EMS clears the label when
you view the alert.
1. Click the Alert icon (a bell) in the toolbar.
2. Click the Filter icon in each column heading to apply filters.
3. Click Clear Filters to remove the filters.
Custom Messages
You can customize messages that display on endpoints in certain situations, such as if EMS has quarantined the
endpoint. For example, you can customize the message to include your organization's help desk phone number so that
users can contact the network administration about their machine.
You can customize the message that displays on an endpoint when FortiClient EMS has quarantined it.
You can customize the messages that display on an endpoint on in-browser Web Filter result pages:
l Blocked page
l Warning page
Some customization fields apply to all messages, while others apply to only specific messages. This is indicated
beside the field name.
3. In the left pane, enable/disable the fields and enter the desired messages. You can also upload images for logo and
icon fields. The right pane displays previews of the messages.
4. Click Save.
In Feature Select, you can choose which features to show and hide in EMS. Only features that are enabled in Feature
Select are available for configuration in other areas of EMS. For example, disabling Web Filter in Feature Select results
in the following:
l Endpoint profiles:
l The Web Filter tab is not available for configuration.
l The option to enable Web Filter logs on the System Settings tab is not available.
l If you enable Web Filter in a deployment package, the deployment package installs Web Filter on the endpoint.
However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.
l The Web Filter Detection widget is not available on the Status dashboard.
l Importing a profile from FortiGate/FortiManager is not available.
Only an EMS superadministrator can enable and disable features in Feature Select. Other EMS users can view which
features are enabled and disabled on the Feature Select page, but cannot modify the configuration.
If an endpoint previously had a feature enabled, but you later disable the feature in Feature Select, EMS then disables
the feature on the endpoint.
The following table provides details on features that you must enable for certain functionalities to be available in
FortiClient. You must enable the feature in Feature Select, then configure on the applicable endpoint profile for the
functionality to be available in FortiClient. Note that this table is not exhaustive:
Only features that FortiClient EMS is licensed for are available for enablement in Feature Select. For example, if you
have only applied the ZTNA license, you cannot enable Application Firewall. See Windows, macOS, and Linux endpoint
licenses on page 21 for details on which features each license type includes.
You cannot disable Web Filter if you have enabled the Chromebook feature in Feature Select.
3. Click Save. The Web Filter tab is not available for configuration in an endpoint profile. The Import from
FortiGate/FortiManager option under Endpoint Profiles in the left pane is also not available.
When creating a deployment package, a warning displays beside Web Filtering that the feature is disabled. You
cannot create a deployment package that installs the Web Filter feature on endpoints while Web Filter is disabled in
Feature Select.
You can create a QR code to distribute to FortiClient (Android) and (iOS) users. FortiClient (Android) and (iOS) users
can scan the QR code from their device to automatically enable FortiTelemetry and attempt connection to the specified
FortiClient EMS server.
QR codes can optionally contain the FortiClient telemetry connection key, if desired.
With EMS multitenancy, you can create multiple sites to provide granular access to different sites for different
administrators and to separate endpoint data and configuration into different sites. The sites are completely separate
from each other and cannot share data between them. For example, if an administrator only has access to Site A, they
cannot view data from any other site. EMS supports up to 500 multitenancy sites.
The following sections detail how to enable multitenancy and multitenancy-specific settings.
When multitenancy is enabled, Fabric connectors must use an FQDN to connect to EMS, where the FQDN hostname
matches a site name in EMS (including "Default"). The following are examples of FQDNs to provide when configuring the
connector to connect to the default site and to a site named SiteA, respectively: default.ems.yourcompany.com,
sitea.ems.yourcompany.com.
To configure multitenancy:
4. Select Configure Sites from the site selection list. You can also go to Administration > Configure Sites. This page
displays all sites and their license usage.
5. Click Add.
6. In the Add FortiClient EMS Site dialog, enter the desired site name.
7. Select the checkboxes to assign the desired number of licenses to this site. The dialog displays how many licenses
are available for assignment. Click Save. The newly created site appears in the FortiClient Sites list. You can go to
the site using the site selection list in the upper right corner.
When multitenancy is enabled, you can configure some settings only from the global level, and other settings only from
the site level. You cannot view site-level settings from the global site. For descriptions of the settings, see the relevant
section in this document.
Global configuration
The following lists settings you must configure from the global site:
l System Settings > EMS Settings:
l Shared Settings:
l Hostname
l Listen on IP
l Use FQDN
l SSL certificate
l EMS Settings:
l Listen on port
l Enable login banner. This login banner only shows when you sign in to the global site.
l Listen on port
l SSL certificate
l Service account
l Administrators with multi-site access. See Adding a multitenancy administrator on page 251.
l Database backup and restoration
l (On-premise EMS-only) License management: You must license EMS from the global site. You can then assign the
licenses to other sites. For example, consider that you have three other sites: Sites A, B, and C. If you then activate
500 ZTNA licenses on the global site, you could assign 200 ZTNA licenses to Site A, 150 to Site B, and 150 to Site C.
See Editing a site on page 251.
l EMS Alerts
l SMTP Server
On the global site Dashboard, you can only view the System and License Information widgets. The other widgets, which
display endpoint information, are available at the site level.
The following lists settings you must configure separately for each site:
l System Settings > EMS Settings:
l Shared Settings > Reset Stalled Deployment Interval
l EMS Settings:
l Enable login banner. This login banner only shows when you sign in to the current specified site.
l Endpoints Settings
l EMS FSSO Settings
Selecting an option in the left navigation pane displays its content in the right pane. The following describes the left
pane for the global site when multitenancy is enabled:
Option Description
Dashboard
Administration
User Settings Configure the inactivity timeout and other user settings.
Log Viewer View log messages generated by FortiClient EMS and download
raw logs.
System Settings
EMS Settings Change the IP address and port and configure other EMS
settings for FortiClient EMS, including enabling Chromebook
management.
Log Settings Specify what level of log messages to capture in FortiClient EMS
logs and when to automatically delete logs and alerts.
The following describes the left pane at the site level when multitenancy is enabled. For all options at the site-level, you
can only view and manage endpoints and settings for the current selected site:
Option Description
Dashboard
Vulnerability Scan Displays the Current Vulnerabilities Summary chart that provides
a centralized vulnerability summary for all managed endpoints.
You can observe high-risk hosts and critical vulnerabilities
existing on endpoints. You can also access links on how to fix or
repair the vulnerabilities.
Endpoints
Group Assignment Rules Configure rules to automatically place endpoints into custom
groups based on their installer ID, IP address, or OS.
Google Domains Only available if the EMS for Chromebooks Settings option is
enabled in System Settings > EMS Settings.
Domains Manage users from specific Google domains. You can also add a
Google domain if none exist.
Manage Policies Create endpoint policies and manage policy updates for
Windows, macOS, and Linux endpoints.
Chromebook Policy Create endpoint policies and manage policy updates for
Chromebook endpoints. Only available if the EMS for
Chromebooks Settings option is enabled in System Settings >
EMS Settings.
Endpoint Profiles
Manage Profiles Create profiles and manage profile updates for all profiles.
Fabric Device Monitor View all FortiGates connected to EMS for Zero Trust tagging and
the list of tags that are shared with each FortiGate.
Software Inventory
Quarantine Management
Allowlist View and delete allowlisted files from the Allowlist pane.
Administration
Admin Roles Add and manage FortiClient EMS admin roles and permissions.
Log Viewer View log messages generated by FortiClient EMS and download
raw logs.
System Settings
EMS Settings Change the IP address and port and configure other EMS
settings for FortiClient EMS, including enabling Chromebook
management.
Log Settings Specify what level of log messages to capture in FortiClient EMS
logs and when to automatically delete logs and alerts.
Custom Messages Customize the message that displays on an endpoint when it has
been quarantined by FortiClient EMS
Editing a site
To edit a site:
Super administrator: Full access to the global site and all other sites. Can access all configuration options on all sites, including the global site. The built-in admin account is a super administrator and cannot be configured as another administrator role.
Settings administrator: Access to the global site only. Can access all configuration options on the global site, except for administrator configuration.
Site administrator: Access to specified sites only, with no access to the global site. A site administrator can have access to multiple sites. By default, a site administrator is a super administrator for all sites that they have access to. A site administrator can configure the site license and system settings, including server, FortiGuard, login banner, alerts, and SMTP server settings. You can modify the site administrator's available configuration options for a site by assigning them a different admin role for that site after you log in to the site. See Admin roles on page 219.
The SiteA Administration > Administrators page shows that AlecB is a super administrator for this site. This means that
AlecB has complete access to all EMS permissions within SiteA, as described in Admin roles on page 219.
The SiteB Administration > Administrators page shows that AlecB is a read-only administrator for this site. This means
that AlecB has only read-only access to endpoint, policy, and settings permissions within SiteB, as described in Admin
roles on page 219.
If you had configured a SAML SSO administrator prior to enabling multitenancy, enabling multitenancy causes this administrator to become a super administrator on the global site. You can configure a different role for this administrator. You can only have one SAML SSO administrator for the entire EMS server.
If you logged in as a site administrator, the EMS GUI displays the dashboard for the first site that you have access to
in the dropdown list. The site selection list displays sites that you have access to in alphabetical order.
You can create a support package to provide to the Fortinet technical support team for troubleshooting. Creating a
support package backs up your database but clears all sensitive username and password fields.
You can simply and efficiently move configurations, data, and endpoint connections between EMS instances without
disrupting FortiClient endpoint functionality. This document describes migrating one EMS on-premise environment to
another. This migration requires the following:
l The EMS version in both environments is 6.4.3 GA.
l FortiClient for all supported endpoint platforms (Windows, macOS, Linux, Android, and iOS) are connected before,
during, and after migration.
l You have fully configured EMS and generated data such as logs and events before starting the migration.
l Licensing on the two EMS instances is similar, if not the same, in terms of the number of seats, entitlement, license
types, and duration.
To migrate from on-premise EMS to FortiClient Cloud, see Migrating from on-premise EMS to
FortiClient Cloud.
This guide refers to the EMS instance that you are migrating from as "EMS A". It refers to the EMS instance that you are
migrating to as "EMS B".
d. In the dialog, enter the EMS B FQDN or IP address. Once the migration begins, the Connections column on the
Endpoints pane in EMS B for the selected endpoints displays as Migrating. Events may not display immediately
on the Endpoints pane in EMS B, but are present in the database. Endpoints that are offline when you apply the
Choose a Different IP action migrate when they reconnect to EMS A.
Limitations
l Chromebook: The migration does not support migration for Chromebook endpoints.
This section includes the following configuration examples for FortiClient EMS:
l Support banned word check in URL on page 257
You can configure keyword scanning on search engines for Chromebook endpoints. EMS includes a word list file, provided by the content safeguard service, that contains banned words in various languages for each category. The Keyword Scanning on Search Engine feature supports monitoring and blocking searches for banned words that users perform in popular search engines. You can use this feature to protect students from inappropriate and malicious content.
1. In EMS, go to Endpoint Profiles. Select the desired Chromebook profile, or create a new one.
2. Enable Keyword Scanning on Search Engine.
3. Configure the following features:
Banned Word Search: Enable to configure actions (block or monitor) to take when the user searches for terms that belong to the following categories:
l Violence/Terrorism
l Extremist
l Pornography
l Cyber Bullying
l Self Harm
Custom Banned Words: Configure actions for individual terms. Enable Custom Banned Words, type the desired term in the Add Word field, then click Add Word. Configure the action for the term (Block, Monitor, or Allow), then toggle the Status to On. You can remove a term from the Custom Banned Word list by selecting the checkbox beside the term, then clicking the Remove Word button. The custom term may belong to a category under Banned Word Search. If the action configured for the category under Banned Word Search and the action configured for the term under Custom Banned Words differ, EMS applies the action configured under Custom Banned Words.
You can view user statistics on the Blocked Search Words and Monitored Search Words widgets in Dashboard >
Chromebook Status.
When the user searches for a banned word, they see the following. In the example, the user searched for "bomb",
which belongs to the Extremist category.
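The precedence rule described above (a Custom Banned Words action overrides the category action for the same term) and the "banned word check in URL" configuration example can be modelled in a few dozen lines. The following Python is an added example and is not FortiClient EMS code: it extracts the search text from a search-engine URL, matches whole words against a constructed stand-in for the category word list, applies Custom Banned Words overrides, and tallies hits the way the Blocked Search Words and Monitored Search Words widgets report them. The word lists, the per-engine query parameter names, case-insensitive whole-word matching, and the rule that the most restrictive action wins when one search contains several flagged terms are all assumptions made for this example.

```python
# Illustrative decision logic for Keyword Scanning on Search Engine.
# Added example, not FortiClient EMS code. The category word lists, the
# per-engine query parameter names, whole-word case-insensitive matching and
# the "most restrictive action wins" rule for multi-term searches are all
# assumptions made for this example.
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the content-safeguard category list (the real list
# ships with EMS and is not reproduced here).
CATEGORY_WORDS = {
    "Violence/Terrorism": {"massacre", "shooting"},
    "Extremist": {"bomb", "jihad"},
    "Pornography": {"porn"},
    "Cyber Bullying": {"loser"},
    "Self Harm": {"suicide"},
}

# Query-string parameter that carries the search text for each engine host
# (assumption; extend for other engines).
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}

SEVERITY = {"Allow": 0, "Monitor": 1, "Block": 2}


def extract_search_text(url):
    """Return the search text from a known search-engine URL, or None otherwise."""
    parsed = urlparse(url)
    param = SEARCH_PARAMS.get(parsed.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def tokenize(text):
    """Case-insensitive whole-word tokens (assumed matching rule)."""
    return set(re.findall(r"[^\W_]+", text.lower()))


class KeywordScanner:
    def __init__(self, category_actions, custom_words):
        # category_actions: {category: "Block" | "Monitor"} for enabled categories.
        # custom_words: {term: (action, status_on)} as set under Custom Banned Words.
        self.category_actions = category_actions
        self.custom_words = {t.lower(): v for t, v in custom_words.items()}
        # Dashboard-style counters: blocked and monitored search words.
        self.stats = {"Block": Counter(), "Monitor": Counter()}

    def term_action(self, term):
        """Per-term action: an enabled Custom Banned Words entry overrides its category."""
        custom = self.custom_words.get(term)
        if custom is not None and custom[1]:  # Status toggled On
            return custom[0], "Custom Banned Words"
        for category, words in CATEGORY_WORDS.items():
            if term in words and category in self.category_actions:
                return self.category_actions[category], category
        return "Allow", None

    def scan(self, url):
        """Return (verdict, [(term, action, source), ...]) for one URL."""
        text = extract_search_text(url)
        if text is None:
            return "Allow", []  # not a recognised search-engine query
        hits, verdict = [], "Allow"
        for term in sorted(tokenize(text)):
            action, source = self.term_action(term)
            if action == "Allow":
                continue
            hits.append((term, action, source))
            self.stats[action][term] += 1
            if SEVERITY[action] > SEVERITY[verdict]:
                verdict = action  # most restrictive action across terms wins
        return verdict, hits


if __name__ == "__main__":
    # Constructed profile: Extremist blocked, Self Harm monitored, and a custom
    # entry for "bomb" set to Monitor, which overrides the Extremist Block.
    scanner = KeywordScanner(
        {"Extremist": "Block", "Self Harm": "Monitor"},
        {"bomb": ("Monitor", True), "loser": ("Block", True), "porn": ("Block", False)},
    )
    for url in (
        "https://www.google.com/search?q=how+to+make+a+bomb",
        "https://www.bing.com/search?q=jihad+video",
        "https://search.yahoo.com/search?p=suicide+hotline",
        "https://example.com/?q=bomb",
    ):
        print(url, "->", scanner.scan(url))
    print("blocked:", dict(scanner.stats["Block"]), "monitored:", dict(scanner.stats["Monitor"]))
```

The third constructed custom entry ("porn" with Status Off) shows the other half of the rule: a disabled custom term falls back to its category, and if that category is not enabled in the profile the search is allowed.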
Change log
2021-06-21 Updated Configuring a profile with application-based split tunnel on page 171.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.