FortiClient EMS 7.4.0 Administration Guide
Introduction 10
FortiClient EMS components 10
Documentation 12
Getting started 13
Getting started with managing Windows, macOS, and Linux endpoints 13
Initially deploying FortiClient software to endpoints 13
Pushing configuration information to FortiClient 14
Relationship between FortiClient EMS, FortiGate, and FortiClient 14
Getting started with managing Chromebooks 19
Configuring FortiClient EMS for Chromebooks 19
Configuring the Google Admin console 19
Deploying a profile to Chromebooks 19
How FortiClient EMS and FortiClient work with Chromebooks 20
Installation preparation 21
System requirements 21
License types 22
FortiClient EMS 22
Component applications 25
Required services and ports 25
Telemetry data usage requirements 28
Management capacity 29
Hardware configuration when EMS and Postgres run on same machine with no FortiGate connected 30
Hardware configuration when EMS and PostgreSQL run on different machines with no FortiGate connected 31
Hardware configuration when there are FortiGates connected to the EMS 32
FortiClient Telemetry security features 32
Server readiness checklist for installation 33
Upgrading from an earlier FortiClient EMS version 33
Legacy licenses 33
Upgrading EMS and FortiClient 34
Upgrading EMS from an earlier version 35
Install preparation for managing Chromebooks 35
Google Workspace account 35
SSL certificates 36
Installation and licensing 37
Downloading the installation file 37
Installing FortiClient EMS 7.4.0 37
Migrating EMS from 7.2.4 to 7.4.0 38
Installation 43
Starting FortiClient EMS and logging in 76
Configuring EMS after installation 77
Licensing FortiClient EMS 78
FortiClient Endpoint Management Server (FortiClient EMS) is a security management solution that enables scalable and
centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective
administration of endpoints running FortiClient. It provides visibility across the network to securely share information and
assign security policies to endpoints. It is designed to maximize operational efficiency and includes automated
capabilities for device management and troubleshooting. FortiClient EMS also works with the FortiClient Web Filter
extension to provide web filtering for Google Chromebook users.
FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints and/or
provide web filtering for Google Chromebook users. Benefits of deploying FortiClient EMS include:
• Remotely deploying FortiClient software to Windows PCs
• Updating profiles for endpoint users regardless of access location
• Administering FortiClient endpoint connections, such as accepting, disconnecting, and blocking connections
• Managing and monitoring endpoints, such as status, system, and signature information
• Identifying outdated FortiClient software versions
• Defining web filtering rules in a profile and remotely deploying the profile to the FortiClient Web Filter extension on Google Chromebook endpoints
You can manage endpoint security for Windows and macOS platforms using a unified organizational security policy. An
organizational security policy provides a complete, understandable view of the security policies defined in the organization. You
can see all policy rules, assignments, and exceptions in a single unified view.
FortiClient EMS is part of the Fortinet Endpoint Security Management suite, which ensures comprehensive policy
administration and enforcement for an enterprise network.
FortiClient EMS provides the infrastructure to install and manage FortiClient software on endpoints. FortiClient protects
endpoints from viruses, threats, and risks.
FortiClient EMS also provides the infrastructure to install and manage the FortiClient Web Filter extension on Google
Chromebook endpoints. FortiClient protects endpoint users by working with FortiClient EMS to filter web content
endpoint users view on Google Chromebooks.
The following table lists FortiClient EMS components:
Component | Description
FortiClient | Helps enforce security and protection on endpoints. It runs on servers, desktops, and portable computers you want to secure. See the FortiClient Administration Guide.
FortiClient Web Filter Extension | Communicates with FortiClient EMS and enforces web filtering on Google Chromebook endpoints.
In the diagram, the undotted lines show how different components connect to manage Windows, macOS, and Linux
endpoints using FortiClient EMS. The dotted lines represent how you use components to manage Chromebook
endpoints with FortiClient EMS.
Documentation
You can access FortiClient EMS documentation from the Fortinet Document Library.
The FortiClient EMS documentation set includes the following:
Document | Description
Administration Guide | Describes how to set up FortiClient EMS and use it to manage endpoints. It includes information on how to configure multiple endpoints, configure and manage profiles for the endpoints, and view and monitor endpoints.
New Features Guide | Describes new features and enhancements in FortiClient EMS for the release, including configuration information.
QuickStart Guide | Describes how to install and begin working with the FortiClient EMS system. It provides instructions on installation and deployment, and includes a high-level task flow for using the FortiClient EMS system.
Release Notes | Lists any known issues and limitations for the release. This document also defines supported platforms and minimum system requirements.
REST API | The FortiClient EMS API allows you to perform configuration operations on EMS. You can view the API documentation on the FortiAPI tab on FNDN.
Upgrade Paths | Provides upgrade path information for different versions of FortiClient EMS.
Compatibility Chart | Provides compatibility information for different versions of FortiClient EMS and other Fortinet products.
Jamf Deployment | Provides information about deploying FortiClient using Jamf mobile device management (MDM).
Intune Deployment | Provides information about deploying FortiClient using Intune MDM.
Workspace ONE Deployment | Provides information about deploying FortiClient using VMware Workspace ONE MDM.
HA with Multiple Databases Deployment Guide | Deployment instructions when using high availability with FortiClient EMS.
Following is an overview of how to initially deploy FortiClient to endpoints and connect them to EMS. You can use one of
the following methods:
Microsoft System Center Configuration Manager (SCCM) or group policy object (GPO):
1. Create a custom deployment package (MSI file) on EMS. See Adding a FortiClient deployment package on page 170.
2. Deploy the FortiClient deployment package to desired endpoints using one of the following:
   a. SCCM: Deploy applications with Configuration Manager.
   b. GPO: Use Group Policy to remotely install software.
Mobile device management (MDM):
Use an MDM application to initially deploy FortiClient to the desired endpoints. FortiClient supports the following MDM applications. See the guide for each MDM application:
• Intune
Sending installer link to end users:
1. Create a custom deployment package on EMS. See Adding a FortiClient deployment package on page 170.
2. Create an invitation on EMS, configuring the invitation to be sent to all desired end users. See Invitations on page 454.
3. The end user receives an email or SMS notification that includes the configured invitation code and installer. They install FortiClient on their devices using the included installer and enter the invitation code to connect their FortiClient to EMS.
After FortiClient and EMS establish a Telemetry connection, you can push FortiClient updates to endpoints using EMS. The aforementioned methods are only required for initial FortiClient deployment to endpoints. See Deployment & Installers on page 165.
In 7.4.0, you cannot deploy initial FortiClient installations to Active Directory domain-joined devices. You must use one of the aforementioned methods to deploy initial FortiClient installations.
• macOS
• Linux
After the endpoints' FortiClient connects Zero Trust Telemetry to FortiClient EMS, EMS manages the endpoints, and you
can use FortiClient EMS to push configuration information to FortiClient software on endpoints.
1. Edit an existing profile or create a new profile to configure FortiClient software on endpoints. See Creating a new
profile on page 189.
2. Edit an existing endpoint policy or create a new endpoint policy that is configured with the desired profile. Configure the
endpoint policy to apply to the desired domains and workgroups. See Adding an endpoint policy on page 175.
After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next
Telemetry communication.
3. Monitor the update using the Endpoints pane. See Viewing the Endpoints pane on page 131.
You can use FortiClient EMS in standalone mode or integrated with FortiGate. The following section illustrates the
topology for each configuration and the differences between the scenarios.
See FortiClient Access Control.
In this scenario, FortiClient Zero Trust Telemetry connects to EMS to receive a profile of configuration information as part
of an endpoint policy. EMS is connected to the FortiGate to participate in the Security Fabric. EMS sends FortiClient
endpoint information to the FortiGate.
The FortiGate can also receive dynamic endpoint group lists from EMS and use them to build dynamic firewall policies.
EMS sends group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those groups. This
feature requires FortiOS 6.2.0 or a later version.
FortiClient can also receive a device certificate from EMS that it can use to securely encrypt and tunnel TCP or HTTPS
traffic through HTTPS to the FortiGate. This feature requires FortiClient 7.0.0 or a later version and FortiOS 7.0.0 or
later.
FortiGate does not provide configuration information for FortiClient and the endpoint. An
administrator must configure FortiClient using an EMS endpoint policy.
Following is a summary of how the Zero Trust Telemetry connection works in this scenario. The following assumes that
EMS is already connected to the FortiGate as a participant in the Security Fabric, and that FortiClient and FortiOS are
also 7.0.0 or a later version:
1. EMS sends its CA certificate to the FortiGate.
2. FortiClient Telemetry attempts to connect to EMS. Based on the EMS configuration, FortiClient may receive an
SSL certificate from EMS to verify the connection. If the certificate is valid, FortiClient Telemetry connects to EMS. If
the certificate is invalid, FortiClient may allow or deny the connection to EMS based on the configured invalid certificate
action.
3. FortiClient receives the following from EMS:
   • Licensing. See Windows, macOS, and Linux licenses on page 23.
   • Profile of configuration information as part of an endpoint policy. See Endpoint Profiles on page 189.
   • Device certificate that includes the FortiClient UID. FortiClient installs the received certificate to the current user certificate store for Chrome and Edge browser, and installs it to the browser certificate store for Firefox. This feature may not be available for Firefox.
4. FortiClient sends security posture information to EMS, including third-party software information, running
processes, network information, and so on.
5. EMS dynamically groups the endpoint based on the information it received, using the configured security posture
tagging rules. See Security Posture Tagging Rules on page 367.
6. FortiOS pulls the dynamic endpoint group information from EMS. The FortiOS administrator can use this data to
build dynamic firewall policies.
7. When the endpoint initiates TCP or HTTPS traffic, FortiClient works as a local proxy gateway to securely encrypt
and tunnel the traffic through HTTPS to the FortiGate, using the certificate received from EMS.
8. The FortiGate retrieves the UID to identify the device and check other information using the endpoint information
that EMS provided to the FortiGate. The FortiGate allows or denies the access as applicable.
9. EMS sends dynamic endpoint group updates to FortiOS. FortiOS uses the updates to adjust the policies based on
those groups.
For details about dynamic endpoint groups, see FortiOS dynamic policies using EMS dynamic endpoint groups on page
378.
FortiClient follows the endpoint profile configuration that it receives from EMS. EMS locks FortiClient settings so that the
endpoint user cannot manually change FortiClient configuration.
Only EMS can control the connection between FortiClient and EMS. You can only disconnect FortiClient when you are
logged into EMS.
The EMS server's IP addresses are embedded in FortiClient deployment packages created in EMS. This allows the
endpoint to connect FortiClient Telemetry to the specified EMS server.
EMS sends the following endpoint information to FortiOS:
• User profile:
   • Logged-in username
   • Full name
   • Email address
   • Phone number
   • User avatar
   • Social network account IDs
• MAC address
• OS type
• OS version
• FortiClient version
• FortiClient UUID
FortiGate also opens a websocket with EMS. EMS adds a new FcmNotify daemon to handle the websocket connection.
EMS notifies the FortiGate if any of the following device information has changed. FortiOS loads the updated
information:
• System information
• User avatar
• Vulnerabilities
• Security posture tags
EMS also sends the following endpoint information to FortiAnalyzer:
• Telemetry/system information
• User avatar
• Software inventory
• Processes
• Network statistics
• Classification tags
FortiClient directly sends the following information to FortiAnalyzer:
• Logs
• Windows host events
See the FortiAnalyzer Administration Guide for details.
In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient connects Telemetry to EMS to receive
configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends security posture
tagging rules to FortiClient, and uses the results from FortiClient to dynamically group endpoints in EMS. Only EMS can
control the connection between FortiClient and EMS. You must make any changes to the connection from EMS,
not FortiClient. When FortiClient is connected to EMS, EMS locks FortiClient settings so that the
endpoint user cannot change any configuration. To disconnect FortiClient from EMS, the EMS administrator must
deregister the endpoint in EMS.
In this scenario, EMS and FortiClient cannot participate in the Security Fabric, since a FortiGate is not present.
In FortiOS 6.0, an administrator can quarantine FortiClient endpoints using EMS by enabling the Quarantine FortiClient
via EMS option. The following lists the requirements for this feature:
• The FortiClient endpoint is connected to FortiGate and managed by EMS.
• The FortiClient endpoint and FortiGate use the same FortiAnalyzer.
• The EMS managing the FortiClient endpoint is configured on the FortiGate. FortiOS allows configuration of up to three EMS servers to allow endpoint control in different locations.
Configuring Quarantine FortiClient via EMS requires setting the following fields in the
FortiOS CLI: automation-stitch and forticlient-ems. See the FortiOS CLI
Reference.
If Quarantine FortiClient via EMS is enabled, the following occurs when an indicator of compromise (IOC) is detected on
an endpoint in the Security Fabric:
1. An IOC is detected on an endpoint.
2. FortiOS sends the endpoint information to EMS with instructions to quarantine the endpoint.
3. EMS identifies and quarantines the endpoint based on the request from FortiOS.
You can remove the endpoint from quarantine using EMS as Quarantining an endpoint on page 150 describes or using
FortiOS:
1. The administrator identifies that EMS has quarantined an endpoint from one of the following:
a. FortiClient on the endpoint
b. Quarantine Management or FortiClient Monitor in FortiOS
c. Endpoints pane in EMS
2. The administrator removes the endpoint from quarantine in FortiOS.
3. FortiOS sends the endpoint information to EMS with instructions to remove the endpoint from quarantine.
4. EMS identifies and removes the endpoint from quarantine based on the request from FortiOS.
1. Start and log in to FortiClient EMS. See Starting FortiClient EMS and logging in on page 76.
2. Add SSL certificates. See Adding an SSL certificate to FortiClient EMS on page 488.
3. Configure FortiClient EMS settings. See System Settings on page 471.
4. Configure user accounts and permissions. See Admin Users on page 416.
Following is an overview of how to configure the Google Admin console to prepare for adding the Google domain to
FortiClient EMS. The document assumes you have created the Google domain.
1. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 88.
2. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 89.
3. Add root certificates. See Adding root certificates on page 90.
4. Configure unique service account credentials. See Configuring unique service account credentials on page 95.
5. Disallow incognito mode. See Disallowing incognito mode on page 92.
Following is an overview of how to add a Google domain, configure profiles, and push profiles to Google Chromebooks.
After you add the extension in the Google Admin console, the extension is downloaded to the Google Chromebook when
1. Add the Google domain. See Adding a Google domain on page 161.
2. Define web filtering options in one or more profiles. You can enable Safe Search in profiles. See Adding a new
Chromebook profile on page 190.
3. Edit an existing endpoint policy or create a new endpoint policy that is configured with the desired profile. Configure the
endpoint policy to apply to domains to deploy FortiClient on Chromebooks. See Chromebook Policy on page 188.
4. Verify the FortiClient Web Filter extension. See Verifying the FortiClient Web Filter extension on page 94.
5. View Google domains and Google users. See Viewing domains on page 162.
After you install and configure FortiClient EMS, the Google Admin console, and the FortiClient Web Filter extension, the
products work together to provide web filtering security for Google Chromebook users logged into the Google domain.
Following is a summary of how the products work together after setup is complete:
1. A user logs into the Google Chromebook.
2. The Google Chromebook downloads the FortiClient Web Filter extension.
3. FortiClient connects to FortiClient EMS.
4. FortiClient downloads a profile to the Google Chromebook. The profile contains web filtering settings from
FortiClient EMS.
5. The user browses the Internet on the Google Chromebook.
6. FortiClient sends the URL query to the Fortinet Ratings Server.
7. The Fortinet Ratings Server returns the category result to FortiClient. FortiClient compares the category result with
the profile to determine whether to allow the Google Chromebook user to access the URL.
This section helps you prepare to install FortiClient EMS. Before installing FortiClient EMS, be aware of the following
information:
Before installing FortiClient EMS, read the FortiClient EMS Release Notes to become familiar
with relevant software components and other important information about the product.
Because implementing or migrating to EMS 7.4.0 on the Linux platform can be complex,
Fortinet highly recommends FortiClient Best Practices Service (BPS).
FortiClient Best Practices Service is an account-based annual subscription providing access
to a specialized team that delivers remote guidance on deployment, upgrades, and
operations. The service allows customers to share information about their deployment, user
requirements, resources, and other related items. Based on the information provided, the BPS
experts can provide recommended best practices, sample code, links to tools, and other
materials or assistance to speed adoption and guide the customer towards best practice
deployments. The team does not log into customer devices to make changes for them. This is
a consulting and guidance service which may include sample configurations or playbooks.
This is not an on-site professional services offer.
System requirements
You should only install FortiClient EMS and the default services for the operating system on
the server. You should not install additional services on the same server as FortiClient EMS.
Unnecessary services may cause port conflicts and issues during upgrades, and interrupt
EMS functionality.
License types
This section describes licensing options available for FortiClient EMS. It provides information for each license type to
help determine which license best suits your needs.
FortiClient EMS
After you install EMS, you can enable a free trial license. With the free trial license, you can provision and manage
FortiClient on three Windows, macOS, Linux, iOS, and Android endpoints and three Chromebooks indefinitely. The trial
license includes the same functionality as the zero trust network access license and does not include Sandbox Cloud
support. EMS consumes one license count for each managed endpoint.
See To apply a trial license to FortiClient EMS: on page 79.
You must have an eligible FortiCloud account to activate an EMS trial license. A FortiCloud account can only have one
EMS trial license.
The trial license has the following limitations:
• You should not use a trial license for production purposes.
• A trial license does not entitle you to Fortinet technical support.
• Fortinet may cancel a trial license if the terms of use are violated.
• The free trial policy terms may change at any time at Fortinet's discretion.
• You can only have one trial license per customer.
• You cannot create an installer from the FortiGuard distribution server. See Adding a FortiClient deployment package on page 170.
For evaluation, Fortinet recommends contacting Fortinet sales for an evaluation license. With an
evaluation license, Fortinet provides support as needed during the evaluation period. See How
to Buy and Product Download for FortiClient EMS.
FortiClient EMS supports per-endpoint and per-user licensing. You cannot use both license types on one FortiClient
EMS instance.
The following are the latest license bundles for FortiClient EMS:
Endpoint protection platform (EPP) | Full license that offers all FortiClient features. Includes all features detailed for the zero trust network access (ZTNA) license, as well as antivirus (AV), antiransomware, antiexploit, cloud-based malware detection, Application Firewall, software inventory, USB device control, and advanced threat protection via FortiClient Cloud Sandbox (SaaS). Fortinet offers this license for both per-endpoint and per-user licensing.
ZTNA | Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (IPsec and SSL VPN), Vulnerability Scan, Web Filter, and threat protection via Sandbox (appliance only). Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum five-year term. You can specify the number of endpoints and the term duration at time of purchase. If you do not apply a ZTNA license to EMS, no endpoints can register to EMS. Fortinet offers this license for both per-endpoint and per-user licensing.
FortiSASE | License that applies for deployments using FortiSASE. See FortiSASE.
FortiGuard Endpoint Forensics Analysis | The forensic service provides remote endpoint analysis to help endpoint customers respond to and recover from cyber incidents. For each engagement, forensic analysts from Fortinet's FortiGuard Labs remotely assist in the collection, examination, and presentation of digital evidence, including a final detailed report. This is an add-on license that you can apply to per-endpoint and per-user EPP, ZTNA, and FortiSASE licensing. On-premise EMS only supports this feature for Windows endpoints.
You can purchase different numbers of EPP and ZTNA licenses. For example, you can purchase 100 EPP licenses and
200 ZTNA licenses. EMS applies licenses based on the features that are enabled in the endpoint's assigned profile.
For per-user licenses, you can manually remove or exclude users from management to free up license seats. Each per-
user license allows the user to register three devices. If a user registers a fourth device, they consume two licenses.
When using per-user licensing, Fortinet recommends using user verification. See User
Management on page 449. If an endpoint connects to EMS by specifying the EMS IP address
or using an invitation code, without using user verification, EMS considers the locally logged-in
user identity as consuming a user license.
The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses:
Chromebook licenses
Each purchased Chromebook license allows management of one Google Chromebook user. You must purchase a
minimum of 25 Google Chromebook user licenses and can have these EMS licenses for a maximum three year term.
You can specify the number of Google Chromebook users and the term duration at time of purchase. FortiClient EMS
uses one license seat per logged-in user. If the user logs out, the license seat times out (default timeout being 24 hours),
and the license is released. At this point, another user can use this license seat.
If the number of Chromebooks that the EMS is managing exceeds the number of Chromebook licenses available,
EMS licenses the additional Chromebooks using any available zero trust network access (ZTNA) licenses. For example,
consider that your EMS instance has 50 Chromebook licenses, but 80 Chromebooks connect to the EMS instance.
EMS licenses 50 Chromebooks using the Chromebook licenses, and licenses the remaining 30 Chromebooks using 30
ZTNA licenses, if available. EMS only licenses Chromebooks using ZTNA licenses if no Chromebook license is
available. See Windows, macOS, and Linux licenses on page 23 for information about the ZTNA license.
EMS sends you an email when you are running out of licenses. Additionally, a log entry is
entered when a client is refused connection due to unavailable licenses.
Component applications
Installation of common services required for FortiClient EMS does not ask you for license
information.
You must ensure that you enable required ports and services for use by FortiClient EMS and its associated applications
on your server. The required ports and services enable FortiClient EMS to communicate with endpoints and servers
running associated applications. You do not need to enable ports 8013 and 10443 as the FortiClient EMS installation
opens these.
The following ports and services only apply when using FortiClient EMS to manage Chromebooks:
You should enable the following ports and services for use on Chromebooks when using FortiClient for Chromebooks:
FortiClient EMS connects to FortiGuard to download AV and vulnerability scan engine and signature updates and
FortiClient and EMS installer downloads. FortiClient EMS can connect to legacy FortiGuard or FortiGuard Anycast. The
following table summarizes required services for FortiClient EMS to communicate with FortiGuard:
FortiClient EMS can also connect to FortiClient Cloud Sandbox (SaaS) for integration with FortiSandbox. The following
table summarizes required services for FortiClient EMS to communicate with FortiClient Cloud Sandbox (SaaS):
For the list of required services and ports for FortiClient, see the FortiClient Administration
Guide.
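The guide notes that the EMS installer opens ports 8013 and 10443 itself and that extra services on the server can cause port conflicts. The following added example, which is not code from the guide or from Fortinet, is a small pre-installation check that reports whether another process already holds those TCP ports on the local host; the function and constant names are this example's own.

```python
"""Pre-installation port check for a FortiClient EMS server.

Added example, not part of the FortiClient EMS guide or Fortinet tooling.
The guide states that the EMS installer opens TCP 8013 (Telemetry) and
10443 itself and that unnecessary services on the same server can cause
port conflicts. This script checks, before installation, whether another
service already listens on those ports on the local host.
"""
import errno
import socket
from typing import Dict, Iterable, List

# Ports the guide names as opened by the EMS installer (TCP).
EMS_INSTALLER_PORTS = (8013, 10443)


def port_is_free(port: int, host: str = "") -> bool:
    """Return True if a TCP listener can be bound to host:port right now.

    A failed bind with EADDRINUSE means another process already listens on
    the port, which is the conflict the guide warns about. Binding to ""
    (all interfaces) also collides with listeners bound to a single local
    address. EACCES (for example, a reserved port without privileges) is
    treated as "not usable" rather than as an error.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise
    return True


def preinstall_port_check(ports: Iterable[int] = EMS_INSTALLER_PORTS) -> Dict[int, bool]:
    """Map each port to True (free) or False (already in use)."""
    return {port: port_is_free(port) for port in ports}


def conflicts(ports: Iterable[int] = EMS_INSTALLER_PORTS) -> List[int]:
    """Ports that must be released before running the EMS installer."""
    return [port for port, free in preinstall_port_check(ports).items() if not free]


if __name__ == "__main__":
    busy = conflicts()
    if busy:
        print("Port conflict: stop the service(s) listening on", busy, "before installing EMS.")
    else:
        print("Ports", EMS_INSTALLER_PORTS, "are free; the EMS installer can open them.")
```

Run it on the target server before starting the installer; it probes only the local host and does not change any firewall or service state.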
Telemetry syncs between EMS and endpoints transfer data. The amount of data transferred varies significantly between
cases and depends on many factors, such as the amount of zero trust network access (ZTNA) tags, the features enabled
in the endpoint configuration, and so on.
The following table provides statistics for the average and maximum amounts of data transferred when the Telemetry
sync occurs and includes certain events or configuration changes. You may find this information useful for your own
sizing and deployment planning. However, this information is not intended to provide a comprehensive overview or
exact data for your deployment.
Event | Average | Maximum | Notes
Avatar:
User uploads avatar for the first time | 4.54 | 8.99 | 157 KB size image
User changes their avatar | 8.85 | 15.39 | Avatar changed from 157 KB image to 878 KB image
Endpoint registration: (rows of this table did not survive extraction)
Quarantine: (rows of this table did not survive extraction)
ZTNA: (rows of this table did not survive extraction)
Other: (rows of this table did not survive extraction)
Management capacity
FortiClient EMS is intended for enterprise use and has the capacity to manage a large number of endpoints.
You can install EMS with default PostgreSQL (Postgres) shipped with EMS. When managing more than 50000
endpoints, install Postgres in a Docker container running on a different machine or install Postgres standalone on a
different machine. Otherwise, you may experience database deadlocks.
The following topics include suggested host system hardware configurations for FortiClient EMS. The suggested
configurations depend on the number of endpoints FortiClient EMS manages, whether Postgres and EMS are on the
same or different servers, and whether there are FortiGates connected to EMS. The configurations in the following topics
apply when a maximum of 50 multitenancy sites are configured. EMS supports 50 multitenancy sites. However, you
must derive the actual number of supported sites for your configuration in conjunction with the management capacity
tables. See the following for the suggested host system hardware configurations for these scenarios:
• Hardware configuration when EMS and Postgres run on same machine with no FortiGate connected on page 30
• Hardware configuration when EMS and PostgreSQL run on different machines with no FortiGate connected on page 31
• Hardware configuration when there are FortiGates connected to the EMS on page 32
Hardware configuration when EMS and Postgres run on same machine with no
FortiGate connected
The following table shows the configurations when EMS and PostgreSQL (Postgres) run on the same Linux server
machine with no FortiGate connected and multitenancy disabled:
Number of man- Number of virtual Memory (RAM) (in Suggested keep Deployment
aged endpoints CPUs GB) alive (KA) interval duration
Up to 5000 6 12 6 to 12 hours
Default (60 seconds)
5000 to 10000 10 18 12 to 24 hours
The following table shows the configurations when EMS and Postgres run on the same Linux server machine with no
FortiGate connected and multitenancy enabled with up to 20 sites:
Number of managed
Number of virtual CPUs Memory (RAM) (in GB) Suggested KA interval
endpoints
Up to 5 000 6 16
Default (60 seconds)
5 000 to 10 000 10 26
10 000 to 20 000 14 30
120 seconds
20 000 to 50 000 22 36
Hardware configuration when EMS and PostgreSQL run on different machines with
no FortiGate connected
The following table shows the configurations when EMS and PostgreSQL (Postgres) run on different Linux server
machines with no FortiGate connected and multitenancy disabled:
10000 to 20000 8 6 4 16
50000 to 75000 20 10 10 26
The following table shows the configurations when EMS and Postgres run on different Linux server machines with no
FortiGate connected and multitenancy enabled with up to 20 sites:
10000 to 20000 8 8 4 22
50000 to 75000 20 12 12 32
The following table shows the configurations when EMS and Postgres run on different Linux server machines with no
FortiGate connected and multitenancy enabled with up to 50 sites:
The following table shows the resource requirement for the following EMS setup:
l EMS and PostgreSQL (Postgres) run on the same Linux server machine
l Up to 100 FortiGates connected to the EMS
l Up to 20 security posture tags are configured
Number of managed endpoints | Number of virtual CPUs | Memory (RAM) (in GB) | Suggested KA interval
Up to 5000                  | 8                      | 14                   | Default (60 seconds)
5000 to 10000               | 12                     | 18                   | Default (60 seconds)
10000 to 20000              | 14                     | 22                   | 120 seconds
20000 to 50000              | 36                     | 30                   | 120 seconds
The following table shows the resource requirement for the following EMS setup:
l EMS and Postgres run on different Linux server machines
l Up to 300 FortiGates connected to the EMS. FortiGates are recommended to run FortiOS 7.4.1 and later versions.
l Up to 20 security posture tags are configured
10000 to 20000   | 12 | 8  | 12 | 20 |
50000 to 75000   | 22 | 14 | 36 | 36 |
75000 to 150000* | 26 | 20 | 48 | 56 | 180 seconds
FortiClient connects to EMS and FortiGate over an SSL connection. All protocol exchanges flow through this secure
connection. The connection is closed after protocol exchanges between both parties are complete. The SSL
connections require a valid certificate.
You can configure Telemetry connections between FortiClient and FortiGate or EMS to require a preshared password or
connection key. See Configuring EMS settings on page 472.
The default Telemetry port number is 8013. You can change this in EMS and FortiClient. When a port is not provided,
FortiClient always attempts to connect to the default port, 8013. If you change the port on EMS, endpoints that are still
configured with the default port can no longer connect.
At any time, you can disconnect a rogue endpoint from EMS and prevent it from reconnecting to EMS in the future.
See Required services and ports on page 25 for a list of TCP/IP ports that EMS uses. You can block all other ports or
service requests to the EMS IP address or fully qualified domain name (FQDN).
Temporarily disable security applications. You must temporarily disable any antivirus (AV) software on
the target server before you install FortiClient EMS. Installation may be slow or disrupted while these
programs are active. A server may be vulnerable to attack while security applications are uninstalled or
disabled, so keep that window short and re-enable them as soon as installation completes.
Consider the date and time settings you apply to your server. If managing Chromebooks, syncing the
time to the Google server time is recommended.
Confirm required services and ports are enabled and available for use by FortiClient EMS. Ensure that
no conflicts exist with all ports that Required services and ports on page 25 lists as incoming.
FortiClient EMS 7.4.0 does not support upgrading from previous EMS versions. You must
upgrade EMS to 7.2.4, then migrate from the Windows Server model to the Linux model as
Migrating EMS from 7.2.4 to 7.4.0 on page 38 describes.
Most of the following information in this topic is meant to provide guidance on upgrading EMS
to 7.2.4, after which you can migrate to 7.4.0 as Migrating EMS from 7.2.4 to 7.4.0 on page 38
describes. You cannot use the following information to directly upgrade another EMS version
to 7.4.0.
Before any version upgrade or other maintenance, back up the EMS database. Consider
performing a full server backup or taking a VM snapshot if possible.
Legacy licenses
EMS 7.4.0 does not support legacy 158 licenses, which were in use before 2021 and have reached end-of-life (EOL).
Following is a list of discontinued SKUs:
l FC1-15-EMS01-158-02-DD
l FC1-15-EMS02-158-02-DD
If you attempt an upgrade to EMS 7.4.0 with the legacy 158 licenses, the EMS installer displays an error message:
Legacy license is not supported after upgrade. The EMS upgrade does not proceed.
EMS 7.4.0 does not support the following legacy licenses:
l FC1-15-EMS01-297-01-DD
l FC2-15-EMS01-297-01-DD
l FC3-15-EMS01-297-01-DD
l FC4-15-EMS01-297-01-DD
l FC1-15-EMS03-297-01-DD
l FC2-15-EMS03-297-01-DD
l FC1-15-EMS03-298-01-DD
l FC2-15-EMS03-298-01-DD
l FC1-15-EMS01-299-01-DD
l FC2-15-EMS01-299-01-DD
l FC3-15-EMS01-299-01-DD
You may be using the EMS migration tool to migrate your Windows Server-based EMS 7.2 to the Linux-based EMS 7.4.
If you attempt to migrate EMS 7.2 using a legacy license to EMS 7.4 using the migration tool, the migration tool aborts
the process and displays a Current EMS Windows license is not supported in EMS Linux,
migration is aborted message.
When EMS manages FortiClient endpoints, you must consider the version compatibilities between EMS and FortiClient
before upgrading EMS. Ensure that you follow these instructions when upgrading EMS and FortiClient.
See the EMS Compatibility Chart for EMS and FortiClient compatibility information.
of the installation process. When following this method, you do not need to restore the EMS configuration at
any step. At each step of the incremental process, ensure the following:
You must sign up for your Google Workspace (formerly G Suite) account before you can use the Google service and
manage your Chromebook users.
The Google Workspace account is different from the free consumer account. The Google Workspace account is a paid
account that gives access to a range of Google tools, services, and technology.
You can sign up for a Google Workspace account here.
In the signup process, you must use your email address to verify your Google domain. This also proves you have
ownership of the domain.
SSL certificates
FortiClient EMS requires an SSL certificate signed by a Certificate Authority (CA) in pfx format. Use your CA to generate
a certificate file in pfx format, and remember the configured password. For example, the certificate file name is server.pfx
with password 111111.
The server where you installed FortiClient EMS should have an FQDN, such as ems.forticlient.com, and you must
specify the FQDN in your SSL certificate.
If you are using a public SSL certificate, the FQDN can be included in Common Name or Subject Alternative Name. You
must add the SSL certificate to FortiClient EMS. See Adding an SSL certificate to FortiClient EMS on page 488. You do
not need to add the root certificate to the Google Admin console.
If you are using a self-signed certificate (non-public SSL certificate), your certificate's Subject Alternative Name must
include DNS:<FQDN>, for example, DNS:ems.forticlient.com. You must add the SSL certificate to FortiClient EMS
and the root certificate to the Google Admin console to allow the extension to trust FortiClient EMS. See Adding root
certificates on page 90.
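The following shell script is an added example and is not part of this guide or of the EMS installer. It builds a test bundle the way this section describes (a CA-signed certificate whose Subject Alternative Name carries DNS:<FQDN>, exported to .pfx with a password) using a throwaway CA, and then verifies the bundle before you upload it to EMS: that the password opens it and that the SAN lists the FQDN exactly. The directory, the test CA, ems.forticlient.com and the password 111111 are the example values from this section, not values for production use; the script assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the FortiClient EMS guide. Builds a PKCS#12 bundle the
# way the guide describes (CA-signed, FQDN in the SAN, password-protected) with a
# throwaway CA, then checks the bundle before it is uploaded to EMS. The directory,
# the CA, the FQDN ems.forticlient.com and the password 111111 are test values.
# Requires OpenSSL 1.1.1 or later (for "x509 -ext").

# Verify that a .pfx opens with the given password and that its end-entity
# certificate lists DNS:<fqdn> in the Subject Alternative Name.
# Returns 0 on success, 1 otherwise.
# Usage: check_pfx_san server.pfx 111111 ems.forticlient.com
check_pfx_san() {
    pfx=$1; pass=$2; fqdn=$3
    # -clcerts -nokeys: print only the server certificate, never the private key
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) || {
        echo "FAIL: cannot open $pfx (wrong password or not a PKCS#12 file)"
        return 1
    }
    san=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null) || san=""
    # Split the "DNS:a, DNS:b" list into one entry per line and require an exact match,
    # so that DNS:ems.forticlient.com.example does not pass for ems.forticlient.com
    if printf '%s\n' "$san" | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$fqdn"; then
        echo "OK: $pfx carries DNS:$fqdn in its SAN"
        return 0
    fi
    echo "FAIL: $pfx does not carry DNS:$fqdn in its SAN"
    return 1
}

# Build a test bundle: a throwaway CA signs a server certificate whose SAN holds
# DNS:<fqdn>; key, certificate and CA chain are exported to <dir>/server.pfx.
# Usage: make_test_pfx /tmp/emscert ems.forticlient.com 111111
make_test_pfx() {
    dir=$1; fqdn=$2; pass=$3
    mkdir -p "$dir"
    # Throwaway CA standing in for your organisation's CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR; the CN alone is not enough, the SAN below is what clients check
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    # Bundle into the password-protected PKCS#12 file that EMS expects
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/server.pfx" 2>/dev/null
}

# Stand-alone run: build the bundle, then check it for the intended FQDN and for a
# name it does not carry (the second check is expected to fail).
demo_dir=$(mktemp -d)
make_test_pfx "$demo_dir" ems.forticlient.com 111111
check_pfx_san "$demo_dir/server.pfx" 111111 ems.forticlient.com
check_pfx_san "$demo_dir/server.pfx" 111111 vpn.forticlient.com || true
rm -rf "$demo_dir"
```

To check a bundle your own CA produced, run check_pfx_san against that file with the password and the FQDN you intend to enter in EMS; a FAIL on the SAN check means the Chromebook extension (for a non-public certificate) and browsers will not trust the name even though EMS accepts the upload.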
Before you install and license FortiClient EMS on a server, ensure you have:
l Reviewed License types on page 22
l Met the requirements listed in Required services and ports on page 25
l Completed the Server readiness checklist for installation on page 33
l Logged into the server as the administrator. The administrator user account provides access to all common
services, FortiClient EMS, and other application tasks. You can use this account to initially log into the server and to
create other user accounts for normal day-to-day use of the applications.
FortiClient EMS is available for download from the Fortinet Support website.
You can also receive installation files from a sales representative.
The following installation files are available for FortiClient EMS:
l forticlientems_7.4.0.xxxx.bin
l forticlientems_7.4.0.xxxx_migration_tool.zip
l forticlientems_7.4.0.xxxx_postgres-ha.tar.gz
l forticlientems_7.4.0.xxxx_postgresql15.tar.gz
For information about obtaining FortiClient EMS, contact your Fortinet reseller.
EMS 7.4.0 introduces a shift to a Linux-based model from the Windows Server-based model in earlier EMS versions.
This change provides numerous benefits, including improved architecture and flexibility. This document provides
instructions to migrate your EMS data from an existing Windows Server-based instance to the Linux-based model, as
well as installation instructions for various use cases.
EMS 7.4.0 only supports Ubuntu 22.04 Server and Desktop. While EMS 7.4.0 supports both Ubuntu 22.04 Desktop and
Server, consider that Desktop uses more resources that could otherwise be available for EMS usage. You should
consider proper planning for hardware resources.
Because implementing or migrating to EMS 7.4.0 on the Linux platform can be complex,
Fortinet highly recommends FortiClient Best Practices Service (BPS).
FortiClient Best Practices Service is an account-based annual subscription providing access
to a specialized team that delivers remote guidance on deployment, upgrades, and
operations. The service allows customers to share information about their deployment, user
requirements, resources, and other related items. Based on the information provided, the BPS
experts can provide recommended best practices, sample code, links to tools, and other
materials or assistance to speed adoption and guide the customer towards best practice
deployments. The team does not log into customer devices to make changes for them. This is
a consulting and guidance service which may include sample configurations or playbooks.
This is not an on-site professional services offer.
The following provides instructions for migrating existing EMS 7.2.4 configurations to EMS 7.4.0. Only EMS 7.2.4
supports the migration. To migrate earlier EMS versions to 7.4.0, first upgrade them to 7.2.4 as FortiClient Upgrade Path
describes.
As Fortinet released EMS 7.2.5 later than EMS 7.4.0, you cannot migrate EMS 7.2.5 to 7.4.0.
Avoid saving or deleting mobile device management (MDM) integrations while both the old
and new EMS servers are running. This is necessary because both EMS servers share the
same MDM service, and one server can accidentally overwrite changes made on the other.
1. Install EMS 7.4.0 on the Linux machine. Do not configure any settings on EMS. See Standalone EMS install on
page 43.
2. The EMS migration requires a user. You can create a new user or use an existing one. Add the user to the sudo,
forticlientems, and www-data groups. In this example the user is "test":
sudo adduser test
sudo usermod -aG sudo test
sudo usermod -aG forticlientems test
sudo usermod -aG www-data test
3. Do one of the following:
l Disable firewall:
To configure the Windows Server machine with the EMS instance to migrate:
The Windows Server machine must have TLS 1.2 enabled for the Schannel client. In Registry Editor, confirm that the
Enabled value under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Client] is set to 1, or that the key does not exist at all. TLS 1.2 is enabled by default.
1. Create a user in SQL Server with the sysadmin role. You will use this user to export the tables that contain
EMS data:
a. Log in to SQL Server Management Studio using Windows authentication. You may need to enable Trust server
certificate.
b. In Object Explorer, right-click FCEMS and select Properties. Click Security and select SQL Server and
Windows Authentication mode.
c. In Object Explorer, go to Security > Logins. Right-click and select New login > General.
d. In the Login name field, enter the desired login name. In this example, the login name is ems.
e. Select SQL Server authentication.
f. In the Password and Confirm password fields, enter the desired password.
If there are issues, check the migration log in the same folder as the migration tool.
7. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does not
create this service, which only exists to pass commands to version-specific Postgres services. It displays as part of
the output as the command filters for all services that contain "postgres" in the name.
8. Access the EMS GUI on the Linux server and verify that all configurations and data from the EMS Windows Server
were migrated.
After EMS migration completes, do one of the following to migrate FortiClient endpoints to Linux EMS:
Method Description
Update DNS record with Linux On the DNS server, update the EMS DNS record with the Linux EMS IP address.
EMS IP address (recommended) FortiClient endpoints that were previously connected to Windows Server
EMS resolve the new IP address to the EMS FQDN and connect to the Linux
EMS. This is the recommended method to migrate FortiClient endpoints to Linux
EMS.
The endpoint automatically connects to Linux EMS. Even if user verification is
enabled, the migration is seamless and the user does not notice any changes on
the endpoint.
Switch EMS 1. On the Windows Server EMS, go to Endpoints > All Endpoints.
2. Select the desired endpoints.
3. Select Action > Switch EMS > Switch by IP/Switch by Invitation.
4. Enter the Linux EMS IP address, FQDN, or invitation. Selected endpoints
connect to the Linux EMS.
5. If user verification is enabled, the user onboarding popup for the new
invitation displays on the endpoint. The user must verify their identity to
Method Description
Configure EMS server list on This method only works if user verification is not enforced and FortiClient
Windows Server EMS connects to EMS using an FQDN or IP address.
1. On the Windows Server EMS, go to System Settings > EMS Settings.
2. Enable Configure EMS server list.
3. Add the Linux EMS IP address or FQDN and port number.
4. Click Save.
5. After the endpoint receives the configuration changes, disconnect or shut
down the EMS Windows Server. In the next keepalive interval, FortiClient
connects to Linux EMS.
Installation
The following assumes that you have a machine with Ubuntu installed.
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does not
create this service, which only exists to pass commands to version-specific Postgres services. It displays as part of
the output as the command filters for all services that contain "postgres" in the name.
7. Access the EMS GUI and log in.
8. If after initially installing EMS 7.4.0 you need to upgrade to a newer build, repeat steps 2-5 with the new installation
file.
You can install PostgreSQL (Postgres) in Docker on the same machine as EMS or on a remote machine.
1. Prepare the desired Ubuntu machine(s). If you are using two machines, you will install Postgres on one machine
and EMS on the other machine. The following instructions designate some steps for the Postgres machine and
others for the EMS machine. If you are using one machine, simply perform all configuration on that machine.
2. On the Postgres machine, do the following:
a. Run sudo -i to log in to the shell with root privileges. Perform all following steps with root privileges.
b. Install Docker:
apt install docker.io
f. Run the Docker container. The following shows the command to run a container:
docker run --restart always --name <container name> -e POSTGRES_PASSWORD=<password> -p <local port number>:5432 -d <image name> -N <number>
Option | Description
-e | Set environment variables. POSTGRES_PASSWORD sets the password of the Postgres superuser.
-p | Publish the container's Postgres port (5432) on the given local port of the Docker host.
-d | Run container in the background and print container ID.
-N | Maximum number of concurrent connections allowed to the containerized Postgres database (passed through to the postgres server process).
--restart always | Ensures that if the host restarts, it starts the container automatically.
You can use any container instance name and password. In this example, the
container's Postgres port, 5432, is exposed to port 6434 on the machine where Docker
is running.
This allows you to have several instances of Postgres containers running and isolated
from each other as long as they use different local host ports. You can use any port
number as a local port for a Postgres container.
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
e. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does
not create this service, which only exists to pass commands to version-specific Postgres services. It displays as
part of the output as the command filters for all services that contain "postgres" in the name.
f. Access the EMS GUI and log in.
g. If after initially installing EMS 7.4.0 you need to upgrade to a newer build, repeat step 3 with the new installation
file.
The following uses PostgreSQL (Postgres) for the remote database. EMS and the Postgres database are hosted on two
Ubuntu machines.
2. Install EMS custom extensions. The following commands require the ems_pg_extensions.tar.gz file, which you can
download from the Fortinet Support site:
sudo tar zxvf ems_pg_extensions.tar.gz -C /
sh -c 'head -c 20 /dev/urandom | md5sum | head -c 20;' |sudo tee
/var/lib/postgresql/15/symmetric_key.txt > /dev/null
sudo systemctl restart postgresql
3. You can tune Postgres based on the host server specs by applying the recommended configuration. While there are
various tools you can use to find the recommended configuration, these instructions use PGTune. Generate and
copy the recommended configuration:
a. Go to PGTune and enter the following information:
Field Value
DB version 15
OS Type Linux
Total Memory (RAM) Enter the total memory for your Postgres server. In this example, it is 4 GB.
Number of CPUs Enter the total number of CPUs for your Postgres server. In this example, it
is 4.
Data Storage Enter the data storage type as per your device. In this example, it is SSD
storage.
b. Click Generate.
4. Update /etc/postgresql/15/main/postgresql.conf:
a. Add or update the configuration in /etc/postgresql/15/main/postgresql.conf with the content that
you copied in step 3.
b. Uncomment and change wal_level to minimal, e.g. wal_level = minimal. This removes all logging
except the information required to recover from a crash or immediate shutdown. Postgres only accepts
wal_level = minimal together with max_wal_senders = 0, so also set max_wal_senders = 0 (the default is 10);
otherwise the server refuses to start.
6. Allow connections from the remote EMS machine by changing the IPv4 entry in pg_hba.conf from:
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
to:
host all all 0.0.0.0/0 scram-sha-256
pg_hba.conf is matched top-down and the first matching line applies. 0.0.0.0/0 accepts password authentication
from any address that can reach the port; where possible, use the EMS server's address instead (for example,
<EMS IP>/32) and keep the loopback line.
To install EMS:
1. On the second Ubuntu machine, download the forticlientems_7.4.0.XXXX.bin file from https://support.fortinet.com.
2. Set umask to 022 if the existing umask setting is more restrictive.
3. Install EMS. db_host is the remote Postgres server:
sudo chmod +x forticlientems_7.4.0.XXXX.bin
sudo ./forticlientems_7.4.0.XXXX.bin -- --db_host "172.16.1.26" --db_user postgres --db_pass Fortinet123# --skip_db_install --allowed_hosts '*' --enable-remote-https
Passing --db_pass on the command line leaves the database password in the shell history and, while the installer
runs, in the process list. Clear that history entry (or run the command with history disabled) once installation
completes.
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
4. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does not
create this service, which only exists to pass commands to version-specific Postgres services. It displays as part of
the output as the command filters for all services that contain "postgres" in the name.
5. If after initially installing EMS 7.4.0 you need to upgrade to a newer build, repeat steps 1-3 with the new installation
file.
The following provides instructions for installing EMS in a high availability (HA) configuration with the PostgreSQL
(Postgres) databases also in an HA configuration using Bitnami Docker.
1. Prepare four Ubuntu machines. Two act as Postgres database hosts and the other two are EMS hosts. If using
cloned virtual machines for the EMS hosts, run the following commands on the cloned machine:
sudo rm /etc/machine-id
sudo rm /var/lib/dbus/machine-id
sudo systemd-machine-id-setup
2. Run sudo -i to log in to the shell with root privileges. Perform all following steps with root privileges.
3. Configure the Postgres HA cluster:
a. Load the EMS Postgres Bitnami Docker image in both Postgres database host nodes:
i. Install Docker:
apt install docker.io
ii. Download the PostgreSQL Docker image forticlientems_postgres-ha.tar.gz file from the Fortinet Support
site.
iii. Load the image:
docker load -i forticlientems_postgres-ha.tar.gz
iv. List the images on Docker to verify the image has been created/loaded:
docker image ls
b. Create the Docker cluster and network on the primary database host:
i. Create the Docker cluster:
docker swarm init
ii. Create the network that the Postgres cluster will use:
docker network create --opt encrypted --driver=overlay --attachable ems_pg_ha
iii. Start the Postgres Bitnami container on the primary host. In this example, the primary host is pg-1.
docker run --restart always --detach --network ems_pg_ha --name pg-1 -p 5432:5432
\
--env POSTGRESQL_POSTGRES_PASSWORD=postgres \
--env ALLOW_EMPTY_PASSWORD=yes \
--env POSTGRESQL_DAEMON_USER=postgres \
--env REPMGR_PASSWORD=postgres \
--env REPMGR_PRIMARY_HOST=pg-1 \
--env REPMGR_PRIMARY_PORT=5432 \
--env REPMGR_PARTNER_NODES=pg-1,pg-2:5432 \
--env REPMGR_NODE_NAME=pg-1 \
--env REPMGR_NODE_NETWORK_NAME=pg-1 \
--env REPMGR_PORT_NUMBER=5432 \
--volume pg_1_data:/bitnami/postgresql \
-it \
ems-postgres-ha
iv. Start the Postgres Bitnami container on the secondary host. In this example, the secondary host is pg-2:
docker run --restart always --detach --network ems_pg_ha --name pg-2 -p 5432:5432
\
--env POSTGRESQL_POSTGRES_PASSWORD=postgres \
--env ALLOW_EMPTY_PASSWORD=yes \
--env POSTGRESQL_DAEMON_USER=postgres \
--env REPMGR_PASSWORD=postgres \
--env REPMGR_PRIMARY_HOST=pg-1 \
--env REPMGR_PRIMARY_PORT=5432 \
--env REPMGR_PARTNER_NODES=pg-1,pg-2:5432 \
--env REPMGR_NODE_NAME=pg-2 \
--env REPMGR_NODE_NETWORK_NAME=pg-2 \
--env REPMGR_PORT_NUMBER=5432 \
--volume pg_2_data:/bitnami/postgresql \
-it \
ems-postgres-ha
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
In the example, db_host contains IP addresses for both database nodes. Replace
the IP addresses with your database server IP addresses or FQDNs.
iii. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS
does not create this service, which only exists to pass commands to version-specific Postgres services. It
displays as part of the output as the command filters for all services that contain "postgres" in the name.
c. On the secondary node, install EMS:
i. Set umask to 022 if the existing umask setting is more restrictive.
ii. Install EMS:
./forticlientems_7.4.0.XXXX.bin -- --db_host "172.16.1.12,172.16.1.15" --db_user postgres --db_pass postgres --skip_db_install --skip_db_deploy --skip_event_feature --allowed_hosts '*' --enable-remote-https
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
iii. After installation completes, check that EMS services are running by entering the following command. On
the secondary EMS, only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer, and redis-server
services should be running:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
d. After installation on both nodes is complete, access the EMS GUI from the primary node using a browser by
going to https://localhost. Complete initial configuration for EMS by doing the following:
i. Set the password for the default administrator. See Starting FortiClient EMS and logging in.
ii. Configure the EMS FQDN and remote access. See Configuring EMS after installation.
iii. License EMS. See Licensing FortiClient EMS.
iv. Confirm that Listen on IP is set to All. See Configuring EMS settings.
e. Go to System Settings > EMS Settings.
f. In the Custom hostname field, enter a virtual IP address (VIP) that is configured in the FortiGate load balancer
(LB) as the VIP for EMS. In this example, the VIP is 172.16.1.50.
5. Configure a FortiGate as an LB for EMS HA:
a. Create a health check:
i. Go to Policy & Objects > Health Check. Click Create New.
ii. For Type, select TCP.
iii. In the Interval field, enter 10.
iv. In the Timeout field, enter 2.
v. In the Retry field, enter 3.
vi. In the Port field, enter 8013. Click OK.
b. Create a virtual server:
i. Go to Policy & Objects and create a virtual server.
ii. Configure the fields as follows:
Field Value
Virtual server IP VIP that you configured in step 4.f. In this example, the VIP is
172.16.1.50.
6. After the FortiGate LB configuration is complete, you can access EMS using the VIP configured in the FortiGate LB.
If after initially installing EMS 7.4.0 you need to upgrade to a newer build, repeat steps 4.a.-c. with the new
installation file.
The following uses PostgreSQL (Postgres) for the remote database. EMS and the Postgres database are hosted on two
Ubuntu machines.
2. Install EMS custom extensions. The following commands require the ems_pg_extensions.tar.gz file, which you can
download from the Fortinet Support site:
sudo tar zxvf ems_pg_extensions.tar.gz -C /
sh -c 'head -c 20 /dev/urandom | md5sum | head -c 20;' |sudo tee
/var/lib/postgresql/15/symmetric_key.txt > /dev/null
sudo systemctl restart postgresql
3. You can tune Postgres based on the specs of the host server by applying the recommended configuration. While
there are various tools you can use to find the recommended configuration, these instructions use
PGTune. Generate and copy the recommended configuration:
Field Value
DB version 15
OS Type Linux
Total Memory (RAM) Enter the total memory for your Postgres server. In this example, it is 4 GB.
Number of CPUs Enter the total number of CPUs for your Postgres server. In this example, it
is 4.
Data Storage Enter the data storage type as per your device. In this example, it is SSD
storage.
b. Click Generate.
c. Click Copy configuration.
4. Update /etc/postgresql/15/main/postgresql.conf:
a. Add or update the configuration in /etc/postgresql/15/main/postgresql.conf with the content that
you copied in step 3.
b. Uncomment and change wal_level to minimal, e.g. wal_level = minimal. This removes all logging
except the information required to recover from a crash or immediate shutdown. Postgres only accepts
wal_level = minimal together with max_wal_senders = 0, so also set max_wal_senders = 0 (the default is 10);
otherwise the server refuses to start.
6. Allow connections from the EMS nodes by changing the IPv4 entry in pg_hba.conf from:
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
to:
host all all 0.0.0.0/0 scram-sha-256
pg_hba.conf is matched top-down and the first matching line applies. 0.0.0.0/0 accepts password authentication
from any address that can reach the port; where possible, list the two EMS node addresses instead (one host line
per node, each with /32) and keep the loopback line.
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
c. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS does
not create this service, which only exists to pass commands to version-specific Postgres services. It displays as
part of the output as the command filters for all services that contain "postgres" in the name.
3. On the secondary node, install EMS:
a. Set umask to 022 if the existing umask setting is more restrictive.
b. Install EMS:
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
c. After installation completes, check that EMS services are running by entering the following command. On the
secondary EMS, only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer, and redis-server services
should be running:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
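Every install procedure above ends with the same systemctl command and a reminder that postgresql.service legitimately shows exited, and the HA procedures add that a secondary node should run only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer, and redis-server. The following shell script is an added example, not part of this guide, that applies those rules to the command's output so the check can be scripted. The sample outputs it carries are constructed: the unit descriptions in them are invented, and the set of services expected on a primary node is taken to be whatever the grep pattern matches.

```shell
#!/bin/sh
# Added example, not part of the FortiClient EMS guide. Evaluates the output of
#   systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
# for a given node role instead of reading it by eye. The four services the guide
# names for a secondary EMS node are used as given; the sample outputs below are
# constructed and their unit descriptions are invented.

# Read systemctl output on stdin and print every unit that is in the wrong state.
# Exits 0 when the node looks healthy, 1 otherwise.
#   primary:   every matching unit must be "active running", except
#              postgresql.service, which the guide says shows "active exited"
#   secondary: only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer and
#              redis-server may run; anything else that is active is reported
# Usage: systemctl --all --type=service | check_ems_services primary
check_ems_services() {
    awk -v role="$1" '
        /\.service/ {
            # systemctl prefixes failed units with a bullet, shifting the columns right by one
            i = ($1 ~ /\.service$/) ? 1 : 2
            unit = $i; active = $(i + 2); substate = $(i + 3)
            if (unit !~ /fcems|apache|redis|postgres/) next
            if (unit == "postgresql.service" && active == "active" && substate == "exited") next
            if (role == "secondary") {
                if (unit ~ /^(fcems_monitor|fcems_pgbouncer|fcems_wspgbouncer|redis-server)\.service$/) {
                    if (!(active == "active" && substate == "running")) {
                        print "NOT RUNNING on secondary: " unit " (" active "/" substate ")"; bad++
                    }
                } else if (active == "active") {
                    print "UNEXPECTED on secondary: " unit " is " active "/" substate; bad++
                }
                next
            }
            if (!(active == "active" && substate == "running")) {
                print "NOT RUNNING: " unit " (" active "/" substate ")"; bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed sample: healthy primary (or standalone) node
sample_primary_ok() {
cat <<'EOF'
  fcems_monitor.service       loaded active running FortiClient EMS monitor
  fcems_pgbouncer.service     loaded active running FortiClient EMS pgbouncer
  fcems_wspgbouncer.service   loaded active running FortiClient EMS websocket pgbouncer
  apache2.service             loaded active running The Apache HTTP Server
  redis-server.service        loaded active running Advanced key-value store
  postgresql.service          loaded active exited  PostgreSQL RDBMS
  postgresql@15-main.service  loaded active running PostgreSQL Cluster 15-main
EOF
}

# Constructed sample: primary node with a failed pgbouncer and a stopped Apache
sample_primary_broken() {
cat <<'EOF'
  fcems_monitor.service       loaded active   running FortiClient EMS monitor
● fcems_pgbouncer.service     loaded failed   failed  FortiClient EMS pgbouncer
  apache2.service             loaded inactive dead    The Apache HTTP Server
  postgresql.service          loaded active   exited  PostgreSQL RDBMS
EOF
}

# Constructed sample: secondary HA node where Apache was left running
sample_secondary_leaky() {
cat <<'EOF'
  fcems_monitor.service       loaded active   running FortiClient EMS monitor
  fcems_pgbouncer.service     loaded active   running FortiClient EMS pgbouncer
  fcems_wspgbouncer.service   loaded active   running FortiClient EMS websocket pgbouncer
  redis-server.service        loaded active   running Advanced key-value store
  apache2.service             loaded active   running The Apache HTTP Server
  postgresql.service          loaded inactive dead    PostgreSQL RDBMS
EOF
}

# Stand-alone run against the constructed samples; on a real node, pipe the
# systemctl command from the guide into check_ems_services instead
sample_primary_ok | check_ems_services primary && echo "healthy primary: OK"
sample_primary_broken | check_ems_services primary || echo "broken primary: problems listed above"
sample_secondary_leaky | check_ems_services secondary || echo "leaky secondary: problems listed above"
```

On a secondary node the check is stricter than on the primary on purpose: a web front end or Postgres that is accidentally active there would answer traffic the load balancer sends it without the shared state the primary holds, so an "UNEXPECTED" line is worth stopping and disabling the unit before you continue.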
4. After installation on both nodes is complete, access the EMS GUI from the primary node using a browser by going to
https://localhost. Complete initial configuration for EMS by doing the following:
a. Set the password for the default administrator. See Starting FortiClient EMS and logging in.
b. Configure the EMS FQDN and remote access. See Configuring EMS after installation.
c. License EMS. See Licensing FortiClient EMS.
5. Go to System Settings > EMS Settings.
6. In the Custom hostname field, enter a virtual IP address (VIP) that is configured in the FortiGate load balancer (LB)
as the VIP for EMS. In this example, the VIP is 172.16.1.50.
7. Configure a FortiGate as an LB for EMS HA:
a. Create a health check:
i. Go to Policy & Objects > Health Check. Click Create New.
ii. For Type, select TCP.
iii. In the Interval field, enter 10.
iv. In the Timeout field, enter 2.
v. In the Retry field, enter 3.
vi. In the Port field, enter 8013. Click OK.
b. Create a virtual server:
i. Go to Policy & Objects and create a virtual server.
ii. Configure the fields as follows:
Field Value
Virtual server IP VIP that you configured in step 6. In this example, the VIP is
172.16.1.50.
d. Create a security policy that includes the LB virtual server as a destination address:
i. Go to Policy & Objects > Firewall Policy.
ii. Click Create New.
iii. Configure the Incoming Interface and Outgoing Interface fields. The outgoing interface connects to the
primary EMS node.
iv. For Source, select all.
v. In the Destination field, select the LB virtual servers for ports 10443, 443, 8013, 8015, 8443, and 8871.
vi. For Service, select ALL.
vii. For Inspection Mode, select Proxy-based.
viii. Save the policy.
ix. If the EMS nodes are in different subnets, repeat these steps to configure a policy for the secondary
EMS node. In this example, the nodes are in the same subnet, so you do not need to add a separate policy
for the secondary EMS.
8. After the FortiGate LB configuration is complete, you can access EMS using the VIP configured in the FortiGate LB.
If after initially installing EMS 7.4.0 you need to upgrade to a newer build, repeat steps 1-3 with the new installation
file.
This guide gives instructions on how to set up a PostgreSQL (Postgres) high availability (HA) cluster when Postgres is
natively installed (not Postgres containers) and install EMS HA.
Postgres HA requires at least three servers or virtual machines (VM):
Node Purpose
Postgres witness 1 Serves as a witness to prevent split-brain scenarios where both nodes may self-promote to become the primary and clash
The configuration also requires two servers or VMs for EMS nodes.
> /etc/apt/sources.list.d/2ndquadrant.list'
sudo apt-get install curl ca-certificates
curl https://apt.2ndquadrant.com/site/keys/9904CD4BD6BAF0C3.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install -y postgresql-15-repmgr
3. Install EMS custom extensions (ems_pg_extensions.tar.gz) for Postgres. You can download the extensions from
the Fortinet Support site:
sudo tar zxvf ems_pg_extensions.tar.gz -C /
4. Create the symmetric key that the custom extension requires. Copy the value in symmetric_key.txt, as you
must share it with the other nodes:
sh -c 'head -c 20 /dev/urandom | md5sum | head -c 20;' | sudo tee /var/lib/postgresql/15/symmetric_key.txt > /dev/null
cat /var/lib/postgresql/15/symmetric_key.txt
5. Set the password for the Postgres Linux user: sudo passwd postgres
6. Modify postgresql.conf to add replication parameters. Change the following settings on
/etc/postgresql/15/main/postgresql.conf with the indicated values:
listen_addresses = 'localhost, <ip of the PostgreSQL node1 server>'
max_wal_senders = 10
max_replication_slots = 10
wal_level = replica
hot_standby = on
archive_mode = on
archive_command = '/bin/true'
shared_preload_libraries = 'repmgr'
7. Set up Postgres access to the replication user. Add the following to /etc/postgresql/15/main/pg_
hba.conf:
host all all 0.0.0.0/0 trust
local replication repmgr trust
host replication repmgr 127.0.0.1/32 trust
host replication repmgr <node1 ip>/32 trust
host replication repmgr <node2 ip>/32 trust
host replication repmgr <witness ip>/32 trust
local repmgr repmgr trust
host repmgr repmgr 127.0.0.1/32 trust
host repmgr repmgr <node1 ip>/32 trust
host repmgr repmgr <node2 ip>/32 trust
host repmgr repmgr <witness ip>/32 trust
8. Create the repmgr user and database. Run the following to create the repmgr user and database on Postgres:
sudo -u postgres createuser -s repmgr
sudo -u postgres createdb repmgr -O repmgr
3. Install EMS custom extensions (ems_pg_extensions.tar.gz) for Postgres. You can download the extensions from
the Fortinet Support site:
sudo tar zxvf ems_pg_extensions.tar.gz -C /
4. Create the symmetric key that the custom extension requires. The value must be the symmetric key copied from
PostgreSQL node 1:
sh -c 'echo "<value copied from PostgreSQL node 1>"|head -c 20 | head -c 20;' | sudo tee /var/lib/postgresql/15/symmetric_key.txt > /dev/null
5. Set the password for the Postgres Linux user: sudo passwd postgres
6. Modify postgresql.conf to add replication parameters. Change the following settings in
/etc/postgresql/15/main/postgresql.conf to the indicated values:
listen_addresses = 'localhost, <ip of the PostgreSQL node2 server>'
max_wal_senders = 10
max_replication_slots = 10
wal_level = replica
hot_standby = on
archive_mode = on
archive_command = '/bin/true'
shared_preload_libraries = 'repmgr'
7. Set up Postgres access to the replication user. Add the following to /etc/postgresql/15/main/pg_hba.conf:
host all all 0.0.0.0/0 trust
local replication repmgr trust
host replication repmgr 127.0.0.1/32 trust
host replication repmgr <node1 ip>/32 trust
host replication repmgr <node2 ip>/32 trust
host replication repmgr <witness ip>/32 trust
local repmgr repmgr trust
host repmgr repmgr 127.0.0.1/32 trust
host repmgr repmgr <node1 ip>/32 trust
host repmgr repmgr <node2 ip>/32 trust
host repmgr repmgr <witness ip>/32 trust
log_file='/var/log/repmgr/repmgr.log'
log_level=DEBUG
failover=automatic
promote_command='/usr/bin/repmgr standby promote -f /etc/repmgr.conf'
follow_command='/usr/bin/repmgr standby follow -f /etc/repmgr.conf --upstream-node-id=%n'
[Service]
Type=forking
User=postgres
ExecStart=/usr/bin/repmgrd -f /etc/repmgr.conf --daemonize
PIDFile=/tmp/repmgrd.pid
ExecStop=/bin/kill -s TERM $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
# additional options
#REPMGRD_OPTS=""
# repmgrd binary
#REPMGRD_BIN=/usr/bin/repmgrd
7. Kill any previous instance of repmgrd that may be running: ps -ef|grep "bin/repmgrd"|grep -v grep|xargs -t -i sudo kill {}
8. Enable and start the repmgrd service: sudo systemctl enable repmgrd.service && sudo systemctl start repmgrd.service
9. Create a monitor and reconciliation service to support automatic failover. Create the script /var/lib/postgresql/node_monitor.sh, owned by the postgres user:
#!/bin/bash
# Script to detect a new primary and rejoin the cluster as standby if necessary
# Configuration variables
REPMGR_CONF="/etc/repmgr.conf"
PG_SERVICE="postgresql@15-main"
CHECK_INTERVAL=10 # Check every 10 seconds
REPMGR_CMD="/usr/bin/repmgr"
PG_CTL="/usr/bin/pg_ctl"
NODE_NAME="node1"
# Assumption: the guide does not show log_message or how CLUSTER_STATUS is
# obtained; the log file and the repmgr-based check below are one workable reading.
LOG_FILE="/var/log/repmgr/node_monitor.log"

log_message() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') [$NODE_NAME] $1" >> "$LOG_FILE"
}

# Main loop
while true; do
    # Ensure PostgreSQL is running before checking the cluster status
    systemctl is-active --quiet "$PG_SERVICE"
    PG_STATUS=$?
    if [ "$PG_STATUS" -eq 0 ]; then
        # repmgr reports a node as "running as primary" when it is registered as a
        # standby but has been promoted: a new primary exists and this node must
        # not keep running as a second primary.
        CLUSTER_STATUS=$(sudo -u postgres "$REPMGR_CMD" -f "$REPMGR_CONF" cluster show 2>/dev/null \
            | grep "running as primary" | grep -v "$NODE_NAME")
        IN_RECOVERY=$(sudo -u postgres psql -Atc "SELECT pg_is_in_recovery()" 2>/dev/null)
        if [[ -n "$CLUSTER_STATUS" && "$IN_RECOVERY" == "f" ]]; then
            # Name column of the cluster show line, then its conninfo from the repmgr metadata
            NEW_PRIMARY=$(echo "$CLUSTER_STATUS" | head -n 1 | awk -F'|' '{gsub(/ /, "", $2); print $2}')
            PRIMARY_CONNINFO=$(sudo -u postgres psql -d repmgr -Atc \
                "SELECT conninfo FROM repmgr.nodes WHERE node_name = '$NEW_PRIMARY'")
            log_message "New primary $NEW_PRIMARY detected; rejoining as standby."
            systemctl stop "$PG_SERVICE"
            # --force-rewind runs pg_rewind, which needs wal_log_hints=on or data checksums
            sudo -u postgres "$REPMGR_CMD" -f "$REPMGR_CONF" node rejoin \
                -d "$PRIMARY_CONNINFO" --force-rewind
            REJOIN_RC=$?
            systemctl start "$PG_SERVICE"
            if [ "$REJOIN_RC" -eq 0 ]; then
                log_message "Node rejoined as standby successfully."
            else
                log_message "Failed to rejoin node as standby."
            fi
        elif [[ -z "$CLUSTER_STATUS" ]]; then
            log_message "No other primary detected, or the current node is already a standby. Nothing to do."
        fi
    else
        log_message "PostgreSQL service is not running. Skipping checks."
    fi
    # Wait for the next check
    sleep $CHECK_INTERVAL
done
[Service]
Type=simple
User=root
ExecStart=/var/lib/postgresql/node_monitor.sh
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
11. Enable and start the monitor service: sudo systemctl enable pg_node_monitor && sudo systemctl start pg_node_monitor
log_file='/var/log/repmgr/repmgr.log'
log_level=DEBUG
failover=automatic
promote_command='/usr/bin/repmgr standby promote -f /etc/repmgr.conf'
follow_command='/usr/bin/repmgr standby follow -f /etc/repmgr.conf --upstream-node-id=%n'
[Service]
Type=forking
User=postgres
ExecStart=/usr/bin/repmgrd -f /etc/repmgr.conf --daemonize
PIDFile=/tmp/repmgrd.pid
ExecStop=/bin/kill -s TERM $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
# additional options
#REPMGRD_OPTS=""
# repmgrd binary
#REPMGRD_BIN=/usr/bin/repmgrd
10. Kill any previous instance of repmgrd that may be running: ps -ef|grep "bin/repmgrd"|grep -v grep|xargs -t -i sudo kill {}
11. Enable and start the repmgrd service: sudo systemctl enable repmgrd.service && sudo systemctl start repmgrd.service
12. Create a monitor and reconciliation service to support automatic failover. Create the script /var/lib/postgresql/node_monitor.sh, owned by the postgres user:
#!/bin/bash
# Script to detect a new primary and rejoin the cluster as standby if necessary
# Configuration variables
REPMGR_CONF="/etc/repmgr.conf"
PG_SERVICE="postgresql@15-main"
CHECK_INTERVAL=10 # Check every 10 seconds
REPMGR_CMD="/usr/bin/repmgr"
PG_CTL="/usr/bin/pg_ctl"
NODE_NAME="node2"
LOG_FILE="/var/log/repmgr/node_monitor.log" # assumption: the guide does not show log_message or the cluster check
log_message() { echo "$(date '+%Y-%m-%d %H:%M:%S') [$NODE_NAME] $1" >> "$LOG_FILE"; }
# Main loop
while true; do
    # Ensure PostgreSQL is running before checking the cluster status
    systemctl is-active --quiet "$PG_SERVICE"
    PG_STATUS=$?
    if [ "$PG_STATUS" -eq 0 ]; then
        # Another node that repmgr reports as "running as primary" means a new primary was promoted
        CLUSTER_STATUS=$(sudo -u postgres "$REPMGR_CMD" -f "$REPMGR_CONF" cluster show 2>/dev/null | grep "running as primary" | grep -v "$NODE_NAME")
        IN_RECOVERY=$(sudo -u postgres psql -Atc "SELECT pg_is_in_recovery()" 2>/dev/null)
        if [[ -n "$CLUSTER_STATUS" && "$IN_RECOVERY" == "f" ]]; then
            NEW_PRIMARY=$(echo "$CLUSTER_STATUS" | head -n 1 | awk -F'|' '{gsub(/ /, "", $2); print $2}')
            PRIMARY_CONNINFO=$(sudo -u postgres psql -d repmgr -Atc "SELECT conninfo FROM repmgr.nodes WHERE node_name = '$NEW_PRIMARY'")
            log_message "New primary $NEW_PRIMARY detected; rejoining as standby."
            systemctl stop "$PG_SERVICE"
            # --force-rewind runs pg_rewind, which needs wal_log_hints=on or data checksums
            if sudo -u postgres "$REPMGR_CMD" -f "$REPMGR_CONF" node rejoin -d "$PRIMARY_CONNINFO" --force-rewind; then
                log_message "Node rejoined as standby successfully."
            else
                log_message "Failed to rejoin node as standby."
            fi
            systemctl start "$PG_SERVICE"
        elif [[ -z "$CLUSTER_STATUS" ]]; then
            log_message "No other primary detected, or the current node is already a standby. Nothing to do."
        fi
    else
        log_message "PostgreSQL service is not running. Skipping checks."
    fi
    sleep $CHECK_INTERVAL # Wait for the next check
done
[Service]
Type=simple
User=root
ExecStart=/var/lib/postgresql/node_monitor.sh
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
14. Enable and start the monitor service: sudo systemctl enable pg_node_monitor && sudo systemctl start pg_node_monitor
4. Set up Postgres access to the replication user. Add the following to /etc/postgresql/15/main/pg_hba.conf:
host all all 0.0.0.0/0 trust
local replication repmgr trust
host replication repmgr 127.0.0.1/32 trust
host replication repmgr <node1 ip>/32 trust
host replication repmgr <node2 ip>/32 trust
host replication repmgr <witness ip>/32 trust
local repmgr repmgr trust
host repmgr repmgr 127.0.0.1/32 trust
host repmgr repmgr <node1 ip>/32 trust
host repmgr repmgr <node2 ip>/32 trust
host repmgr repmgr <witness ip>/32 trust
6. Create the repmgr user and database. Run the following to create the repmgr user and database on Postgres:
sudo -u postgres createuser -s repmgr
sudo -u postgres createdb repmgr -O repmgr
9. Register as witness, informing it of the host of the primary node: sudo -u postgres /usr/bin/repmgr -f /etc/repmgr.conf witness register -h <node1 ip>
10. Create a systemd service config for repmgr by creating file /etc/systemd/system/repmgrd.service:
[Unit]
Description=PostgreSQL Replication Manager Daemon
After=network.target postgresql.service
[Service]
Type=forking
User=postgres
ExecStart=/usr/bin/repmgrd -f /etc/repmgr.conf --daemonize
PIDFile=/tmp/repmgrd.pid
ExecStop=/bin/kill -s TERM $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
11. Edit /etc/default/repmgrd to change default settings. It should look like this:
# default settings for repmgrd. This file is source by /bin/sh from
# /etc/init.d/repmgrd
# disable repmgrd by default so it won't get started upon installation
# valid values: yes/no
REPMGRD_ENABLED=yes
# additional options
#REPMGRD_OPTS=""
# repmgrd binary
#REPMGRD_BIN=/usr/bin/repmgrd
# pid file
REPMGRD_PIDFILE=/tmp/repmgrd.pid
12. Kill any previous instance of the repmgrd that might be running:
ps -ef|grep "bin/repmgrd"|grep -v grep|xargs -t -i sudo kill {}
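The following script is an added example and is not part of the FortiClient EMS guide or Fortinet's installer. It applies the postgresql.conf settings from the node setup steps above to a file idempotently (so a re-run never duplicates a line) and audits pg_hba.conf for "trust" rules that reach beyond single cluster hosts, which is the check to run before a line such as host all all 0.0.0.0/0 trust is left in place on a node that listens on the network. The file paths and the 10.0.0.11 address in the demo are assumptions.

```bash
#!/bin/bash
# Added example, not from the FortiClient EMS guide: idempotently apply the
# postgresql.conf replication settings from the steps above and audit
# pg_hba.conf for "trust" rules that reach beyond the cluster's own hosts.
# Paths are passed as arguments so the functions can run against scratch copies.

# set_pg_param FILE KEY VALUE: rewrite an existing (possibly commented-out) KEY
# line, or append one, so re-running the procedure never duplicates a setting.
set_pg_param() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# apply_replication_settings FILE NODE_IP: the values the guide gives for a
# PostgreSQL node, with NODE_IP filling the <ip of the PostgreSQL node> placeholder.
apply_replication_settings() {
    local file="$1" node_ip="$2"
    set_pg_param "$file" listen_addresses "'localhost, ${node_ip}'"
    set_pg_param "$file" max_wal_senders 10
    set_pg_param "$file" max_replication_slots 10
    set_pg_param "$file" wal_level replica
    set_pg_param "$file" hot_standby on
    set_pg_param "$file" archive_mode on
    set_pg_param "$file" archive_command "'/bin/true'"
    set_pg_param "$file" shared_preload_libraries "'repmgr'"
}

# audit_pg_hba FILE: print each "host ... trust" rule whose address is not a
# single host (/32 or /128). "trust" means no password at all, so a rule such as
# "host all all 0.0.0.0/0 trust" lets any host that can reach the port log in as
# any role. Returns 1 when at least one such rule exists, 0 otherwise.
# Assumes CIDR notation, as in the guide; "local" rules have no address and are skipped.
audit_pg_hba() {
    local file="$1" found=0
    local type db user addr method rest
    while read -r type db user addr method rest; do
        case "$type" in ''|\#*|local) continue ;; esac
        [ "$method" = "trust" ] || continue
        case "$addr" in
            */32|*/128) ;;
            *) echo "over-broad trust rule: $type $db $user $addr $method"; found=1 ;;
        esac
    done < "$file"
    return $found
}

# Demo on scratch copies when run directly with --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    printf '#listen_addresses = %s\nmax_wal_senders = 0\n' "'localhost'" > "$work/postgresql.conf"
    apply_replication_settings "$work/postgresql.conf" 10.0.0.11   # constructed node address
    cat "$work/postgresql.conf"
    printf 'host all all 0.0.0.0/0 trust\nlocal replication repmgr trust\nhost replication repmgr 10.0.0.11/32 trust\n' > "$work/pg_hba.conf"
    audit_pg_hba "$work/pg_hba.conf" || echo "pg_hba.conf needs tightening before the node is exposed"
    rm -rf "$work"
fi
```

Run it with --demo to see both functions work on scratch files; against a real node, point apply_replication_settings at /etc/postgresql/15/main/postgresql.conf and audit_pg_hba at /etc/postgresql/15/main/pg_hba.conf, then reload PostgreSQL.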
To test failover:
Stop the Postgres service on the primary node or shut down the primary node. By default, the health check runs
every 10 seconds. Before promoting itself to primary, the secondary node checks that the primary is down at least
six times, so failover takes 60 seconds. This interval is configurable, but 60 seconds is an acceptable failover timeout or downtime.
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
In the example, db_host contains IP addresses for both database nodes. Replace
the IP addresses with your database server IP addresses or FQDNs.
iii. After installation completes, check that all EMS services are running by entering the following command:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
The output shows that postgresql.service status displays as exited. This is the expected status. EMS
does not create this service, which only exists to pass commands to version-specific Postgres services. It
displays as part of the output as the command filters for all services that contain "postgres" in the name.
Run the installer to/from any directory other than /tmp. Running the installer to/from /tmp causes issues.
iii. After installation completes, check that EMS services are running by entering the following command. On
the secondary EMS, only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer, and redis-server
services should be running:
systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
d. After installation on both nodes is complete, access the EMS GUI from the primary node using a browser by
going to https://localhost. Complete initial configuration for EMS by doing the following:
i. Set the password for the default administrator. See Starting FortiClient EMS and logging in.
ii. Configure the EMS FQDN and remote access. See Configuring EMS after installation.
iii. License EMS. See Licensing FortiClient EMS.
iv. Confirm that Listen on IP is set to All. See Configuring EMS settings.
e. Go to System Settings > EMS Settings.
f. In the Custom hostname field, enter a virtual IP address (VIP) that is configured in the FortiGate load balancer
(LB) as the VIP for EMS. In this example, the VIP is 172.16.1.50.
2. Configure a FortiGate as an LB for EMS HA:
a. Create a health check:
i. Go to Policy & Objects > Health Check. Click Create New.
ii. For Type, select TCP.
iii. In the Interval field, enter 10.
iv. In the Timeout field, enter 2.
v. In the Retry field, enter 3.
vi. In the Port field, enter 8013. Click OK.
b. Create a virtual server:
i. Go to Policy & Objects and create a virtual server.
ii. Configure the fields as follows:
Virtual server IP: VIP that you configured in step 4.f. In this example, the VIP is 172.16.1.50.
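The script below is an added example, not part of the FortiClient EMS guide, for the service check in the installation steps above. It parses the output of systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres' and verifies what the guide says each HA node should show: on the secondary, only fcems_monitor, fcems_pgbouncer, fcems_wspgbouncer and redis-server running; on the primary, every fcems_* unit running, with postgresql.service in the exited state being expected. The sample systemctl output is constructed; fcems_example.service and the descriptions are placeholders.

```bash
#!/bin/bash
# Added example, not from the FortiClient EMS guide: check the output of
#   systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres'
# against what the guide says each EMS HA node should show. The sample output
# below is constructed; apart from the four units the guide names for the
# secondary node, service names and descriptions are placeholders.

# Units the guide says are the only ones running on the secondary EMS node.
SECONDARY_UNITS="fcems_monitor fcems_pgbouncer fcems_wspgbouncer redis-server"

# normalize: strip the bullet systemctl prefixes to failed units and the
# ".service" suffix, printing "unit active sub" for every service line on stdin.
normalize() {
    sed -e 's/^[[:space:]]*●[[:space:]]*//' \
        | awk '$1 ~ /\.service$/ { sub(/\.service$/, "", $1); print $1, $3, $4 }'
}

# check_secondary: succeed only if the running fcems/redis units on stdin are
# exactly SECONDARY_UNITS (anything else running means the node was installed
# as a primary, or a service that should be stopped is still up).
check_secondary() {
    local running expected
    running=$(normalize | awk '$2 == "active" && $3 == "running" { print $1 }' \
        | grep -E '^(fcems_|redis)' | sort | tr '\n' ' ')
    expected=$(printf '%s\n' $SECONDARY_UNITS | sort | tr '\n' ' ')
    [ "$running" = "$expected" ]
}

# check_primary: every fcems_* unit on stdin must be active/running;
# postgresql.service showing "exited" is expected (the guide explains it only
# forwards commands to the version-specific PostgreSQL unit); anything else
# that is not running is reported. Returns 1 if any problem was printed.
check_primary() {
    local lines unit active sub problems=0
    lines=$(normalize)
    while read -r unit active sub; do
        case "$unit" in
            fcems_*)
                if [ "$active $sub" != "active running" ]; then
                    echo "not running: $unit ($active/$sub)"; problems=1
                fi ;;
            postgresql)
                [ "$sub" = "exited" ] || [ "$sub" = "running" ] || { echo "unexpected: $unit ($active/$sub)"; problems=1; } ;;
        esac
    done <<< "$lines"
    return $problems
}

# Constructed sample of the filtered systemctl output on a secondary node
SAMPLE_SECONDARY='  fcems_monitor.service      loaded active   running EMS monitor (placeholder description)
  fcems_pgbouncer.service    loaded active   running EMS pgbouncer (placeholder description)
  fcems_wspgbouncer.service  loaded active   running EMS websocket pgbouncer (placeholder description)
  redis-server.service       loaded active   running Advanced key-value store'

# Constructed sample from a primary where a placeholder unit failed to start
SAMPLE_PRIMARY_BAD='  apache2.service            loaded active   running The Apache HTTP Server
● fcems_example.service      loaded failed   failed  EMS placeholder service
  fcems_monitor.service      loaded active   running EMS monitor
  postgresql.service         loaded active   exited  PostgreSQL RDBMS
  redis-server.service       loaded active   running Advanced key-value store'

# Demo when run directly with --demo; on a real node pipe systemctl output in instead
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SECONDARY" | check_secondary && echo "secondary: OK"
    printf '%s\n' "$SAMPLE_PRIMARY_BAD" | check_primary || echo "primary: problems found"
fi
```

On a live node, run systemctl --all --type=service | grep -E 'fcems|apache|redis|postgres' | check_primary (or check_secondary) after sourcing the script; a non-zero exit with the printed unit names is the signal to inspect journalctl for that unit before continuing with the GUI configuration.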
1. In a browser, go to https://localhost.
2. By default, the admin user account has no password. Sign in with the username admin and no password.
3. You must now create a new set of credentials for increased security. Create a username and password following
the rules shown. Click Submit.
- If you imported a secure SSL certificate to EMS, but configure it in Endpoint Control certificate. See Configuring
You can configure a fully qualified domain name (FQDN) for EMS.
FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal
devices. For external devices or devices that may leave the internal network, you must consider how to maintain this
connection. FortiClient can connect to EMS using an IP address or FQDN. An FQDN is preferable for the following
reasons:
- Easy to migrate EMS to a different IP address
- Easy to migrate to a different EMS instance
- Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day.
When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address
and register your external IP address with public DNS servers. You must then configure the device with your external IP
address to forward communication received on port 8013 to your EMS internal IP address. This allows your external
clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use
the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration requires external clients to
establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all
endpoints need an urgent update but some are disconnected from VPN at that time.
You can also configure FortiClient EMS so that you can access it remotely using a web browser instead of the GUI.
There are several licensing options available with FortiClient EMS. You can use these licenses to manage Windows,
macOS, Linux, iOS, Android, or Chromebook endpoints. For information on the different license types available, see
License types on page 22.
There are two ways to activate, upgrade, or renew a FortiClient EMS license:
- Licensing EMS by logging in to FortiCloud on page 79: You can log in to your FortiCloud account to activate
EMS using that account. Once an EMS license expires, EMS uses the FortiCloud account to obtain a new license
file, if available on that account. You can use this method to apply a trial or paid license to EMS. This is the primary
licensing method for EMS.
- Uploading a license file on page 84: You can upload a license file to EMS. This functions in the same way as
EMS versions prior to 6.2.0. You must use this backup licensing method only if you cannot license EMS by logging
into FortiCare.
You must activate an EMS license before you can manage and provision any endpoints with EMS.
You can license an EMS instance that is in an isolated environment and completely isolated from the Internet using an
Air-Gap license. To obtain an Air-Gap license, contact Fortinet Customer Service & Support.
Although the option to upload a license file is available in the EMS GUI, FortiCloud does not
provide EMS 7.4 license files. You cannot use this option to activate, upgrade, or renew an
EMS 7.4 license.
If you attempt to license EMS with a license that only later versions support, a Future License
error appears. For example, this error displays if you attempt to license EMS 6.4.2 or an
earlier version with a zero trust network access license.
You must license FortiClient EMS to use it for endpoint management and provisioning.
The following steps assume that you have already acquired an EMS installation file from FortiCloud or a Fortinet sales
representative for evaluation purposes and installed EMS.
1. In EMS, in the License Information widget, click Add beside FortiCloud Account.
2. In the FortiCloud Registration dialog, enter your FortiCloud account credentials. If you do not have a FortiCloud
account, create one.
3. Read and accept the license agreement terms.
4. Click Login & Sync License Now. If your FortiCloud account is eligible for an EMS trial license, the License
Information widget updates with the trial license information, and you can now manage three Windows, macOS,
Linux, iOS, and Android endpoints indefinitely.
The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a
Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Asset Management.
3. Click Register More.
4. In the Registration Code field, enter the Contract Registration Code from your service registration document.
Configure other fields as required, then click Next.
i. Click Register.
ii. In the Hardware ID field, enter the hardware ID found in Dashboard > Status > License Information widget
> Config License in EMS. If you register the license prior to installing EMS, you must enter the hardware
ID after installation. Configure other fields as required, then click Next.
iii. Complete the registration, then click Confirm.
iv. In EMS, go to Dashboard > Status > License Information widget > Config License.
v. For License Source, select FortiCare.
vi. In the FortiCloud Account field, enter your FortiCloud account ID or email address.
vii. In the Password field, enter your FortiCloud account password.
viii. Click Login & Update License. Once your account information is authenticated, EMS updates Configure
License with the serial number and license information that it retrieved from FortiCloud.
- As Windows, macOS, and Linux licenses on page 23 describes, you can apply multiple license types to the
same EMS server. For example, if you have already applied an EPP license to your EMS server, you can apply
another license type, such as a ZTNA license, to the same EMS server. If desired, add another license type:
i. On the Registration Confirmation page, when applying an additional license type, you must select Renew
on the contract registration screen, regardless of the license types of the first and subsequent licenses.
Selecting Renew combines the new license with any existing licenses for the EMS server and allows you
to add the new license type to EMS while retaining previously applied license(s).
ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can
find the serial number in Dashboard > Status > License Information widget > Configure License in EMS.
Click Next.
iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset
management pages:
Using a second license to extend the license expiry date does not increase the number of licensed clients. To
increase the number of licensed clients, contact Fortinet Support for a co-term contract.
If you previously activated another license with the same EMS hardware ID, you receive a
duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from
the old license.
You may want to apply multiple paid licenses of the same type to EMS at the same time. For example, if you want EMS to
manage 525 ZTNA endpoints, you can purchase two ZTNA licenses: one for 500 endpoints and another for 25
endpoints. In this scenario, you must register the licenses at the same time.
The following steps assume that you have already purchased and acquired your EMS and FortiClient licenses from a
Fortinet reseller.
1. Log in to your FortiCloud account on Customer Service & Support.
2. Go to Register Product.
3. In the Registration Code field, enter the Contract Registration Codes from your service registration documents.
Separate the codes with a comma. For example, to register the 3922U and 1057U codes in the following
screenshots, you would enter 3922U,1057U in the Registration Code field. Configure other fields as required, then
click Next.
ii. In the Serial Number field, enter the EMS serial number or select the EMS instance from the list. You can
find the serial number in Dashboard > Status > License Information widget > Configure License in EMS.
Click Next.
iii. Complete the registration, then click Confirm.
EMS reports the following information to FortiCare. FortiCloud displays this information in its dashboard and asset
management pages:
Using a second license to extend the license expiry date does not increase the number of licensed clients. To
increase the number of licensed clients, contact Fortinet Support for a co-term contract.
If you previously activated another license with the same EMS hardware ID, you receive a
duplicated UUID error. In this case, contact Customer Support to remove the hardware ID from
the old license.
FortiFlex, formerly Flex-VM, is a subscription service to configure and manage virtual machine (VM) usage entitlements.
You can now import an EMS license via a FortiFlex VM token. You can easily manage entitlements (license seats and
expiry) from the FortiFlex portal. You can monitor point usage on the FortiFlex portal, which helps to keep track of your
costs and billings.
FortiFlex only supports on-premise EMS and per-endpoint licensing.
1. Register a contract for the FortiFlex program on your FortiCloud account. For FortiFlex ordering information, see
the FortiFlex Ordering Guide.
2. Create a configuration for EMS:
a. In the FortiFlex portal, go to Services > FortiFlex > Configurations.
b. Under Form Factor, select Virtual Machines.
c. Under Product Type, select FortiClient EMS - Per Endpoint.
d. Configure the desired name, then click Next.
e. Assign license seats as desired, then proceed to save. FortiFlex creates the configuration.
You must use this backup licensing method only if you cannot license EMS by logging into FortiCare.
Contact Fortinet Support to activate, upgrade, or renew your FortiClient EMS license. After you have the license file, you
can add it to FortiClient EMS.
1. Go to Dashboard > Status > License Information widget > Configure License.
2. For License Source, select File Upload.
3. Click Browse and locate the license key file.
4. Click Upload.
If you are deploying EMS in an air-gapped or isolated network where EMS cannot access the Internet, you can configure
EMS to receive updates from FortiManager to deploy to FortiClient. In offline mode, FortiManager allows export and
import of FortiGuard packages from FortiManager for provisioning as a FortiGuard distribution server. You can export
FortiGuard packages from an online FortiManager to import to an offline FortiManager that provides signature, engine,
and FortiClient installer updates to EMS. EMS receives AntiVirus, Web Filter, Application Firewall, Vulnerability Scan,
and Sandbox signatures and engines updates and FortiClient installers from FortiManager and deploys updates to
FortiClient while in an air-gapped or isolated network.
This feature is also useful if you have experienced hardware failure and need to install EMS on another server. Fortinet
customer support can provide a key file to allow you to apply your original license to EMS on the new server.
1. Contact Fortinet Customer Service & Support. Provide them with your original EMS license file and the IP address
of the new machine where you install EMS. They provide you with a key file.
2. Install EMS. See Installing FortiClient EMS.
3. Go to System Settings > EMS settings. Ensure that the value in the Listen on IP field matches the IP address that
you gave to Customer Service & Support in step 1. Otherwise, EMS cannot validate the key file.
4. In EMS, on the License Information widget, select Config License.
5. For License Source, select File Upload.
6. In License File, browse to and upload your original license file.
7. EMS detects that the hardware ID associated with the license has changed and prompts you to upload the key file.
Browse to and upload the key file that Customer Service & Support provided to you. If the key file matches the
license file, the EMS license is activated.
License status
The Dashboard > Status > License Information widget displays your license statuses. EMS supports multiple licenses,
including separate licenses for Telemetry and endpoint protection and management, for FortiClient Cloud Sandbox
(SaaS) integration, and for Chromebook endpoint management. Each license's status can change. The options are:
Unlicensed: If you just installed FortiClient EMS, EMS is unlicensed by default. Log in to your
FortiCloud account or upload a license file to update the license status.
Non-expired license: You can upgrade the license on your FortiCloud account.
Expired license: You can renew the license on your FortiCloud account.
You have ten days after the license expiry date to renew the license. During this
grace period, the License Information widget displays the expiry date, which has
already passed, and FortiClient EMS functions as if the license has not expired.
FortiClient EMS also displays a daily notification that the license has expired and
that you are currently using FortiClient EMS as part of the ten day grace period.
After ten days, FortiClient EMS reverts to unlicensed mode for that license.
After applying a trial license to EMS, you can purchase a license and register the EMS installation on your FortiCloud
account as described in To apply a paid license to FortiClient EMS: on page 79, then click Sync License Now in Dashboard
> Status > License Information widget > Configure License to apply the paid license to EMS.
For licensing issues with FortiClient EMS, contact the licensing team at Fortinet Technical Assistance Center (TAC):
- Phone: +1-866-648-4638
- Technical support: support.fortinet.com/
To uninstall EMS:
Run the following command in the Linux terminal with sudo privileges:
sudo apt remove -y forticlientems
The following sections only apply if you plan to use FortiClient EMS to manage Chromebooks:
This section describes how to add and configure the FortiClient Web Filter extension on Chromebooks enrolled in the
Google domain.
Following is a summary of how to set up the Google Admin console:
1. Log into the Google Admin console. See Logging into the Google Admin console on page 87.
2. Add the FortiClient Web Filter extension. See Adding the FortiClient Web Filter extension on page 88.
3. Configure the FortiClient Web Filter extension. See Configuring the FortiClient Web Filter extension on page 89.
4. Add the root certificate. See Adding root certificates on page 90.
If you are using another Chromebook extension that uses external rendering servers, the
FortiClient Web Filter settings may be bypassed. Check with the third-party extension vendor if
this is the case.
Log into the Google Admin console using your Google domain admin account. The Admin console displays.
FortiClient EMS software is unavailable for public use. You can only enable the feature using
the following extension ID: igbgpehnbmhgdgjbhkkpedommgmfbeao
1. In the Google Admin console, go to Devices > Chrome > Settings > Apps & extensions > Managed guest sessions.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. In the bottom right corner, hover over the + icon, then select Add Chrome app or extension by ID.
4. In the Extension ID field, enter the following extension ID: igbgpehnbmhgdgjbhkkpedommgmfbeao.
5. Click SAVE. The extension displays, with the Force install installation policy.
You must configure the FortiClient Chromebook Web Filter extension to enable the Google Admin console to
communicate with FortiClient EMS.
FortiClient EMS hosts the services that assign endpoint profiles of web filtering policies to groups in the Google domain.
FortiClient EMS also handles the logs and web access statistics that the FortiClient Web Filter extensions send.
For instructions on configuring the extension for connection to FortiClient Cloud, see
Managing Chromebooks with FortiClient Cloud.
1. In FortiClient EMS, locate the server name and port by going to System Settings > EMS Settings.
2. Create a text file that contains the following text:
{
"ProfileServerUrl": { "Value": "https://< ProfileServer >:< port for Profile Server >"}
}
For example:
{
The FortiClient Chromebook Web Filter extension communicates with FortiClient EMS using HTTPS connections. The
HTTPS connections require an SSL certificate. You must obtain an SSL certificate and add it to FortiClient EMS to allow
the extension to trust FortiClient EMS.
If you use a public SSL certificate, you only need to add the public SSL certificate to FortiClient EMS. See Adding an SSL
certificate to FortiClient EMS on page 488.
However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiClient EMS
and push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the
FortiClient Chromebook Web Filter extension and FortiClient EMS does not work. See Uploading root certificates to the
Google Admin console on page 92.
This section applies only if you are sending logs from FortiClient to FortiAnalyzer. If you are not sending logs, skip this
section.
Sending logs to FortiAnalyzer requires you enable ADOMs in FortiAnalyzer and add
FortiClient EMS to FortiAnalyzer. You can add FortiClient EMS as a device to the FortiClient or
Fabric ADOM in FortiAnalyzer. See the FortiAnalyzer Administration Guide.
FortiClient supports logging to FortiAnalyzer. If you have a FortiAnalyzer and configure FortiClient to send logs to
FortiAnalyzer, a FortiAnalyzer CLI command must be enabled and an SSL certificate is required to support
communication between the FortiClient Web Filter extension and FortiAnalyzer.
If you use a public SSL certificate, you only need to add the public SSL certificate to FortiAnalyzer. See Adding an SSL
certificate to FortiAnalyzer.
However, if you prefer to use a certificate not from a common CA, you must add the SSL certificate to FortiAnalyzer and
push your certificate's root CA to the Google Chromebooks. Otherwise, the HTTPS connection between the FortiClient
Chromebook Web Filter extension and FortiAnalyzer does not work. See Uploading root certificates to the Google Admin
console on page 92.
The FortiAnalyzer IP address should be specified in the SSL certificate. If you are using a
public SSL certificate, the FortiAnalyzer IP address can be assigned to Common Name or
Alternative Name. If you are using a self-signed (nonpublic) SSL certificate, your certificate's
Subject Alternative Name must include IP:<FortiAnalyzer IP>.
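The script below is an added example, not part of the FortiClient EMS guide: it builds a self-signed test certificate whose Subject Alternative Name carries the FortiAnalyzer IP as the note above requires, and checks any certificate for that entry before it is uploaded. faz.example.com and 192.0.2.10 are constructed placeholders; the functions need OpenSSL 1.1.1 or later.

```bash
#!/bin/bash
# Added example, not from the FortiClient EMS guide: build a self-signed test
# certificate whose Subject Alternative Name carries the FortiAnalyzer IP, as the
# note above requires for nonpublic certificates, and check any certificate for
# that entry before uploading it. faz.example.com and 192.0.2.10 are constructed
# placeholders. Needs OpenSSL 1.1.1 or later (-addext and -ext).

# make_test_cert DIR IP HOSTNAME: write DIR/key.pem and DIR/cert.pem with
# SAN = DNS:HOSTNAME, IP:IP. Putting the IP only in the CN is not enough for a
# self-signed certificate; it has to be an IP entry in the SAN.
make_test_cert() {
    local dir="$1" ip="$2" host="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=${host}" \
        -addext "subjectAltName=DNS:${host},IP:${ip}" >/dev/null 2>&1
}

# san_has_ip CERT IP: succeed if the certificate's SAN contains IP as an IP
# entry. openssl prints such entries as "IP Address:x.x.x.x" (not "IP:"), so a
# naive grep for "IP:192.0.2.10" would never match; DNS entries are ignored.
san_has_ip() {
    local cert="$1" ip="$2"
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "IP Address:${ip}"
}

# Demo: generate a certificate and verify it, when run with --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_cert "$work" 192.0.2.10 faz.example.com
    if san_has_ip "$work/cert.pem" 192.0.2.10; then
        echo "cert.pem carries IP:192.0.2.10 in its SAN"
    else
        echo "cert.pem lacks the FortiAnalyzer IP in its SAN"
    fi
    rm -rf "$work"
fi
```

Before uploading a certificate to FortiAnalyzer, run san_has_ip against it with the FortiAnalyzer address; a certificate that only names the IP in its Common Name fails the check, which is exactly the case the note above rules out for self-signed certificates.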
You must use the FortiAnalyzer CLI to add HTTPS-logging to the allow-access list in FortiAnalyzer. This command is
one step in the process that allows FortiAnalyzer to receive logs from FortiClient.
In FortiAnalyzer CLI, enter the following command:
config system interface
edit "port1"
set allowaccess https ssh https-logging
next
end
The following table summarizes where to add certificates to support communication with the FortiClient Web Filter
extension and FortiAnalyzer.
1. In the Google Admin console, go to Device Management > Network > Certificates (root certificate) (crt certificate).
2. Add the root certificate.
3. Select the Use this certificate as an HTTPS certificate authority checkbox.
Do not forget to select the Use this certificate as an HTTPS certificate authority checkbox.
Disabling access to Chrome developer tools is recommended. This blocks users from disabling the FortiClient Web Filter
extension.
1. In the Google Admin console, go to Devices > Chrome > Settings > Users & browsers.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. In User & Browser Settings, for the Developer tools option, select Never allow use of built-in developer tools.
When users browse in incognito mode, Chrome bypasses extensions. You should disallow incognito mode for managed
Google domains.
1. In the Google Admin console, go to Devices > Chrome > Settings > Users & browsers.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. In User & Browser Settings, under Security, set Incognito mode to Disallow incognito mode.
4. Click Save.
1. In the Google Admin console, go to Devices > Chrome > Settings > Device.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. Under Sign-in settings, for Guest mode, select Disable guest mode.
4. Click Save.
You should block users from ending processes with the Chrome task manager for managed Google domains.
1. In the Google Admin console, go to Devices > Chrome > Settings > Users & browsers.
2. On the left, select the organization that contains the desired users or enrolled browsers. To select all users and
browsers, select the top-level organization. Otherwise, select a child.
3. In User & Browser Settings, under Task manager select Block users from ending processes with the Chrome task
manager from the dropdown list.
4. Click Save.
After you add the Google domain to FortiClient EMS, the Google Admin console automatically pushes the FortiClient
Web Filter extension to the Chromebooks when users log into the Google domain. You can verify the feature has
become available on the Chromebooks.
3. Visit any gambling site, such as https://www.777.com, and confirm the site is blocked.
FortiClient EMS requires service account credentials that the Google Developer console generates. You can use the
default service account credentials provided with FortiClient EMS or generate and use unique service account
credentials, which is more secure.
The service account credentials must be the same in FortiClient EMS and the Google Admin
console.
FortiClient EMS includes the following default service account credentials that the Google Developer console generates:
Service account certificate: A certificate in .pem format for the service account credentials.
The service account credentials are a set. If you change one credential, you must change the
other two credentials.
To configure the default service account credentials, you must add the client ID's default value to the Google Admin
console. Service account credentials do not require other configuration. See Delegating domain-wide authority to the
service account on page 101.
When using unique service account credentials for improved security, you must complete the following steps to add the
unique service account credentials to the Google Admin console and FortiClient EMS:
1. Create unique service account credentials using the Google Developer console. See Creating unique service
account credentials on page 95.
2. Add the unique service account credentials to the Google Admin console. See Delegating domain-wide authority to
the service account on page 101.
3. Add the unique service account credentials to FortiClient EMS. See Adding service account credentials to EMS on
page 103.
Creating a unique set of service account credentials provides more security. Unique service account credentials include
the following:
l Client ID (a long number)
l Service account ID (email address)
l Service account certificate (a certificate in .pem format)
b. Select your organization, if you see an organization dropdown list. Click New Project.
c. In the Project name field, enter your project name, then click Create.
b. Under Google Workspace APIs, search for Admin SDK API and enable it.
After enabling the Admin SDK API, the console displays a message indicating: To use this API, you may need
credentials.
b. From the Service account list, select New Service Account. Enter a service account name.
d. Edit the created service account and go to Keys. Click Add Key to create a P12 private key.
e. Save the private key and note the private key password, "notasecret".
The private key with the P12 extension is the only copy you receive. Keep it in a safe
place. You should also remember the password prompted on the screen. At this time,
that password should be notasecret.
6. Edit the service account you just created and expand Advanced settings. There is a Domain-wide Delegation
message and step-by-step guide.
To use the private key in EMS, you must convert it to .pem format. You can use the following
openssl command to convert it. Remember to use the notasecret password.
C:\OpenSSL-Win64\bin>openssl pkcs12 -in demo-976b9d6e9328.p12 -out serviceAccount-demo.pem -nodes -nocerts
Enter Import Password:
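The following is an added example, not part of the Fortinet guide: it wraps the same openssl conversion in a shell function so that the PEM written by -nodes (which has no passphrase) is created readable only by the current user, and it verifies that the output parses as a private key before you upload it to EMS. It assumes openssl is on PATH, that the P12 password is notasecret as the guide states, and that the file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fortinet guide: the same conversion the guide
# performs with openssl, wrapped so that the unencrypted PEM (-nodes) is created
# with owner-only permissions and verified to parse as a private key before it
# is uploaded to EMS. Assumptions: openssl is on PATH, the P12 password is
# "notasecret" as stated in the guide, and the file names are placeholders.

# Usage: p12_to_pem <input.p12> <output.pem> [password]
p12_to_pem() {
    p12_file="$1"
    pem_file="$2"
    password="${3:-notasecret}"

    # -nodes writes the key without a passphrase, so make the output 0600 at
    # creation time instead of tightening permissions after the fact.
    old_umask=$(umask)
    umask 077
    openssl pkcs12 -in "$p12_file" -out "$pem_file" -nodes -nocerts \
        -passin "pass:$password"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Confirm the result is a parseable private key (the PEM also carries
    # "Bag Attributes" lines copied from the P12, which the PEM parser ignores).
    openssl pkey -in "$pem_file" -noout >/dev/null 2>&1
}
```

Run it as p12_to_pem demo-976b9d6e9328.p12 serviceAccount-demo.pem and then browse to the resulting .pem file in the EMS Private key field. Because the PEM is unencrypted, delete it once EMS has accepted it and keep only the original .p12 in a safe place, as the guide advises.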
This section describes how to delegate domain-wide authority to the service account in the Google Admin console.
These settings allow Google to trust FortiClient EMS, which enables FortiClient EMS to retrieve information from the
Google domain.
1. In the Google Admin console, go to Menu > Security > Access and data control > API controls.
The API scopes are case-sensitive and must be lowercase. You may need to copy the
string into a text editor and remove spaces created by words wrapping to the second
line in the PDF.
c. Click Authorize.
This section describes how to add the service account ID and service account certificate from the service account credentials to FortiClient EMS.
The default service account credentials display. Overwrite the default settings with the unique set of service account credentials received from Fortinet.
3. The Service account field shows the configured email address provided for the service account credentials. Click the Update service account button and configure the following information:
Service Account Email: Enter a new email address for the service account credentials.
Private key: Click Browse and select the certificate provided with the service account credentials.
4. Click Save.
The service account credentials are a set. If you change one credential, you must change the
other two credentials.
On the EMS server, run the following CLI command to verify the services are bound to a port:
sudo lsof -nP -i:8013
Option Description
-n Do not resolve hostnames; show numerical addresses.
-P Do not convert port numbers to port names.
-i Selects network files; the :8013 suffix restricts the listing to that port.
The following shows that EMS Linux is listening on port TCP/8013 on a particular interface, 192.168.1.22 in this case. The PID is 113194 and the command is ecsocksrv.
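The following is an added example, not part of the Fortinet guide: a small parser for the output of the lsof command above that reports which command owns the listener on the given port and on which address, and that fails when nothing is listening or when the listener is bound to every interface instead of to one address. The sample output is constructed to match the description above (PID 113194, command ecsocksrv, 192.168.1.22:8013); the user name and device numbers in it are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fortinet guide: parse the output of
# "lsof -nP -i:<port>" and report which command owns the LISTEN socket on
# which address. It fails when nothing is listening, and separately when the
# listener is bound to every interface (0.0.0.0, *, or [::]) rather than to
# one address, which is the case the guide's sample describes.
# SAMPLE_LSOF_OUTPUT is constructed to match the guide's description:
# PID 113194, command ecsocksrv, address 192.168.1.22, port TCP/8013.

SAMPLE_LSOF_OUTPUT='COMMAND     PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ecsocksrv 113194 forticlient  12u  IPv4 987654      0t0  TCP 192.168.1.22:8013 (LISTEN)'

# Reads lsof output on stdin; prints "<command> <pid> <address>" for each
# LISTEN line on the given port.
# Exit status: 0 listener on a specific address, 1 no listener, 2 wildcard bind.
listener_summary() {
    awk -v port="$1" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") {
            addr = $(NF-1)
            sub(/:[0-9]+$/, "", addr)          # strip the port suffix
            print $1, $2, addr
            found = 1
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wildcard = 1
        }
        END { if (!found) exit 1; if (wildcard) exit 2 }'
}

# Live check on the EMS host itself (needs lsof and sudo; not exercised here).
check_ems_listener() {
    port="${1:-8013}"
    sudo lsof -nP -i:"$port" | listener_summary "$port"
}

# Offline demonstration against the constructed sample.
demo_listener_summary() {
    printf '%s\n' "$SAMPLE_LSOF_OUTPUT" | listener_summary 8013
}
```

On the EMS server, check_ems_listener 8013 prints ecsocksrv, its PID, and the bound address, and its exit status tells you whether the Telemetry port is exposed on one interface or on all of them.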
Banner
Option Description
Activate License to Enable Features: Displays if you have not applied a license to FortiClient EMS. Click the link to access Configure License, where you can apply a license by logging in to your FortiCloud account or uploading a license file. See Licensing FortiClient EMS on page 78.
SSL Certificate is not secure: Displays if a secure SSL certificate has not been imported to FortiClient EMS. Click the link to go to the EMS Settings page, where you can import a license. See Configuring EMS settings on page 472.
Invitations: You can configure invitation codes that endpoint users can use to connect to EMS. See Invitations on page 454.
Multitenancy site: If multitenancy is enabled and you are logged into an account that can access multiple sites, you can go to another site by selecting it from a dropdown list. If you are logged in to the global site, you can also configure sites. See Multitenancy on page 500.
Help icon
Getting Started: Provides access to links to the FortiClient EMS Release Notes and other resources.
Create Support Package: Create a support package to provide to the Fortinet technical support team for troubleshooting.
FortiGuard: View list of engine and signature versions for this version of FortiClient EMS.
Bell icon: Click the bell icon to display all alert logs.
<Logged in username>: Click the dropdown list beside the <logged in username> to do one of the following:
l Change the password for this user. Enter a new password that complies
Left pane
The left navigation pane displays content in the right pane. The following describes the left pane when multitenancy is
disabled. For descriptions of the left pane with multitenancy enabled, see Left pane with multitenancy enabled on page
502.
Option Description
Dashboard
Vulnerability Scan Displays the Current Vulnerabilities Summary chart that provides
a centralized vulnerability summary for all managed endpoints.
You can observe high-risk hosts and critical vulnerabilities
existing on endpoints. You can also access links on how to fix or
repair the vulnerabilities.
Endpoints
Group Assignment Rules Configure rules to automatically place endpoints into custom
groups based on their installer ID, IP address, or OS.
Google Domains Only available if the EMS for Chromebooks Settings option is
enabled in System Settings > EMS Settings.
Domains Manage users from specific Google domains. You can also add a
Google domain if none exist.
Manage Policies Create endpoint policies and manage policy updates for
Windows, macOS, and Linux endpoints.
Chromebook Policy Create endpoint policies and manage policy updates for
Chromebook endpoints. Only available if the EMS for
Chromebooks Settings option is enabled in System Settings >
EMS Settings.
Endpoint Profiles
Manage Profiles Create profiles and manage profile updates for all profiles.
Software Inventory
Quarantine Management
Allowlist View and delete allowlisted files from the Allowlist pane.
Administration
Admin Roles Add and manage FortiClient EMS admin roles and permissions.
User Settings Configure the inactivity timeout and other user settings.
Log Viewer View log messages generated by FortiClient EMS and download
raw logs.
System Settings
EMS Settings Change the IP address and port and configure other EMS
settings for FortiClient EMS, including enabling Chromebook
management.
Log Settings Specify what level of log messages to capture in FortiClient EMS
logs and when to automatically delete logs and alerts.
Custom Messages Customize the message that displays on an endpoint when it has
been quarantined by FortiClient EMS
Content pane
The right pane displays the user interface controls that correspond to the selection made in the left pane. The status and menu icons at the top right display controls that you can use to configure additional settings for user management and each individual endpoint.
You can use the Dashboard to view summary information about the system and endpoints. You can view summary
information about vulnerability scans on endpoints.
2. For most Status widgets, clicking a donut chart section leads to the Endpoints pane. The Endpoints pane displays
with more details about the endpoints that belong to the selected donut chart section. See Viewing the Endpoints
pane on page 131.
3. Click a section of the Endpoint Alerts widget. The Endpoint Event Summary displays with more details about the
endpoints that belong to that chart section. The endpoint details that display on this page depend on the endpoint
alert type. In the example, the selected alert was that the AV signature on the endpoint is out-of-date. Therefore,
Endpoint Event Summary displays the current installed AV signature version and the latest available AV signature
version that you can upgrade the endpoint to.
The following information displays in the System Information widget when multitenancy is disabled. If multitenancy is
enabled, this information displays in the global site System Information widget. See Global and per-site configuration on
page 501.
Option Description
Version: Version number for FortiClient EMS. Also displays the build number. If the current build is an interim build, also displays (Interim) beside the build number.
Database: Options to back up and restore the database. See To back up the database: on page 110 and To restore the database: on page 110.
System Time: Time and date that the computer where you installed FortiClient EMS uses.
Uptime: Number of days, hours, minutes, and seconds FortiClient EMS has been running.
FortiCloud Account: FortiCloud account that this EMS server is registered to. If EMS is not registered to a FortiCloud account, you can log into an existing FortiCloud account or create a new FortiCloud account from this widget.
Zero Trust Access: Zero Trust Network Access (ZTNA) device-based license status. You can use this license for managing Windows, macOS, Linux, iOS, Android, and Chromebook endpoints. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
Next-Generation Endpoint Security: Endpoint Protection Platform (EPP) device-based license status. You can use this license for managing Windows, macOS, Linux, iOS, Android, and Chromebook endpoints. This license includes all features in the ZTNA license as well as more advanced features. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
Zero Trust Access User: ZTNA user-based license status. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
Next-Generation Endpoint Security User: EPP user-based license status. This license includes all features in the ZTNA license as well as more advanced features. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
FortiSASE User: FortiSASE user-based license status. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
Chromebook: Status of the Chromebook license for FortiClient EMS. You can use this license for managing Chromebook endpoints. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
Remote Access: VPN-only license status. When licensed, displays number of licenses used out of the total number of available licenses and the expiry date.
If you have just installed EMS, click Add beside FortiCloud Account to license by logging in to your FortiCloud account.
See License status on page 86.
For details on the features included with each license type, see Windows, macOS, and Linux licenses on page 23.
Status displays a number of pie charts. Each pie chart provides a summary of endpoint information. The sections in each
chart are links. You can click any section of the pie charts or any row in the table to display more details.
Available options may differ depending on the features you have enabled or disabled in
Feature Select. See Feature Select on page 494.
Option Description
Endpoint Charts
Endpoint Alerts: Shows the number of endpoints with alerts, including pending software updates, out-of-date protection, and out-of-sync profiles.
l Offline
Managed Mac FortiClient Versions: This chart indicates the percentage of macOS endpoints with each version of FortiClient installed. Sorting by version lists FortiClient versions from most recent to least recent. For example, FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on. Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed first.
Managed Windows FortiClient Versions: This chart indicates the percentage of Windows endpoints with each version of FortiClient installed. You can sort the data by version or count. Sorting by version lists FortiClient versions from most recent to least recent. For example, FortiClient 6.2.0 is listed first, then FortiClient 6.0.0, and so on. Sorting by count lists FortiClient versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with FortiClient 6.0.0 installed and 40 endpoints with FortiClient 6.2.0 installed, FortiClient 6.0.0 is listed first.
Managed Linux FortiClient Versions: This chart indicates the percentage of Linux endpoints with each version of FortiClient installed. You can sort the data by version or count.
Endpoint Management: This chart indicates how many endpoints are disconnected and connected.
Mac Operating Systems: This chart indicates the number of endpoints running each version of the macOS operating system. You can sort the data by version or count. Sorting by version lists macOS versions from most recent to least recent. For example, macOS 10.13 High Sierra is listed first, then macOS 10.12 Sierra, OS X 10.11 El Capitan, and so on. Sorting by count lists versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with macOS 10.12 Sierra installed and 40 endpoints with macOS 10.13 High Sierra installed, macOS 10.12 Sierra is listed first.
Windows Operating Systems: This chart indicates the number of endpoints running each version of the Windows operating system. You can sort the data by version or count. Sorting by version lists Windows versions from most recent to least recent. For example, Windows 10 is listed first, then Windows 8, Windows 7, and so on. Sorting by count lists versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Windows 7 installed and 40 endpoints with Windows 10 installed, Windows 7 is listed first.
Linux Operating Systems: This chart indicates the number of endpoints running each version of the Linux operating system. You can sort the data by version or count. Sorting by version lists Linux versions from most recent to least recent. For example, Ubuntu 18.10 is listed first, then Ubuntu 17.10, Ubuntu 16.04, and so on. Sorting by count lists versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Ubuntu 16.04 installed and 40 endpoints with Ubuntu 18.10 installed, Ubuntu 16.04 is listed first.
iPhone Operating Systems: This chart indicates the number of endpoints running each version of the iOS operating system. You can sort the data by version or count. Sorting by version lists iOS versions from most recent to least recent. For example, iOS 15 is listed first, then iOS 14, iOS 13, and so on. Sorting by count lists versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with iOS 9 installed and 40 endpoints with iOS 10 installed, iOS 9 is listed first.
Android Operating Systems: This chart indicates the number of endpoints running each version of the Android operating system. You can sort the data by version or count. Sorting by version lists Android versions from most recent to least recent. For example, Android 12 is listed first, then Android 11, Android 10, and so on. Sorting by count lists versions from the version with the largest number of endpoints to the version with the smallest number of endpoints. For example, if there are 600 endpoints with Android 10 installed and 40 endpoints with Android 11 installed, Android 10 is listed first.
FortiGuard Outbreak Alerts Service: This chart displays endpoints that are considered suspicious or compromised according to the outbreak alert rules that FortiClient EMS has received from FortiGuard. The chart displays the number of endpoints that are vulnerable to each outbreak. See FortiGuard Outbreak Alerts on page 383. You can drill down by clicking the outbreak bar. From here, you can quarantine the endpoint if desired.
Top 3 Lists
Antivirus Detection: This chart indicates the top three endpoints with AV alerts, including the number of AV alerts for each endpoint.
Sandbox Detection: This chart indicates the top three endpoints with FortiSandbox alerts, including the number of FortiSandbox alerts for each endpoint.
Vulnerability Detection: This chart indicates the top three endpoints with vulnerability alerts, including the number of vulnerabilities detected for each endpoint.
Web Filter Detection: This chart indicates the top three endpoints with web filter alerts, including the number of web filter alerts for each endpoint.
Go to Dashboard > Vulnerability Scan. Here you can view a variety of charts and widgets containing a summary of
vulnerability scan information from endpoints.
The Vulnerability Scan dashboard displays a number of charts. Each chart provides a summary of endpoint information.
The sections in each chart are links. You can click sections of the charts or any row in the table to display more details.
Chart Description
Top 10 Vulnerable Endpoints With High Risk Vulnerabilities: Displays the top ten vulnerable endpoints and the number of vulnerabilities detected on those endpoints, with associated severity levels.
Top 10 Vulnerabilities: Displays the top ten vulnerabilities and the number of hosts where the vulnerabilities have been detected. Click the vulnerability name to see information about the vulnerability on FortiGuard.
4. You can click any tile to display details for vulnerabilities of that type. In this example, click View 20 on the Operating
System tile to display all OS vulnerabilities and details:
Patch All Click this button to patch all vulnerabilities currently displayed on the content
pane. The vulnerabilities are patched with the next Telemetry communication
between FortiClient EMS and the endpoint.
Clear Filters Click to clear all filters applied to the list of vulnerabilities.
FortiGuard ID Displays the FortiGuard ID. Click the link to see information about the
vulnerability on FortiGuard.
Affected Endpoints Displays the number of endpoints that are affected by this vulnerability.
Patch Status You can click the Patch button to patch the selected vulnerability with the next
Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to one of
the following reasons:
l Third-party application vulnerabilities: incorrect or missing installation
paths
l OS vulnerabilities: Windows update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities
that were selected to be automatically patched as Scheduled instead of Failed.
You can filter the list of vulnerabilities by any column by clicking the filter icon beside the desired heading. Enter the
value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Any: Display any file that matches the set filter.
l Not: Display only files that do not match the set filter.
5. Return to Dashboard > Vulnerability Scan. You can also click a colored circle to view all vulnerabilities of the
selected severity level. The following shows all medium severity third party application vulnerabilities:
2. Click the Vulnerable section to view all vulnerabilities detected on vulnerable endpoints:
Patch All: Click this button to patch all vulnerabilities currently displayed on the content pane. The vulnerabilities are patched with the next Telemetry communication between FortiClient EMS and the endpoint.
Clear Filters: Click to clear all filters applied to the list of vulnerabilities.
Username: User that is currently logged into the endpoint where the vulnerability was detected.
Patch Status: You can click the Patch button to patch the selected vulnerability with the next Telemetry communication between FortiClient EMS and the endpoint. FortiClient may be unable to automatically patch the vulnerability due to one of the following reasons:
l Third-party application vulnerabilities: incorrect or missing installation paths
l OS vulnerabilities: Windows update service is disabled
In these cases, EMS may incorrectly display the status of these vulnerabilities that were selected to be automatically patched as Scheduled instead of Failed.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired heading.
Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Any: Display any file that matches the set filter.
l Not: Display only files that do not match the set filter.
3. Click a hostname. You can view all vulnerabilities detected on that endpoint. You can filter the list of vulnerabilities in
the same way that you can filter the list of vulnerable endpoints in step 2.
4. Go back, then click one of the sections under the Vulnerability column to view all vulnerabilities detected on the
selected endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint.
You can filter the list of vulnerabilities in the same way that you can filter the list of vulnerable endpoints in step 2.
Patch Status You can click the Patch button to patch the selected vulnerability with the next
Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerable Endpoints With High Risk Vulnerabilities chart
displays vulnerabilities per endpoint in a segmented bar graph and organized by severity.
Patch Status You can click the Patch button to patch the selected vulnerability with the
next Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to
one of the following reasons:
l Third-party application vulnerabilities: incorrect or missing
installation paths
l OS vulnerabilities: Windows update service is disabled
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Any: Display any file that matches the set filter.
l Not: Display only files that do not match the set filter.
b. Click one of the sections of the vulnerability bar graph to view all vulnerabilities detected on the selected
endpoint at the selected severity. The example displays all critical vulnerabilities for the selected endpoint. You
can filter the list of vulnerabilities in the same way that you can filter the list of vulnerabilities in option a.
1. Go to Dashboard > Vulnerability Scan. The Top 10 Vulnerabilities widget displays the type of vulnerability and how
many hosts the vulnerability has been detected on.
b. Click the number of hosts that are affected by a vulnerability. You can view a list of endpoints where the
vulnerability has been detected.
Clear Filters Click to clear all filters applied to the list of vulnerabilities.
Username User that is currently logged into the endpoint where the vulnerability was
detected.
Last Seen Time of the last Telemetry communication between FortiClient EMS and
the endpoint.
You can filter the list of vulnerable endpoints by any column by clicking the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Any: Display any file that matches the set filter.
l Not: Display only files that do not match the set filter.
Here, you can also click the hostname to view all detected vulnerabilities on that endpoint. You can filter the list
of vulnerabilities in the same way that you can filter the list of endpoints above.
Patch Status You can click the Patch button to patch the selected vulnerability with the
next Telemetry communication between FortiClient EMS and the endpoint.
If a patch is already scheduled for the vulnerability, this column displays
Scheduled.
If the vulnerability must be patched manually, this column displays Manual
Patch.
FortiClient may be unable to automatically patch the vulnerability due to
one of the following reasons:
l Third-party application vulnerabilities: incorrect or missing
installation paths
l OS vulnerabilities: Windows update service is disabled
Go to Dashboard > Forensics Analysis. Here you can view a variety of charts and widgets containing a summary of
Forensics analysis information from endpoints.
This feature requires the FortiGuard Endpoint Forensics Analysis license and for the FortiGuard Forensics Analysis
feature to be enabled.
Active Concurrent Forensics Analysis Requests: Number of active requests and available requests. You can only have five concurrent requests.
Forensics Analysis Status: Ticket status of each endpoint's forensics analysis task.
l Compromised
l Suspicious
Forensics Analysis Unread Reports: Number of endpoints for which reports are unread or not downloaded.
Top 10 Latest Forensics Analysis Reports: Analysis report, the time that it was updated, and the verdict.
You can drill down on the Forensics Analysis Status, Forensics Analysis Result, and Forensics Analysis Unread Reports
widgets by clicking into the charts.
Go to Dashboard > Vulnerability Scan. Here you can view a variety of charts and widgets containing a summary of
potentially unwanted application (PUA) information from endpoints.
This feature requires the Endpoint Protection Platform license and for the Software Inventory feature to be enabled.
Widget Description
Potentially Unwanted Applications Summary: Shows all detected PUAs categorized into the following:
l Illegal or unethical
l Cryptomining
l Hacking
l Unpopular
l Phishing
l Malicious
Endpoint PUA Status: Shows how many endpoints have PUAs and how many do not.
PUA Detection Timeline: Shows historical events related to PUA detection on a timeline. Hover over the red circles to see a popup with PUA detection count and the PUAs detected during that time period.
PUA Total Timeline: Shows line chart of PUA detection and uninstall events. Hover over the green circles to see a popup with PUA totals, PUA detection count, and three events in that time period.
Top 10 Hosts with PUAs: Displays the ten endpoints that have the most PUAs and the number of PUAs detected on those endpoints.
Top 10 Unwanted Applications: Displays the top ten most common PUAs and the number of hosts where the PUAs have been detected. Click the vulnerability name to see information about the vulnerability on FortiGuard.
You can drill down on information in the widgets. For example, for the Potentially Unwanted Applications Summary
widget, you can click the Unpopular section of the chart to view all unpopular PUAs detected on endpoints. From there,
you can further click a PUA to view all endpoints that have that PUA currently installed.
Chromebook Status displays a number of charts. Each chart provides a summary of Chromebook information. The
sections in each chart are links. You can click any chart section or table row to display details. Chromebook Status is
only available if you enabled System Settings > EMS Settings > EMS for Chromebooks Settings.
Option Description
User Charts
Webfilter Charts
Top 10 Violations by Category Displays the top ten web filter violations by category in the past few days. You can
configure the number of days. Go to System Settings > Logs.
Top 10 Violations by User Displays the top web filter violations by user in the past few days. You can
configure the number of days. Go to System Settings > Logs.
Most Searched Monitored Words Displays the top terms that users have searched that you have configured Web
Filter to monitor. See Web Filter on page 303.
Most Searched Blocked Words Displays the top terms that users have searched that you have configured Web
Filter to block. See Web Filter on page 303.
Others
FortiClient EMS needs to determine which devices to manage. For Windows, macOS, and Linux endpoints, device
information can come from an AD server, Windows workgroup, or manual FortiClient connection.
For Chromebooks, device information comes from the Google Admin console.
Managing groups
You can create groups to organize endpoints. You can also rename and delete groups.
The LDAP connection is read-only. These groups are local to EMS and are not seen in your Active Directory.
To create groups:
1. Go to Endpoints.
2. Right-click a domain or workgroup and select Create group. The Create group dialog displays.
3. In the Required field, enter a name for the group, and click Confirm.
To rename groups:
1. Go to Endpoints.
2. Right-click the group, and select Rename group. The Rename the group dialog displays.
3. In the Required field, enter the new name, and click Confirm.
To delete groups:
1. Go to Endpoints.
2. Right-click the group, and select Delete group. A confirmation dialog displays.
3. Click Yes.
Adding endpoints
To add endpoints using an Active Directory (AD) domain server, you must add an AD server to EMS in Administration >
Authentication Servers. See Adding an ADDS server on page 424.
To add endpoints using a Microsoft Entra ID (formerly known as Azure Active Directory (AD)) domain server, you must
add an Entra ID server to EMS in Administration > Authentication Servers. See Adding an Entra ID server on page 425.
6. Enable Import as Base Group for the desired groups, then click Save.
Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and
does not preserve the hierarchy from the Entra ID server.
Endpoint users can manually connect FortiClient Telemetry to FortiClient EMS by specifying the IP address for
FortiClient EMS in FortiClient. This process is sometimes called registering FortiClient to FortiClient EMS.
The FortiClient Telemetry gateway port may be appended to the gateway list address on
FortiClient and separated by a colon. When the port is not provided, FortiClient attempts to
connect to the IP address given using the default port. The default connection port in
FortiClient 6.0 and 6.2 is 8013. By default, FortiClient EMS listens for connection on port 8013.
Viewing endpoints
After you add endpoints to FortiClient EMS, you can view the list of endpoints in a domain or workgroup in the Endpoints
pane. You can also view details about each endpoint and use filters to access endpoints with specific qualities.
1. Go to Endpoints, and select All Endpoints, a domain, or workgroup. The list of endpoints, a quick status bar, and a
toolbar display in the content pane.
Not Installed Number of endpoints that do not have FortiClient installed. Click to display the
list of endpoints without FortiClient installed.
Not Registered Number of endpoints that are not connected to FortiClient EMS. Click to
display the list of disconnected endpoints.
Out-Of-Sync Number of endpoints with an out-of-sync profile. Click to display the list of
endpoints with out-of-sync profiles.
Security Risk Number of endpoints that are security risks. Click to display the list of
endpoints that are security risks.
Quarantined Number of endpoints that EMS has quarantined. Click to display the list of
quarantined endpoints.
Endpoints Click the checkbox to select all endpoints displayed in the content pane.
Show/Hide Heading Click to hide or display the following column headings: Device, User, IP,
Configurations, Connections, and Alerts and Events.
Show/Hide Full Group Path Click to hide or display the full path for the group that the endpoint belongs to.
Search All Fields Enter a value and press Enter to search for the value in the list of endpoints.
Filters Click to display and hide filters you can use to filter the list of endpoints.
Device Visible when headings are displayed. Displays an icon to represent the OS on
the endpoint, the hostname, and the endpoint group.
User Visible when headings are displayed. Displays the name and icon of the user
logged into the endpoint. Also displays the endpoint status:
• Online: endpoint has been seen within less than three keep alive timeouts.
• Away: endpoint has been offline for less than eight hours.
• Offline: endpoint has been offline for more than eight hours.
When using user-based licensing, you can use the dropdown list to view all
registered users for this endpoint. The dropdown list displays the verified user
and device username.
Configurations Visible when headings are displayed. Displays the name of the policy
assigned to the endpoint and its synchronization status.
Connections Visible when headings are displayed. Displays the connection status between
FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate,
displays the FortiGate hostname.
Alerts and Events Visible when headings are displayed. Displays FortiClient alerts and events for
the endpoint.
2. Click an endpoint to display its details in the content pane. The following dropdown lists display in the toolbar for the
selected endpoint:
Patch Click to patch all critical and high vulnerabilities on the selected endpoint.
Choose one of the following options:
• Selected Vulnerabilities on Selected Clients
• Selected Vulnerabilities on All Affected Clients
• All Critical and High Vulnerabilities
Action Click to perform one of the following actions on the selected endpoint:
• Request FortiClient Logs
• Request Diagnostic Results
• Update Signatures
• Download Available FortiClient Logs
• Download Available Diagnostic Results
• Deregister
• Quarantine
• Un-quarantine
• Exclude from Management
• Revoke Client Certificate. This action is only available if the ZTNA or EPP license is applied and for endpoints
running FortiClient 7.0.0 and later versions. Revoke the certificate that FortiClient is using to securely encrypt and
tunnel TCP traffic through HTTPS to the FortiGate. You may want to revoke a certificate if it becomes compromised
and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new
certificate signing request. See FortiClient in the Security Fabric on page 14.
• Clear Events
• Mark as Uninstalled
• Set Importance
• Set Custom Tags. This option is only available if you have already created a custom tag.
• Delete Device
• Send Message. See Sending endpoints one-way message on page 139.
The following tabs are available in the content pane toolbar when you select an endpoint, depending on which
FortiClient features are installed on the endpoint and enabled via the assigned profile:
Summary
<user name> Displays the name of the user logged into the selected endpoint. Also displays
the user's avatar, email address, and phone number if these are provided to
FortiClient on the endpoint. If the user's LinkedIn, Google, Salesforce, or other
cloud app account is linked in FortiClient, the username from the cloud
application displays. Also displays the group that the endpoint belongs to in
EMS.
Device Displays the selected endpoint's hostname. You can enter an alias if desired.
Last Seen Displays the last date and time that FortiClient sent a keep-alive message to
EMS. This information is useful if FortiClient is offline because it indicates
when the last keep-alive message occurred.
Location Displays whether the selected endpoint is on- or off-fabric. You can also view
any on-fabric detection rules that the endpoint is applicable for. See On-fabric
Detection Rules on page 183.
Network Status Displays the following information for the networks that the endpoint is
connected to:
• MAC address
• IP address
• Gateway IP address
Hardware Details Displays the hardware model, vendor, CPU, RAM, and serial number information for the endpoint
device, if available.
Security Posture Tags Displays which tags have been applied to the endpoint based on the security posture tagging
rules. See Security Posture Tags on page 367.
FortiGuard Outbreak Detections Displays which FortiGuard Outbreak tags have been applied to the endpoint based on
the FortiGuard Outbreak Alerts service rules. See FortiGuard Outbreak Alerts on page 383.
Connection Displays the connection status between the selected endpoint and FortiClient
EMS.
Classification Tags Displays classification tags that are currently assigned to the endpoint. You can also assign a
classification tag to the endpoint. Classification tags include the default importance level tags (low, medium, high, or
critical), and custom tags. An endpoint can only have one default importance tag assigned, but can have multiple
custom tags assigned. You can also unassign a tag from the endpoint, and create, assign, or delete a custom tag. To
create a new custom tag, click the Add button, enter the desired tag, then click the + button. When you create a tag, it
is available for assignment to all endpoints in the current site.
You can assign a classification tag to multiple endpoints by selecting the endpoints, then selecting Action > Set
Importance or Set Custom Tags.
Tags that FortiClient EMS receives from FortiAnalyzer also display under Classification Tags. See Sending endpoint
classification tags to FortiAnalyzer on page 144.
Classification Tags - Fabric Displays Fabric classification tags that are currently assigned to the endpoint. In a Fabric
deployment, FortiEDR can detect suspicious or compromised endpoint behavior, share that endpoint's security status
with EMS, and tag the affected endpoint on EMS. You can view these tags under Classification Tags - Fabric. You can
also unassign a tag from the endpoint. The following lists the predefined tags for FortiEDR use:
• FortiEDR_Malicious: FortiEDR has classified this endpoint as malicious.
• FortiEDR_Suspicious: FortiEDR has detected suspicious activity on this endpoint.
• FortiEDR_Likely_Safe: FortiEDR has detected this endpoint as likely to be safe.
• FortiEDR_Probably_Good: FortiEDR has determined that this endpoint
• Request Submitted
  • Pending: Forensic analysis request has been initiated. The Forensics team has not yet assigned it to an analyst.
• Running
  • In Progress: Forensics team has assigned the request to an analyst, who has begun working on it.
  • Failed: analyst could not connect to the endpoint.
  • Cancelled: indicates one of the following:
    • The analyst needed more information about the endpoint to perform the analysis.
    • The EMS administrator canceled the request.
  • Completed: analyst has completed analysis on the endpoint and shared the result in a PDF document. You can
  download the report
Third Party Features Displays which third party features are installed and running on the endpoint. This section
includes the status of FortiEDR on the endpoint. This information is only available for Windows endpoints.
Antivirus Events
Date Displays the cloud-based malware detection event's date and time.
Anti-Ransomware Events
Message Displays the anti-ransomware event's message. The message may say that
FortiClient detected ransomware on the endpoint, or that FortiClient restored a
file that the detected ransomware encrypted.
AntiExploit Events
Sandbox Events
Magnifying glass Click to view a more detailed report. See Viewing Sandbox event details on page 143.
Firewall Events
Videofilter Events
Vulnerability Events
Vulnerability Displays the vulnerability's name. For example, Security update available for
Adobe Reader.
Category Displays the vulnerability's category. For example, Third Party App.
Patch Type Displays the patch type for this vulnerability: Auto or Manual.
FortiGuard Displays the FortiGuard ID number. If you click the FortiGuard ID number, it
redirects you to FortiGuard where further information is provided if available.
PUA Events
Category Displays the PUA category that the application belongs to. PUA categories are
as follows:
• Illegal or unethical
• Cryptomining
• Hacking
• Unpopular
• Phishing
• Malicious
Date Displays the date that EMS detected the PUA. This column is available in
Events view.
Event Type Displays the event type, such as Detected (EMS detected the PUA) or
Uninstalled (the PUA was uninstalled from the endpoint). This column is
available in Events view.
System Events
The EMS administrator can send a one-way message to endpoints in a tagged group, endpoint group, or one endpoint.
For example, you may want to send a message to remind a user to upload an avatar to FortiClient. EMS sends the
message at the next keepalive interval. By default, this is 60 seconds.
The message can be in plain text or HTML format.
FortiClient logs a system event for when the user snoozes the message and when they acknowledge it.
You can use the quick status bar to quickly display filtered lists of endpoints on the Endpoints content pane.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup.
The list of endpoints and quick status bar display.
• Not Registered
• Out-Of-Sync
• Security Risk
• Quarantined
You can view each endpoint's details on the Endpoints content pane. For a description of the options on the Endpoints
content pane, see Viewing the Endpoints pane on page 131.
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or
workgroup displays.
2. Click an endpoint to display details about it in the content pane. Details about the endpoint display in the content
pane.
You can filter the list of endpoints displayed on the Endpoints content pane.
1. Go to Endpoints.
2. Click All Domains, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters. The filter options display. For text values, you can use a comma (,) to separate
values and an exclamation mark (!) to exclude a value. For buttons, hover the mouse over each button to view its
tooltip.
Tag Enter the tag(s) to include in the filter. This includes security posture
tagging and classification tags. See Security Posture Tags on page 367
and Viewing the Endpoints pane on page 131.
Name Enter the name(s) of the deployment package to include in the filter.
Status Click one or more deployment status buttons to include in the filter.
Selected status buttons are green. Hover the mouse over each button to
view its tooltip. Clear the status button to exclude the status from the filter.
Excluded status buttons are gray.
Policy
Status Click the policy status to include in the filter. Selected status buttons are
green. Choose between Synced and Out-Of-Sync. Clear the status button
to exclude the status from the filter. Excluded status buttons are gray.
Profile
Forensics
Enabled Click whether to filter the list by endpoints where the Forensics feature is
enabled or disabled.
Status Click one or more forensic analysis statuses to include in the filter.
Selected status buttons are green. Clear the status button to exclude the
status from the filter. Excluded status buttons are gray.
Verdict Click one or more forensic analysis verdicts to include in the filter. Selected
status buttons are green. Clear the verdict button to exclude the status
from the filter. Excluded verdict buttons are gray.
EMS
Status Click the status for FortiClient Telemetry connection to EMS to include in
the filter. Selected status buttons are green. Clear the status button to
exclude the status from the filter. Excluded status buttons are gray.
Events Select the events to include in the filter. The selected checkboxes beside
the events are included in the filter. Clear the checkbox beside the event to
exclude the event from the filter.
Features Enter the AV, Firewall, and/or vulnerability signature and/or engine to filter
for.
Bookmarks Displays the list of saved filter settings. Displays only after you have saved
a bookmark. Click the Bookmark button to name and save filter settings.
Click a bookmark to use the saved settings. Click the x beside a bookmark
to delete it.
Bookmark Click the Bookmark button to save the filter settings as a bookmark.
You can save filter settings as bookmarks, then select the bookmarks to use them.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu, and set filters.
4. Click the Bookmark button.
5. In the New Bookmark field, enter a name for the filter settings, and press Enter. The bookmark displays under
Bookmarks.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. The list of endpoints displays.
3. Click the Filters menu.
4. In the Bookmarks list, click a bookmark. The bookmark settings are used to filter the list of endpoints.
You can view a detailed report about a Sandbox event. EMS retrieves the report from FortiSandbox.
1. Go to Endpoints, and select All Domains, a domain, or workgroup. The list of endpoints for the selected domain or
workgroup displays.
2. Click an endpoint to display details about it in the content pane. Details about the endpoint display in the content
pane.
3. On the Sandbox Events tab, click the magnifying glass icon beside the desired Sandbox event. EMS displays a
detailed report about the Sandbox event.
4. Click Process Tree. For some events, you can see a graphical representation of the processes that the malware
created on FortiSandbox.
You can use tags for grouping and classifying endpoints, which can help with assessing incident impact and prioritizing
incidents by SOC analysts or SOAR playbooks.
You can assign a classification tag to an endpoint. Classification tags include the following:
• Default importance level tags (low, medium, high, or critical) to specify an endpoint's importance in the organization.
You can tag critical endpoints accordingly and monitor them for security incidents.
• Custom tags. You can create a maximum of eight custom tags. You can assign multiple custom tags to an endpoint
or group of endpoints.
FortiAnalyzer Fabric View shows tags for each endpoint. FortiAnalyzer FortiSoC playbook pulls endpoint information
from EMS using an EMS connector.
The following describes the process for configuring a classification tag and viewing the data in FortiAnalyzer:
1. Configure and apply classification tags to endpoints in EMS.
2. Configure FortiAnalyzer to receive the tags:
a. Configure the EMS-FortiAnalyzer Fabric connection.
b. Run the FortiSoC playbook to retrieve endpoint information from EMS.
By default, EMS tags all newly registered endpoints with the Low default importance tag.
1. In EMS, go to Endpoints.
2. To apply tags to a single endpoint, go to the desired endpoint. Under Classification Tags, to create a new custom
tag, click the Add button, enter the desired tag, then click the + button. You can also assign a new importance tag to
the endpoint.
3. To apply tags to multiple endpoints, select all desired endpoints, then select Action > Set Importance or Set Custom
Tags.
You can export endpoint information from EMS as a CSV file. You can use this data for compliance, software auditing,
and so on.
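As an added example (not code from the guide or from Fortinet), the following Python script audits such an export offline: it unwraps the export's triple-quoted values, derives each endpoint's Online/Away/Offline status from the rule given for the User column under Viewing endpoints, and flags endpoints whose client, AV signatures or policy are not current. The column names hostname, ip and last_seen, the sample rows, and the use of the 60-second keepalive interval as the keep-alive timeout are assumptions; the remaining column names follow the export header.

```python
"""Audit a FortiClient EMS CSV export: status from last-seen, plus sync/AV checks.

Added example, not part of the EMS guide or Fortinet tooling. Column names
follow the export header where they exist; hostname, ip and last_seen are
assumed names for this constructed sample.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed: the EMS keepalive interval (60 s by default per the guide) is the
# "keep alive timeout" used by the Online rule; Away/Offline split at 8 hours.
KEEPALIVE = timedelta(seconds=60)
ONLINE_LIMIT = 3 * KEEPALIVE
AWAY_LIMIT = timedelta(hours=8)

# Constructed sample modelled on the export: unquoted header, each value wrapped
# as """value""" (a quoted CSV field whose content is itself quoted), empty
# fields left blank. All values are fictional.
SAMPLE_EXPORT = "\n".join([
    "hostname,ip,last_seen,client_version_up_to_date,"
    "client_av_sig_version_up_to_date,client_policy_synced,"
    "vuln_events_count,vuln_events_max_severity",
    '"""Boromir""","""192.168.0.10""","""2023-06-15 20:50:37""",'
    '"""True""","""True""","""True""","""0""",',
    '"""Legolas""","""192.168.0.15""","""2023-06-15 18:50:37""",'
    '"""True""","""False""","""True""","""2""","""4.0"""',
    '"""Gimli""","""192.168.0.20""","""2023-06-13 20:50:37""",'
    '"""False""","""True""","""False""","""1""","""2.5"""',
])

# Fixed reference time so the sample classifies deterministically (constructed).
NOW = datetime(2023, 6, 15, 20, 51, 0)


def parse_export(text):
    """Parse the export into dicts, unwrapping the triple-quoted value convention."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip('"') for h in next(reader)]
    rows = []
    for raw in reader:
        if not raw:            # skip blank trailing lines
            continue
        # csv turns """True""" into "True"; strip the remaining literal quotes
        rows.append({k: v.strip('"') for k, v in zip(header, raw)})
    return rows


def endpoint_status(last_seen, now):
    """Online/Away/Offline rule as described for the User column in the guide."""
    age = now - last_seen
    if age < ONLINE_LIMIT:
        return "Online"
    if age < AWAY_LIMIT:
        return "Away"
    return "Offline"


def audit(rows, now):
    """Flag endpoints whose client, AV signatures or policy are not current."""
    findings = []
    for r in rows:
        last_seen = datetime.strptime(r["last_seen"], "%Y-%m-%d %H:%M:%S")
        issues = []
        if r["client_version_up_to_date"] != "True":
            issues.append("client-outdated")
        if r["client_av_sig_version_up_to_date"] != "True":
            issues.append("av-signatures-outdated")
        if r["client_policy_synced"] != "True":
            issues.append("policy-out-of-sync")
        vulns = int(r["vuln_events_count"] or 0)
        if vulns:
            severity = r["vuln_events_max_severity"] or "n/a"
            issues.append(f"open-vulnerabilities={vulns} (max severity {severity})")
        findings.append({
            "hostname": r["hostname"],
            "ip": r["ip"],
            "status": endpoint_status(last_seen, now),
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_export(SAMPLE_EXPORT), NOW):
        flags = ", ".join(f["issues"]) or "ok"
        print(f'{f["hostname"]:<10} {f["ip"]:<14} {f["status"]:<8} {flags}')
```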
Managing endpoints
You can run a full or quick AV scan on endpoints. Scanning starts on the endpoints with the next FortiClient Telemetry
communication.
For the difference between full and quick AV scans, see AntiVirus Protection on page 320.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start full antivirus scan or Start quick antivirus scan.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Quick AV Scan or Full AV Scan.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Start vulnerability scan. Vulnerability scanning starts on the
endpoints with the next FortiClient Telemetry communication.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Scan menu, select Vulnerability Scan. Vulnerability scanning starts on the endpoint
with the next FortiClient Telemetry communication.
You can request that FortiClient patch detected critical and high vulnerabilities on endpoints.
FortiClient can automatically patch many software vulnerabilities. However, the endpoint user must manually patch
some detected software vulnerabilities. If a vulnerability requires the endpoint user to download and install software to
patch it, FortiClient displays the information.
1. Go to Endpoints.
2. Right-click a domain or workgroup, and select Patch critical/high vulnerabilities. FortiClient initiates automatic
vulnerability patching with the next FortiClient Telemetry communication.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Patch menu, select one of the following options:
• Selected Vulnerabilities on Selected Clients
FortiClient initiates automatic vulnerability patching with the next FortiClient Telemetry communication.
You can upload a FortiClient log file from one or several endpoints to FortiClient EMS. The log file is uploaded to the hard
drive on the computer on which you are running EMS. The uploaded log file is not visible in the FortiClient EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Upload FortiClient logs. The
<Endpoint serial number>_<Endpoint hostname>_log file is uploaded to the following location on your
computer: <drive>:\Program Files (x86)\Fortinet\FortiClientEMS\logs
You can use EMS to run the FortiClient diagnostic tool on one or multiple endpoints and export the results to the hard
drive on the computer on which you are running FortiClient EMS. The exported information is not visible in the FortiClient
EMS GUI.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup.
3. Click one or multiple endpoints, and from the Action menu, select Request Diagnostic Results. The <Endpoint
serial number>_<Endpoint hostname>_Diagnostic_Result.cab file is uploaded to the following
location on your computer: <drive>:\Program Files (x86)\Fortinet\FortiClientEMS\logs.
Updating signatures
You can use EMS to request FortiClient update signatures on the endpoints.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Update Signatures. FortiClient receives the request to update
signatures and downloads the signatures from the Internet.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available FortiClient Logs. If you recently requested
FortiClient logs, you must wait at least five minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the logs to. Click Save. The logs are saved to your selected directory as
a .zip file.
1. Go to Endpoints.
2. Select All Endpoints, a domain, or workgroup. The list of endpoints displays in the content pane.
3. Click an endpoint, and from the Action menu, select Download Available Diagnostic Results. If you recently
requested diagnostic results, you must wait at least twenty minutes before you can download them.
4. A confirmation dialog appears. Click Download.
5. Browse to the desired directory to download the logs to. Click Save. The logs are saved to your selected directory as
a .zip file.
To disconnect endpoints:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup.
3. Click an endpoint, and from the Action menu, select Deregister. EMS disconnects the endpoint with the next
FortiClient Telemetry communication. After the endpoint is disconnected from EMS, you can reconnect the endpoint
to EMS manually.
Quarantining an endpoint
You can quarantine an endpoint using EMS. Quarantined endpoints cannot access the network.
You must enable Application Firewall for this feature to function. See Feature Select on page 494.
To quarantine an endpoint:
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Quarantine.
The endpoint status changes to Quarantined, and EMS quarantines the endpoint with the next FortiClient Telemetry
communication.
You can remove an endpoint from quarantine by right-clicking the endpoint and selecting Unquarantine. EMS
removes the endpoint from quarantine with the next FortiClient Telemetry communication and restores network
access.
You can also provide the endpoint user with a one-time access code. The user can enter the code to access
FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in FortiClient. The code is
The Security Fabric offers visibility of endpoints at various monitoring levels. You can configure the system to
automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. This requires the Security
Fabric to include the following network components:
• FortiGate
• FortiAnalyzer
• FortiClient EMS
• FortiClient
You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to
the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.
This configuration functions as follows:
1. FortiClient sends logs to the FortiAnalyzer.
2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the
EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine
the endpoint.
4. EMS searches for the endpoint and sends a quarantine message to it.
5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint
notifies the FortiGate and EMS of the status change.
Prerequisites
The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.
FortiClient
FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.
EMS
1. You must create a profile for the endpoint. See Creating a new profile on page 189.
2. You must create and configure an endpoint policy that is configured with the desired profile and Telemetry gateway
list for the desired endpoint group. See Adding an endpoint policy on page 175.
3. Enable Remote HTTPS access. See Configuring EMS settings on page 472.
FortiGate
To create an EMS firewall address object, enter the following commands in the CLI. This step is only necessary when
using a version of FortiOS prior to 6.2.0.
config firewall address
edit "EMS01"
set type ipmask
set subnet <EMS_IP_address> 255.255.255.255
next
end
There are separate instructions when using FortiOS 6.2.0 or a later version, and a version of FortiOS earlier than 6.2.0.
If using FortiOS 6.2.0 or a later version, do the following:
1. Go to Security Fabric > Settings.
2. Enable FortiClient Endpoint Management System (EMS).
3. In the Name field, enter the desired EMS name.
4. In the IP/Domain Name field, enter the EMS IP address or FQDN.
5. In the Serial Number field, enter the EMS serial number. You can find this in the System Information widget on the
EMS dashboard.
6. In the Admin User field, enter the EMS admin username.
7. In the Password field, enter the admin user's password.
8. Click Apply.
If using a FortiOS version earlier than 6.2.0, enter the following commands in the CLI. In the following commands,
<EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and
<PASSWORD> is the EMS administrator's password:
config endpoint-control forticlient-ems
edit "e01"
set address "EMS01"
set serial-number <EMS_SERIAL_NUMBER>
set rest-api-auth userpass
set https-port 443
set admin-username <EMS_ADMIN>
set admin-password <PASSWORD>
set admin-type Windows
next
end
Executing automation
Once prerequisites are met, you can trigger the automation process. The following procedure triggers the quarantine
action on the endpoint at <endpoint_ip_address>:
diag endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <endpoint_ip_address>
After this action, EMS and FortiOS both display that the endpoint is quarantined.
1. Go to Endpoints.
2. Click All Endpoints, a domain, or workgroup. A list of endpoints displays.
3. Click an endpoint, and from the Action menu, select Exclude from Management.
Deleting endpoints
You can delete disconnected endpoints from EMS. This option is only available for non-domain devices.
1. Go to Endpoints.
2. Click All Endpoints or a workgroup. A list of endpoints displays.
3. If the endpoint has a status of Registered, disconnect the endpoint.
4. Click an endpoint, and from the Action menu, select Delete Device.
5. In the dialog, click Yes. The endpoint is deleted from FortiClient EMS.
You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team
investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.
You can only request forensic analysis for Windows endpoints.
You must apply the Forensics license to EMS to access this feature. The following assumes that you have acquired and
applied the license as necessary.
d. Click Save.
e. Include this profile in a policy, and apply the policy to the desired endpoint.
3. Request analysis:
a. Go to Endpoints > All Endpoints.
b. Select the desired endpoint.
c. Under Forensics Analysis, click Request Analysis.
4. Complete the questionnaire:
a. In the Summary of the Issue field, enter a description of the issue that you are observing on the endpoint.
b. In the Reason of Escalation field, select the desired option, or enter another reason in the Other field.
c. In the First Identified Activity field, enter the date that you first observed the issue.
d. In the Actions Taken to Date field, select any actions you took to resolve this issue.
e. In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
f. If desired, provide details in the Comment field.
5. Click Finish. Once you submit the request, EMS notifies FortiClient and the forensics agent on the endpoint starts
collecting forensics logs. FortiClient uploads the logs to the cloud and shares a link with the analyst. In EMS, you
can see status of the analysis request in the endpoint summary:
Status Description
l Cancelled: indicates one of the following:
l The analyst needed more information about the endpoint to perform
the analysis.
l The EMS administrator canceled the request.
l Completed: analyst has completed analysis on the endpoint and shared
the result in a PDF document. You can download the report from the
endpoint summary's Forensic Analysis section.
Agent Status Status of the forensic agent collecting logs on the endpoint. Possible statuses
are:
l Pending: EMS has notified FortiClient that a forensic analysis request is
forensics logs.
l Upload Started: FortiClient has started to upload the logs to the cloud.
cloud.
l Upload Failed: FortiClient failed to upload the logs to the cloud.
6. Once the analysis is complete, you can click Download Report in the endpoint summary to view the details. You can
also view the verdict that the analyst arrived at. You can also filter the endpoint list based on whether the forensics
service is enabled, the status, and verdict.
You can use group assignment rules to automatically place endpoints into custom groups.
EMS does not apply group assignment rules to a domain-joined endpoint that belongs to an Active Directory (AD) domain
imported into EMS. The endpoint stays in the organizational unit to which it belongs in the AD domain tree, even if it
matches a group assignment rule.
Group assignment rules only apply to endpoints in workgroups. EMS automatically places workgroup endpoints that do not
match any group assignment rule into the Other Endpoints group.
You can use group assignment rules to automatically place endpoints into custom groups based on certain traits.
Creating a FortiClient deployment package includes an option to specify an installer ID. For example, you may want to
place all endpoints located in your company's headquarters in the same endpoint group. You can configure a FortiClient
deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the
endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation,
the process is as follows:
1. In FortiClient EMS, create an installer ID group assignment rule that requires EMS to place endpoints with the
installer ID "HQ" into the HQ group. The installer ID and group name do not need to match. See Adding a group
assignment rule on page 159.
2. Create a FortiClient deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See
Adding a FortiClient deployment package on page 170.
3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ
group.
If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group
assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.
You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address
range into the same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP
address range to be placed into the desired group. See Adding a group assignment rule on page 159.
2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are
placed in the specified group.
You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the
same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be
placed into the desired group. See Adding a group assignment rule on page 159.
2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the
specified group.
You can create a group assignment rule to automatically place all endpoints that connected to EMS using a specific
invitation code into the same custom group. In this situation, the process is as follows:
1. In FortiClient EMS, create an invitation group assignment rule that requires endpoints that connected to EMS using
a specific invitation code to be placed into the desired group. See Adding a group assignment rule on page 159.
2. With the next FortiClient Telemetry communication, endpoints with the specified invitation code are placed in the
specified group.
An endpoint may be eligible for multiple group assignment rules. When an endpoint is eligible for multiple endpoint group
assignment rules, two factors determine which rule EMS applies to the endpoint:
1. EMS applies group assignment rules to endpoints only if the rules are enabled on the Endpoints > Group
Assignment Rules page.
2. If an endpoint is eligible for multiple enabled rules, EMS applies the eligible rule with the highest priority (priority
level 1) to the endpoint.
However, if you disable the HQ rule, EMS places the endpoint in the West Coast/Seattle group, as per the
192.168.0.0/24 subnet rule.
You can reenable the HQ rule, then change the rule priority levels so that the 192.168.0.0/24 rule has priority level 1. In
this case, EMS places the endpoint in the West Coast/Seattle group.
An installer ID group assignment rule automatically places endpoints with the specified installer ID into the specified
endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select Installer ID.
4. In the Installer ID field, enter the desired installer ID.
5. In the Group field, do one of the following:
l To place the endpoints into an existing group, select the desired group from the dropdown list.
l To place the endpoints into a new group, click Create a new group and enter the desired group name.
FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For
example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient
EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle
groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group
exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
An IP address group assignment rule automatically places all endpoints with an IP address in the specified subnet or IP
address range into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select IP Address.
4. In the Subnet/IP Range field, enter the desired subnet or IP address range. You must enter an IPv4 range, such as
192.168.1.1-192.168.1.5, or an IPv4 subnet with subnet mask, such as 192.168.0.0/28. You cannot enter an IPv6
range or subnet. EMS automatically places endpoints whose IP addresses belong to the specified subnet or
IP address range into the specified group.
5. In the Group field, do one of the following:
l To place the endpoints into an existing group, select the desired group from the dropdown list.
l To place the endpoints into a new group, click Create a new group and enter the desired group name.
FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For
example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient
EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle
groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group
exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
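The rule evaluation described in the priority discussion (only enabled rules count, the eligible rule with priority level 1 wins, endpoints in an imported AD domain are never moved, unmatched workgroup endpoints go to Other Endpoints) together with the Subnet/IP Range input rules (an IPv4 range or an IPv4 subnet with mask, no IPv6), as an added Python example that is not part of this guide or of EMS itself. The Rule and Endpoint classes, their attribute names, and the prefix match used for OS names are assumptions made for the example; the HQ versus 192.168.0.0/24 scenario is the one the priority discussion walks through.

```python
"""Group assignment rule resolution for workgroup endpoints.

Added illustration, not FortiClient EMS code. The Rule/Endpoint classes,
their attribute names and the prefix match for OS names are assumptions.
"""
from dataclasses import dataclass
import ipaddress
import re

# An IPv4 "start-end" range as typed into the Subnet/IP Range field.
_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_ip_rule(text):
    """Return (low, high) IPv4Address for a subnet with mask or a range.

    Accepts only what the field accepts: 192.168.1.1-192.168.1.5 or
    192.168.0.0/28. Raises ValueError for IPv6, a bare address, or a
    range whose start is after its end.
    """
    text = text.replace(" ", "")
    m = _RANGE_RE.match(text)
    if m:
        lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start is after range end: {text}")
        return lo, hi
    if "/" not in text:
        raise ValueError(f"expected an IPv4 subnet with mask or a range: {text}")
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv6 is not accepted: {text}")
    return net.network_address, net.broadcast_address


def ip_rule_is_valid(text):
    """True if the Subnet/IP Range field would accept the value."""
    try:
        parse_ip_rule(text)
        return True
    except ValueError:
        return False


@dataclass
class Rule:
    rule_type: str     # "installer_id", "ip", "os" or "invitation"
    value: str         # installer ID, subnet/range, OS name or invitation code
    group: str         # target group path, e.g. "West Coast/Seattle"
    priority: int      # 1 is evaluated first
    enabled: bool = True


@dataclass
class Endpoint:
    hostname: str
    ip: str
    os: str
    installer_id: str = ""
    invitation: str = ""
    ad_ou: str = ""    # non-empty: endpoint belongs to an imported AD domain


def rule_matches(rule, ep):
    if rule.rule_type == "installer_id":
        return ep.installer_id == rule.value
    if rule.rule_type == "invitation":
        return ep.invitation == rule.value
    if rule.rule_type == "os":
        # Assumed semantics: "Windows" matches every Windows version,
        # "Windows Server 2019" matches only that release.
        return ep.os.lower().startswith(rule.value.lower())
    if rule.rule_type == "ip":
        lo, hi = parse_ip_rule(rule.value)
        try:
            return lo <= ipaddress.IPv4Address(ep.ip) <= hi
        except ipaddress.AddressValueError:
            return False   # malformed or IPv6 endpoint address never matches
    raise ValueError(f"unknown rule type: {rule.rule_type}")


def assign_group(ep, rules, default="Other Endpoints"):
    """Return the group EMS would place the endpoint in."""
    if ep.ad_ou:
        return ep.ad_ou    # imported AD endpoints keep their OU; rules are ignored
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule_matches(rule, ep):
            return rule.group
    return default


def groups_to_create(path, existing):
    """Groups that 'Create a new group' would create for a nested path, parent first."""
    parts = path.split("/")
    prefixes = ("/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return [p for p in prefixes if p not in existing]


def resolve_example():
    """The guide's HQ versus 192.168.0.0/24 scenario in its three stages."""
    ep = Endpoint("hq-laptop-01", "192.168.0.10", "Windows 11", installer_id="HQ")
    hq = Rule("installer_id", "HQ", "HQ", priority=1)
    seattle = Rule("ip", "192.168.0.0/24", "West Coast/Seattle", priority=2)
    both_enabled = assign_group(ep, [hq, seattle])
    hq_disabled = assign_group(ep, [Rule("installer_id", "HQ", "HQ", 1, enabled=False), seattle])
    swapped = assign_group(ep, [Rule("installer_id", "HQ", "HQ", 2),
                                Rule("ip", "192.168.0.0/24", "West Coast/Seattle", 1)])
    return [both_enabled, hq_disabled, swapped]


if __name__ == "__main__":
    print(resolve_example())
    print(groups_to_create("West Coast/Seattle", {"West Coast"}))
```

Running the module prints ['HQ', 'West Coast/Seattle', 'West Coast/Seattle'], the three outcomes the priority discussion walks through. ip_rule_is_valid rejects IPv6, a bare address without a mask, and a range whose start is after its end, which is the check worth making before a rule is saved.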
An OS group assignment rule automatically places all endpoints with the specified OS installed into the specified
endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select OS.
4. In the OS field, enter the OS. EMS automatically places endpoints that have the specified OS installed into the
specified group. You can enter only the OS name or specify a version number. For example, you can enter
"Windows" to place endpoints with any version of Windows installed into the specified endpoint group. You can also
specify "Windows Server 2019" to only place endpoints that have Windows Server 2019 installed into the specified
endpoint group.
5. In the Group field, do one of the following:
l To place the endpoints into an existing group, select the desired group from the dropdown list.
l To place the endpoints into a new group, click Create a new group and enter the desired group name.
FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For
example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient
EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle
groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group
exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
An invitation group assignment rule automatically places all endpoints that connected to EMS using the specified
invitation code into the specified endpoint group.
1. Go to Endpoints > Group Assignment Rules.
2. Click Add.
3. Under Type, select Invitation.
4. From the Invitation dropdown list, select the desired invitation. You must have previously configured invitations for
this option to be available. See Invitations on page 454. EMS automatically places endpoints that connected to EMS
using that invitation code into the specified group.
5. In the Group field, do one of the following:
l To place the endpoints into an existing group, select the desired group from the dropdown list.
l To place the endpoints into a new group, click Create a new group and enter the desired group name.
FortiClient EMS creates the new group. To create a new nested group, enter the desired group hierarchy. For
example, to create a Seattle group nested under a West Coast group, enter West Coast/Seattle. FortiClient
EMS then dynamically creates any group that does not exist. For example, if both the West Coast and Seattle
groups do not exist, FortiClient EMS creates both groups with the desired hierarchy. If the West Coast group
exists, FortiClient EMS creates a new Seattle group nested under it.
6. Enable or disable the rule by toggling Enable Rule on or off.
7. Click Save.
Google Domains
FortiClient EMS needs to determine which Chromebooks to manage. Device information comes from the Google Admin
console. Google Domains is only available if you enabled System Settings > EMS Settings > EMS for Chromebooks
Settings. This section only applies if you are using FortiClient EMS to manage Google Chromebooks.
1. Go to Google Domains > Manage Domains, and click the Add button. The Google Domain pane displays.
2. In the Admin Email field, enter your Google domain admin email.
3. In the Organization Unit Path field, enter the domain organization unit path.
4. Click Save. EMS imports the Google domain information and users.
Viewing domains
After you add domains to FortiClient EMS, you can view the list of domains in Google Domains. You can also view the list
of Google users in each domain and details about each Google user in the User Details, Client Statistics, and Blocked
Sites panes.
User Details
Field Information
Name Username.
Last Login Date and time the user last logged into the domain.
Last Policy Retrieval Date and time that the Google Chromebook last retrieved the endpoint profile.
Effective Policy Name of the Chromebook policy assigned to the user in the domain.
Client Statistics
Charts Information
Blocked Sites Distribution (past <number> days) Displays the distribution of blocked sites in the past number of days. You can configure the number of days for which to display information. Go to System Settings > Logs.
Top 10 Site Categories by Distribution (Past <number> Days) Displays the distribution of the top ten site categories in the past number of days. You can configure the number of days for which to display information. Go to System Settings > Logs.
Blocked Sites
Fields Information
User Initiated Whether the user initiated the visit to the blocked site.
Editing a domain
To edit a domain:
Deleting a domain
To delete a domain:
You can use FortiClient EMS to deploy FortiClient upgrades on endpoints that already have FortiClient installed.
The following sections do not describe how to initially deploy FortiClient to endpoints. See Initially deploying FortiClient
software to endpoints on page 13.
Manage Deployment
Field Description
Endpoint Groups Optional. Select the desired endpoint group. The list includes device groups for all imported domains and workgroups.
Deployment Package Select the desired deployment package from the dropdown list.
Start at a Scheduled Time If this feature is enabled, FortiClient displays a notification to users that there is a newer FortiClient version that they are expected to upgrade to. The time that you specify in this field displays to users as the default scheduled time for the installation to take place. The notification also allows users to configure a custom install time or to install the update immediately. If this feature is disabled, the FortiClient installation starts immediately without user interaction.
Unattended Installation When enabled, the end user cannot modify the installation schedule. If needed, the device reboots without warning logged-in users.
Reboot When Needed Reboot the endpoint to install FortiClient when needed.
Reboot When No Users Are Logged In Allow the endpoint to reboot without prompt if no endpoint user is logged into FortiClient.
Notify Users and Let Them Decide When To Reboot When Users Are Logged In Notify the end user if a reboot of the endpoint is needed and allow the user to decide what time to reboot the endpoint. Disable to reboot the endpoint without notifying the user.
Priority The default priority for a new deployment configuration is the lowest priority. You cannot edit the priority while creating the deployment configuration. You can change the priority level after creating the deployment configuration. See Managing deployment configuration priority levels on page 166.
4. Click Save.
An endpoint may be eligible for multiple deployment configurations. When an endpoint is eligible for multiple endpoint
deployment configurations, the following factors determine which configuration EMS applies to the endpoint:
1. EMS applies deployment configurations to endpoints only if the configurations are enabled in Deployment
& Installers > Manage Deployment.
2. If an endpoint is eligible for multiple enabled configurations, EMS applies the configuration with the first priority level
to the endpoint.
However, if you disable the HQ configuration, EMS applies the Legacy deployment configuration to the endpoint in the
Legacy group.
You can reenable the HQ configuration, then change the configuration priority levels so that the Legacy configuration
has priority level 1. In this case, EMS applies the Legacy configuration to the endpoint.
You can deploy a FortiClient software update from FortiClient EMS. A prompt appears on the FortiClient endpoint when
a deployment package requests deployment. The prompt requests the user to do one of the following.
For the following options, if there are driver version changes due to the upgrade, the upgrade process also automatically
reboots your computer. Otherwise, a reboot does not occur.
Suggested install time The dialog displays the time that you configured in Start at a Scheduled Time
when you created the deployment configuration. See Creating a deployment
configuration on page 165. If selected, FortiClient performs the upgrade at this
time.
Select a time Indicate the time to start the upgrade. The default is the same as the suggested
install time.
No option If the user does not select an option, the upgrade occurs by default at the
suggested install time. After the previous version is uninstalled, it asks if the user
wants to reboot. The prompt requests the user to do one of the following:
l Reboot: have the reboot occur immediately.
l Reboot later: reboot the computer later. You cannot select a specific reboot
l macOS
l Linux
Deploying different installer IDs to endpoints using the same deployment package
As Installer ID group assignment rules on page 157 describes, you can include an installer ID in a FortiClient deployment
package. After FortiClient installation, the endpoint connects to EMS and EMS groups the endpoint according to the
installer ID group assignment rule. You can configure one installer ID for each deployment package.
In an environment with a large number of endpoints, you may have dozens of installer IDs that you want to use to group
endpoints automatically in EMS after installation. Since you can configure each deployment package with only one
installer ID, it may be inefficient to create a deployment package for each installer ID.
Instead, you can create a deployment package without an installer ID in EMS, then install FortiClient on the endpoint
using the CLI, providing the installer ID as one of the CLI options. You can use the same deployment package on
multiple endpoints, providing different installer IDs in the CLI depending on which group you want EMS to place the
endpoint in. When these endpoints connect to EMS, EMS groups them according to the installer ID provided in the CLI.
This process consists of the following:
1. Create a deployment package in EMS. Do not configure an installer ID. See Adding a FortiClient deployment
package on page 170.
2. Create installer ID group assignment rules to automatically move endpoints into the desired groups. See To add an
installer ID group assignment rule: on page 159.
3. Install FortiClient on endpoints using the following CLI commands:
For example, consider that you want to deploy the same deployment package but different installer IDs for the HR,
Marketing, and Office Management teams at your organization. In this scenario, you would use EMS to create a
deployment package without an installer ID and an installer ID group assignment rule for each endpoint group. Then, you
can install FortiClient on the HR, Marketing, and Office Management endpoints using the same deployment package
and the following CLI commands, respectively:
FortiClientSetup_7.4.0_x64.exe /v"GROUP_TAG=HR"
FortiClientSetup_7.4.0_x64.exe /v"GROUP_TAG=Marketing"
FortiClientSetup_7.4.0_x64.exe /v"GROUP_TAG=OM"
After the endpoints connect to EMS, EMS automatically places them into groups based on their different installer IDs
(HR, Marketing, and OM).
FortiClient Installer
You can create deployment packages to deploy FortiClient to endpoints. Deployment packages include the FortiClient
installer, which determines the FortiClient release and patch to install on the endpoint. Deployment packages can also
include a Telemetry gateway list for connection to a FortiGate.
See Installing FortiClient using the CLI.
After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can
delete the deployment package from FortiClient EMS, and edit the deployment package
outside of FortiClient EMS. You can then add the edited deployment package to FortiClient
EMS.
You can create an installer or installer config file, or upload a packaged installer to add a FortiClient deployment
package.
If you enable Sign software packages in System Settings > EMS Settings, Windows
deployment packages display as being from the publisher specified in the certificate file. See
Configuring EMS settings on page 472.
Installer Type Select Create installer to create an installer from the FortiGuard distribution server. This option is not available if using the EMS free trial license.
Build (Optional) Available if you select Create installer config file. Enter the FortiClient build number to install.
Keep updated to the latest patch Available if you select Create installer. Enable EMS to repackage the EMS-created FortiClient deployment package to the latest patch release.
5. Click Next. On the Features tab, set the following options. For features that are not available for all operating
systems, the dialog displays the icons of the operating systems for which the feature is available:
Available options may differ depending on the features you have enabled or disabled in
Feature Select. See Feature Select on page 494.
Secure Access Architecture Components Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.
If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.
See Remote Access on page 192 for details on configuring a VPN tunnel.
Advanced Persistent Threat (APT) Components Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.
If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the
endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in
Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on
the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient
GUI.
Enable desktop shortcut Configure the FortiClient deployment package to create a desktop shortcut on
the endpoint.
Enable start menu shortcut Configure the FortiClient deployment package to create a Start menu shortcut
on the endpoint.
Enable Installer ID Configure an installer ID. Select an existing installer ID or enter a new installer
ID. If creating an installer ID, select a group path or create a new group in the
Group Path field. FortiClient EMS automatically groups endpoints according to
installer ID group assignment rules. See Group assignment rules on page 157.
If you manually move the endpoint to another group after EMS places it into
the group defined by the installer ID group assignment rule, EMS returns the
endpoint to the group defined by the installer ID group assignment rule.
In an environment with a large number of endpoints, since you can configure
each deployment package with only one installer ID, it may be inefficient to
create a deployment package for each installer ID. See Deploying different
installer IDs to endpoints using the same deployment package on page 168.
Enable Endpoint VPN Profile Select an endpoint VPN profile to include in the installer. EMS applies the VPN
profile to the endpoint once it has installed FortiClient. This option is necessary
if users require VPN connection to connect to EMS.
Enable Endpoint System Profile Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.
Invalid Certificate Action Select the action to take when FortiClient attempts to connect to EMS with an
invalid certificate:
l Warn: warn the user about the invalid server certificate. Ask the user
Invitation Select an invitation to include in the deployment package. If you have not
created an invitation, you can create one by clicking Create Invitation. See
Invitations on page 454.
7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manages
FortiClient once it is installed on the endpoint.
8. Do one of the following:
l If you selected Create installer, click Finish. The FortiClient deployment package is added to FortiClient EMS
and displays on the Deployment & Installers > FortiClient Installer pane. The deployment package may include
.exe (64-bit), .msi, .dmg, .rpm, and .deb files depending on the configuration. The end user can download these
files to install FortiClient on their machine with the desired configuration.
l If you selected Create installer config file, click Download. This downloads a config.json file to your device. You
can upload this file to a cloud server to create a custom deployment package.
Repacked installers Upload a zip file that contains 64-bit Windows, macOS, and/or Linux custom
installers. You can download FortiClient installers to use with FortiClient EMS
from Fortinet Customer Service & Support. This requires a support account
with a valid support contract. You can also download installers from
FortiClient.com. Download the Windows, macOS, or Linux installation file. The
installation files on the Fortinet Customer Service & Support and
FortiClient.com websites are not available in .zip format. You must package
the installer as a .zip file to upload it.
5. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manages
FortiClient once it is installed on the endpoint.
6. Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment
& Installers > FortiClient Installer pane. The deployment package may include .exe (64-bit), .msi, .dmg, .rpm, or .deb
files depending on the configuration. The end user can download these files to install FortiClient on their machine
with the desired configuration.
After you add FortiClient deployment packages to FortiClient EMS, you can view them on the Deployment & Installers >
FortiClient Installer pane.
The Deployment Packages pane displays the following information about each deployment package:
l Name of the FortiClient deployment package
l Operating system (Windows, macOS, and/or Linux)
l Version of FortiClient software for each OS
l Whether Auto Update is enabled or disabled
l Location of the FortiClient deployment package in FortiClient EMS. Endpoint users can access this location to
download and install FortiClient on endpoints.
Selecting a deployment package displays the following additional information:
l Enabled FortiClient features
l Configured endpoint profile
l Connection to FortiClient EMS
l Auto registration enabled/disabled
l Desktop shortcut enabled/disabled
l Start menu shortcut enabled/disabled
l Configured installer ID
l Notes included when creating the deployment package
You can also create or delete a deployment package and refresh the deployment package list.
You can create endpoint policies to assign endpoint profiles and on-fabric detection rules to groups of Windows, macOS,
and Linux endpoints. The Endpoint Policy & Components > Manage Policies page provides a comprehensive summary
of which endpoint policies are applied to which endpoint groups.
Manage Policies
Endpoint Policy Name Enter the desired name for the endpoint policy.
Endpoint Groups Select the device and/or user group to apply the policy to. You can select a
group from all imported domains and workgroups.
Users Search for and select desired domain users to apply the policy to.
If an endpoint is applicable for both a user-based and a group-based policy,
EMS applies the user-based policy, which takes precedence, to the endpoint.
When using a user-based policy, disabling the Windows switch users option is
recommended to ensure EMS applies the policy correctly.
Profile (Off-Fabric) Configure the desired endpoint profiles to apply to the endpoint when it is off-
fabric according to the on-fabric detection rules configured in this policy. For
example, you may want to apply more restrictive profiles to the endpoint when
it is determined to be off-fabric. From the dropdown list, select the desired
endpoint profiles.
If including an off-fabric profile in a policy, also including on-fabric detection
rules in the policy is recommended. Otherwise, EMS may not apply on-fabric
and off-fabric profiles as desired.
When you enable this toggle, the Profile field displays two sets of endpoint
profile dropdown lists. You can configure the desired endpoint profiles for an
off-fabric endpoint using the dropdown lists on the right.
Profile From the dropdown lists, configure the desired endpoint profiles to apply to
endpoints that EMS has applied the policy to. FortiClient EMS displays
enabled endpoint profiles with a green circle and disabled endpoint profiles
with a gray circle.
Download Profile XML Download the XML configuration file for the profiles by clicking the Profile XML
button. This downloads one XML file that contains the XML configuration for all
selected endpoint profiles.
If Profile (Off-Fabric) is enabled, you can use the Off-Fabric Profile XML button
to download an XML file that contains the XML configuration for all selected
endpoint profiles for off-fabric endpoints.
On-Fabric Detection Rules Select the on-fabric detection rules to include in the policy. You can select
multiple rules.
You must have already created on-fabric detection rules to include them in an
endpoint policy. See On-fabric Detection Rules on page 183.
Enable the Policy Toggle to enable or disable the endpoint policy. You can enable or disable the
policy at a later time from Endpoint Policy & Components > Manage Policies.
4. Click Save. You can view the newly created policy in Endpoint Policy & Components > Manage Policies.
EMS pushes these settings to the endpoint with the next Telemetry communication.
An endpoint may be eligible for multiple endpoint policies. When an endpoint is eligible for multiple endpoint policies, the
following factors determine which endpoint policy EMS applies to the endpoint:
1. EMS only applies endpoint policies to endpoints if they are enabled on the Endpoint Policy & Components > Manage
Policies page.
2. If an endpoint is eligible for multiple enabled endpoint policies, EMS applies the policy with the highest priority to the
endpoint.
In this example, all three policies are enabled. The All Groups/Seattle/HR subgroup is eligible for both the Seattle_
general and Seattle_HR policies. In this scenario, EMS applies the first eligible endpoint policy, Seattle_general, to the
All Groups/Seattle/HR subgroup.
In this example, the Seattle_general endpoint policy has been disabled. The All Groups/Seattle/HR group is still eligible
for both policies. Since the Seattle_general policy is disabled, EMS applies Seattle_HR to the All Groups/Seattle/HR
group.
l Seattle_HR: 2
l Seattle_general: 3
In this example, the All Groups/Seattle/HR group is eligible for two policies: Seattle_HR and Seattle_general. Since
Seattle_HR comes before Seattle_general in the priority list, EMS applies Seattle_HR to All Groups/Seattle/HR.
Even though SF_general is set to priority 1, EMS does not apply it to All Groups/Seattle/HR, since All Groups/Seattle/HR
is not eligible for that policy.
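To make the two selection rules concrete, here is an added Python example (not part of the guide and not EMS code) that resolves the policy for an endpoint's group. It assumes that a policy assigned to a group also covers that group's subgroups, that a lower priority number means a higher priority (as in the guide's priority list), and it uses constructed group assignments for the SF_general, Seattle_HR and Seattle_general policies, which the guide does not spell out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EndpointPolicy:
    name: str
    priority: int        # position in the Manage Policies list: 1 is the highest priority
    groups: List[str]    # group paths the policy is assigned to; subgroups inherit (assumption)
    enabled: bool = True


def is_eligible(endpoint_group: str, policy: EndpointPolicy) -> bool:
    """An endpoint is eligible for a policy when its group is one of the policy's groups
    or is nested beneath one of them (All Groups/Seattle/HR lies under All Groups/Seattle)."""
    for group in policy.groups:
        base = group.rstrip("/")
        if endpoint_group == base or endpoint_group.startswith(base + "/"):
            return True
    return False


def select_policy(endpoint_group: str, policies: List[EndpointPolicy]) -> Optional[EndpointPolicy]:
    """The guide's two rules: ignore disabled policies, then take the eligible policy with
    the highest priority, i.e. the lowest priority number."""
    candidates = [p for p in policies if p.enabled and is_eligible(endpoint_group, p)]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p.priority)


def seattle_example(endpoint_group: str, disabled=frozenset()) -> Optional[str]:
    """Constructed version of the guide's third example (three policies, priorities 1-3).
    The group assignments are assumptions; the guide names only the policies and priorities."""
    policies = [
        EndpointPolicy("SF_general", 1, ["All Groups/SF"]),
        EndpointPolicy("Seattle_HR", 2, ["All Groups/Seattle/HR"]),
        EndpointPolicy("Seattle_general", 3, ["All Groups/Seattle"]),
    ]
    for p in policies:
        p.enabled = p.name not in disabled
    chosen = select_policy(endpoint_group, policies)
    return chosen.name if chosen else None


if __name__ == "__main__":
    print(seattle_example("All Groups/Seattle/HR"))                    # Seattle_HR
    print(seattle_example("All Groups/Seattle/HR", {"Seattle_HR"}))    # Seattle_general
    print(seattle_example("All Groups/NYC"))                           # None: no eligible policy
```

Disabling Seattle_HR in the call above reproduces the guide's second scenario: the subgroup stays eligible for Seattle_general, so that policy is applied, and an endpoint outside every assigned group gets no policy at all.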
You can select the columns to display in Endpoint Policy & Components > Manage Policies.
You can assign FortiClient policies based on endpoint devices in organizational units.
CA Certificates
If FortiOS is connected to EMS using the EMS API, deep inspection is enabled, and the Fabric connection between
FortiOS and FortiClient EMS has already been configured, EMS automatically imports the FortiOS CA certificate. You
then only need to apply the certificate in the desired endpoint profile. See System Settings on page 338. In this scenario,
you do not need to manually upload or import CA certificates to EMS.
If you manually delete the imported certificate from EMS, EMS does not automatically reimport the certificate from
FortiOS, even when EMS and FortiOS remain connected via the Fabric connector. EMS also does not automatically
delete an already imported certificate if the Fabric connection between FortiOS and EMS is removed.
If FortiOS is not sending the CA certificate to EMS, you can manually upload or import CA certificates as the following
describes.
After uploading or importing a certificate, you must configure it in a profile using the Install CA Certificate on Client option
to provision it to endpoints. See System Settings on page 338.
To upload a CA certificate:
3. In the Upload Local Certificate window, click Browse and locate the certificate.
4. Click Upload.
To import a CA certificate:
IP address/Hostname: Enter the server IP/hostname in the following format: <ip address>:<port>.
You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-
fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in
the applied endpoint policy. See Adding an endpoint policy on page 175.
When a user switches accounts between a local non-domain account and a domain account on the same machine,
FortiClient EMS may not apply the correct policy to the endpoint.
DHCP Server: On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/MAC Address tab, the MAC Address field is optional.
The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use the FortiGate serial number as the DHCP code if desired. See To configure the DHCP code: on page 185.
EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.
DNS Server: Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.
EMS Connection: The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.
Local IP/Subnet: In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the specified range and, if a MAC address is configured, its default gateway MAC address matches the one specified. Configuring the MAC address is optional. You can configure multiple addresses using the + button.
This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.
Default Gateway: In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the specified IP address and, if a MAC address is configured, the specified MAC address. Configuring the MAC address is optional. You can configure multiple addresses using the + button.
Ping Server: In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.
Public IP: In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.
Connection Media: From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.
VPN Tunnel: In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.
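The matching conditions above can be checked offline against a snapshot of an endpoint's network state, which is useful when working out why an endpoint is being treated as off-fabric. The following Python example is added here and is not FortiClient or EMS code: the EndpointState fields, the rule dictionary keys, the dashed/CIDR IP range syntax, the reachable set that stands in for a live ping, and the rule that an endpoint is on-fabric when any selected rule is satisfied are all assumptions of the example, as are the sample addresses and the DHCP code placeholder. Only the public IP 208.91.115.30 is taken from the guide's later example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class EndpointState:
    """Constructed snapshot of what an endpoint reports; field names are this example's
    assumptions, not FortiClient's telemetry schema."""
    ems_online: bool = False
    ethernet_connected: bool = False
    wifi_connected: bool = False
    local_ips: List[str] = field(default_factory=list)   # Ethernet and wireless addresses
    gateway_ip: str = ""
    gateway_mac: str = ""
    dns_servers: List[str] = field(default_factory=list)
    public_ip: str = ""
    dhcp_server_ip: str = ""
    dhcp_server_mac: str = ""
    dhcp_code: str = ""                                  # DHCP option 224 value
    vpn_tunnel: str = ""                                 # connected tunnel name, if any
    reachable: Set[str] = field(default_factory=set)     # stands in for a live ping (assumption)


def _mac(m: str) -> str:
    return m.lower().replace("-", ":")


def _in_range(ip: str, spec: str) -> bool:
    """spec is CIDR ('10.10.20.0/24') or a dashed range ('10.10.20.1-10.10.20.254')."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    return low <= addr <= high


def evaluate_rule(rule: Dict, ep: EndpointState) -> bool:
    """Apply the matching condition the guide gives for one detection type."""
    kind = rule["type"]
    if kind == "EMS Connection":
        return ep.ems_online
    if kind == "Local IP/Subnet":
        in_range = any(_in_range(ip, rule["ip_range"]) for ip in ep.local_ips)
        mac_ok = not rule.get("gateway_mac") or _mac(rule["gateway_mac"]) == _mac(ep.gateway_mac)
        return in_range and mac_ok
    if kind == "Default Gateway":
        mac_ok = not rule.get("mac") or _mac(rule["mac"]) == _mac(ep.gateway_mac)
        return ep.gateway_ip == rule["ip"] and mac_ok
    if kind == "DNS Server":
        return any(ip in ep.dns_servers for ip in rule["ips"])
    if kind == "Public IP":
        return ep.public_ip in rule["ips"]
    if kind == "Ping Server":
        return any(ip in ep.reachable for ip in rule["ips"])
    if kind == "Connection Media":   # every configured medium must match
        actual = {"ethernet": ep.ethernet_connected, "wifi": ep.wifi_connected}
        return all(actual[m] == want for m, want in rule["media"].items())
    if kind == "VPN Tunnel":
        return ep.vpn_tunnel in rule["names"]
    if kind == "DHCP Server":        # IP/MAC tab, DHCP Code tab, or both
        configured = bool(rule.get("ips") or rule.get("macs") or rule.get("codes"))
        ip_ok = not rule.get("ips") or ep.dhcp_server_ip in rule["ips"]
        mac_ok = not rule.get("macs") or _mac(ep.dhcp_server_mac) in {_mac(m) for m in rule["macs"]}
        code_ok = not rule.get("codes") or ep.dhcp_code in rule["codes"]
        return configured and ip_ok and mac_ok and code_ok
    raise ValueError(f"unknown detection type: {kind}")


def is_on_fabric(rules: List[Dict], ep: EndpointState) -> bool:
    """Assumption of this example: on-fabric when any selected rule is satisfied."""
    return any(evaluate_rule(r, ep) for r in rules)


# Constructed rule set for a sample corporate LAN (addresses are examples, not real infrastructure;
# 208.91.115.30 is the address the guide uses in its public IP example).
CORPORATE_RULES = [
    {"type": "Local IP/Subnet", "ip_range": "10.10.20.1-10.10.20.254", "gateway_mac": "00-11-22-33-44-55"},
    {"type": "Public IP", "ips": ["208.91.115.30"]},
    {"type": "DHCP Server", "codes": ["FGT-SERIAL-PLACEHOLDER"]},
]


def office_endpoint() -> EndpointState:
    return EndpointState(ems_online=True, ethernet_connected=True, local_ips=["10.10.20.55"],
                         gateway_ip="10.10.20.1", gateway_mac="00:11:22:33:44:55",
                         dns_servers=["10.10.1.53"], public_ip="208.91.115.30",
                         dhcp_code="FGT-SERIAL-PLACEHOLDER", reachable={"10.10.1.53"})


def home_endpoint() -> EndpointState:
    return EndpointState(ems_online=True, wifi_connected=True, local_ips=["192.168.1.7"],
                         gateway_ip="192.168.1.1", gateway_mac="de:ad:be:ef:00:01",
                         dns_servers=["192.168.1.1"], public_ip="203.0.113.9")


if __name__ == "__main__":
    print("office on-fabric:", is_on_fabric(CORPORATE_RULES, office_endpoint()))
    print("home on-fabric:", is_on_fabric(CORPORATE_RULES, home_endpoint()))
```

Note that the home endpoint is online with EMS yet still off-fabric, because EMS Connection is not one of the selected rules; a rule set built only from the EMS Connection type would treat every reachable endpoint as on-fabric, which is rarely what an administrator intends.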
3. Click Delete.
4. In the confirmation dialog, click Yes.
FortiClient can use a DHCP code (option 224) to determine on-/off-net status. A FortiGate automatically includes this
option when used as a DHCP server. The following describes how to configure option 224 when a Windows server
handles DHCP.
1. On the Windows server, open DHCP settings.
2. Right-click IPv4, then select Set Predefined Options.
3. In the Option name dropdown list, confirm that option 224 has not been created.
4. Click Add.
5. In the Code field, enter 224.
6. Complete other fields as desired, then click OK.
7. Click Edit Array.
8. Click Add.
FortiOS requires endpoints' public IP addresses to achieve source IP address anchoring for IPsec VPN. FortiClient
includes an enhancement to ensure that FortiClient provides a correct and reliable public IP address. You can then use
the IP address in an on-Fabric detection rule in EMS.
This example configures an on-Fabric detection rule using the public IP address 208.91.115.30. The rule causes
FortiClient to become on-Fabric or off-Fabric depending on whether its public IP address is 208.91.115.30.
You can create Chromebook policies to assign endpoint profiles to domains of Chromebook endpoints. The
Chromebook Policy > Manage Chromebook Policies page provides a comprehensive summary of which policies are
applied to which groups within the Google domain.
This option is only available if you enable the EMS for Chromebooks Settings option in System Settings > EMS Settings.
Chromebook policies function identically to Windows, macOS, and Linux endpoint policies except that you apply them to
Chromebook endpoints and can only include a Chromebook profile. For details on configuring a Chromebook policy,
refer to the equivalent sections in Endpoint Policy & Components on page 175.
FortiClient EMS has separate endpoint profiles for the following features:
• Remote Access on page 192
• ZTNA Destinations on page 293
• Web Filter on page 303
• Video Filter on page 316
• Vulnerability Scan on page 318
• Malware Protection on page 320
• Sandbox on page 330
• Firewall on page 333
• System Settings on page 338
For each endpoint profile type, you can use the default profile or create various profiles for different configurations and
situations. You can then configure the desired combination of profiles in an endpoint policy and apply the policy to
endpoints. See Adding an endpoint policy on page 175.
You can also import profiles to EMS.
This section describes how to create a profile. You can use this profile to configure FortiClient software on endpoints by
including it in an endpoint policy and deploying the policy to endpoints.
1. Go to Endpoint Profiles.
2. Select the desired profile type.
3. Click the Add button.
When you enable Chromebook management on EMS, EMS creates default Web Filter and System Settings profiles for
Chromebooks. By default, EMS includes these profiles in the default Chromebook policy, which it applies to any Google
domains you add to FortiClient EMS.
You can add new Chromebook profiles to deploy different settings to Chromebook endpoints.
1. Go to Endpoint Profiles.
2. Go to Web Filter or System Settings.
3. Click Add, then click Add Chrome Profile.
4. Configure the profile as desired.
5. Click Save.
Managing profiles
Editing a profile
When you edit a profile that is assigned to endpoints or domains as part of an endpoint policy, FortiClient EMS
automatically pushes the changes to the endpoints or Chromebooks with the next Telemetry communication after you
save the profile.
To edit a profile:
Cloning a profile
To clone a profile:
For profiles imported from FortiGate or FortiManager, you can manually sync profiles so that they are updated with the
latest changes from the FortiGate or FortiManager that you imported them from.
1. Go to Endpoint Profiles > Import from FortiGate / FortiManager.
2. Select the desired profile.
3. Click Sync Now.
For profiles imported from FortiGate or FortiManager, you can edit the sync schedule.
1. Go to Endpoint Profiles > Manage Profiles.
2. Select the desired profile.
3. Click Edit Sync Schedule.
4. In the Synchronization Settings window, configure the following options:
a. One Time Pull: If selected, FortiClient EMS does not automatically sync profile changes from the FortiGate or
FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes
on page 191.
b. Group Schedule: Select to configure a group synchronization schedule for all selected profiles. Select the next
date and time to automatically update the profiles, and the profile update interval in days, hours, or seconds.
c. Individual Schedule: Select to configure an individual synchronization schedule for each selected profile.
Select the next date and time to automatically update each profile, and the profile update interval in days,
hours, or seconds.
Exporting a profile
You can export FortiClient endpoint profiles from EMS. When exporting the profile, all configured components are
included. Profiles are exported as their XML configuration.
To export a profile:
Importing a profile
You can import a profile to EMS. When importing a profile, you can choose which components to import. After importing
a profile, you can edit and include it in an endpoint policy.
To import a profile:
1. Go to Endpoint Profiles.
2. Select the desired profile type.
3. Do one of the following:
a. If you selected Web Filter, go to Import > Import from File.
b. If you selected another profile type, click Import from File.
4. In the Name field, enter the desired name.
5. In the XML field, browse to and upload the desired profile.
6. If desired, enable Chrome Profile. This is only available for Web Filter and System Settings profiles.
7. Do one of the following:
a. Enable Import All Components.
b. From the Components dropdown list, select the desired components to import from the profile. If Chrome
Profile is enabled, only Web Filter and System Settings are available for selection.
8. Click Upload.
Deleting profiles
Remote Access
Configuration Description
General
Allow Personal VPN: Allow users to create, modify, and use personal VPN configurations.
Disable Connect/Disconnect: Disable the Connect/Disconnect button when using Auto Connect with VPN.
Show VPN before Logon: Allow users to select a VPN connection before logging into the system.
Use Windows Credentials: If allowing users to select a VPN connection before logging into the system, enable this option to allow them to use their current Windows username and password.
Minimize FortiClient Console on Connect: Minimize FortiClient after successfully establishing a VPN connection.
Suppress VPN Notifications: Block FortiClient from displaying any VPN connection or error notifications.
Use Vendor ID: Use vendor ID. Enter the vendor ID in the Vendor ID field.
Enable Secure Remote Access: FortiClient denies or allows the endpoint to connect to a VPN tunnel based on the tunnel's Host Tag configuration. See the Host Tag field description in SSL VPN on page 194 and IPsec VPN on page 198.
Auto Connect: Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established a VPN connection manually at least once from the FortiClient GUI.
Auto Connect Only When Off-Fabric: Autoconnect to the selected VPN tunnel only when EMS considers the endpoint off-fabric. See On-fabric Detection Rules on page 183.
Always Up Max Tries: Maximum number of attempts to retry a VPN connection lost due to network issues. If set to 0, it retries indefinitely.
Network Lockdown: Configure network lockdown for off-fabric endpoints when they are not connected to SSL VPN.
When network lockdown is configured and an endpoint goes off-fabric, a grace period that the EMS administrator configured comes into effect. During the grace period, an endpoint can continue to access the LAN and the Internet without restrictions.
If the endpoint does not connect to SSL VPN by the end of the grace period, the endpoint cannot access the LAN and the internet. It can still access IP addresses and applications that the EMS administrator has configured as exceptions. FortiClient blocks both incoming and outgoing connection traffic unless the EMS administrator has configured it as an exception.
After the end of the grace period, the endpoint can connect to VPN to regain internet access. For a full tunnel VPN, the LAN is only accessible if exclusive routing is disabled. The administrator configures a limited number of attempts for the end user to enter valid VPN credentials. Once the user reaches the limit, the endpoint is in network lockdown.
This feature only supports SSL VPN on FortiClient (Windows).
Maximum Connection Attempts: Configure the maximum number of attempts for the end user of an off-fabric endpoint to enter valid SSL VPN credentials.
Paths to Excluded Applications: Enter the path to applications that an off-Fabric endpoint that is not connected to SSL VPN can still access.
Excluded IPs: Enter IP addresses that an off-Fabric endpoint that is not connected to SSL VPN can still access.
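The lockdown behaviour described under Network Lockdown, Maximum Connection Attempts, Paths to Excluded Applications and Excluded IPs can be written down as a small decision model, which helps when predicting what an off-fabric endpoint will still be able to reach. This Python example is added here and is not FortiClient's implementation; the class and field names, the use of a timestamp in seconds for the grace period, the case-insensitive path comparison, and the sample paths and addresses are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class LockdownConfig:
    """Settings the EMS administrator configures (names are this example's, not EMS field names)."""
    grace_period_s: int
    max_connection_attempts: int
    excluded_app_paths: List[str] = field(default_factory=list)   # Paths to Excluded Applications
    excluded_ips: List[str] = field(default_factory=list)         # Excluded IPs


@dataclass
class EndpointStatus:
    off_fabric: bool
    off_fabric_since_s: float        # when EMS last judged the endpoint off-fabric (assumed clock)
    ssl_vpn_connected: bool = False
    failed_logins: int = 0           # failed SSL VPN credential attempts since going off-fabric


def lockdown_active(cfg: LockdownConfig, st: EndpointStatus, now_s: float) -> bool:
    """Lockdown applies only to an off-fabric endpoint that is not on SSL VPN and whose
    grace period has run out; connecting the tunnel lifts it again."""
    if not st.off_fabric or st.ssl_vpn_connected:
        return False
    return now_s - st.off_fabric_since_s >= cfg.grace_period_s


def _norm_path(p: str) -> str:
    return p.strip().lower()   # Windows paths compare case-insensitively (assumption)


def connection_allowed(cfg: LockdownConfig, st: EndpointStatus, now_s: float,
                       app_path: str, remote_ip: str) -> bool:
    """Direction does not matter: incoming and outgoing traffic are both blocked during lockdown
    unless the application path or the remote IP address is on an exception list."""
    if not lockdown_active(cfg, st, now_s):
        return True
    if _norm_path(app_path) in {_norm_path(p) for p in cfg.excluded_app_paths}:
        return True
    return remote_ip in cfg.excluded_ips


def vpn_login_permitted(cfg: LockdownConfig, st: EndpointStatus) -> bool:
    """The user may keep entering SSL VPN credentials until the configured attempt limit."""
    return st.failed_logins < cfg.max_connection_attempts


if __name__ == "__main__":
    # Constructed configuration: 5-minute grace period, three credential attempts, one helpdesk
    # tool and one update server allowed through during lockdown.
    cfg = LockdownConfig(300, 3, ["C:\\Program Files\\Corp\\Helpdesk\\helpdesk.exe"], ["203.0.113.10"])
    st = EndpointStatus(off_fabric=True, off_fabric_since_s=1000.0)
    for t in (1100.0, 1400.0):
        print(t, connection_allowed(cfg, st, t, "C:\\Users\\alice\\browser.exe", "198.51.100.5"))
```

Keep the exception lists short and specific when configuring this in EMS: every excluded path or address is reachable from a locked-down endpoint without the VPN, so it is the part of the policy worth reviewing most carefully.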
SSL VPN
To view and configure SSL VPN settings, you must enable SSL VPN visibility in System
Settings > Feature Select. See Feature Select on page 494.
Configuration Description
DNS Cache Service Control: FortiClient disables the Windows DNS cache when it establishes an SSL VPN tunnel. The DNS cache is restored after FortiClient disconnects from the SSL VPN tunnel. If you observe that Fortinet single sign-on clients do not function correctly when an SSL VPN tunnel is up, use Prefer SSL VPN DNS to control the DNS cache.
Prefer SSL VPN DNS: When disabled, EMS does not add the custom DNS server from SSL VPN to the physical interface. When enabled, EMS prepends the custom DNS server from SSL VPN to the physical interface.
Do Not Accept Invalid Server Certificate: FortiClient does not complete the requested VPN connection when an invalid SSL VPN server certificate is used.
Enable Invalid Server Certificate Warning: FortiClient displays a warning to the user when an invalid SSL VPN certificate is used.
Split Tunnel Route Metric: Set the route metric for certain subnets as needed.
For example, you may want to set negative split routes with a higher metric, so these routes can be deactivated when another VPN product is being used and sets the same routes as FortiClient's negative split routes but with a lower metric.
This configuration is not recommended for most use cases. This element only takes effect when you enable negative split tunnel.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an SSL VPN tunnel using manual
configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available
for manual SSL VPN tunnel creation:
Basic Settings
Name: Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.
Remote Gateway: Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.
Android Certificate Location: Configure a certificate location for FortiClient (Android) to automatically go to when selecting a certificate. See Certificate path configuration for automated certificate selection on page 228.
Prompt for Username: Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Office 365
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of an entry, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
• Application Name: teams.exe;firefox.exe
• Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
• Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
Advanced Settings
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel.
FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:
• Azure
• Okta
If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.
The FortiClient save password feature is commonly used along with the autoconnect and always-up features as well.
The <use_gui_saml_auth> XML option affects how FortiClient presents SAML authentication in the GUI. See SSL VPN.
FQDN Resolution Persistence: Enable FortiClient to remember the IP address with which it contacts the FortiGate and reuse it throughout the connection phase. This feature helps support load balancing SSL VPN gateways with one FQDN. This feature is only available for FortiClient (Windows). See Load balancing SSL VPN gateways with one FQDN on page 224.
Use External Browser as User-agent for SAML Login: Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection on page 211.
Enable Azure Auto Login: Configure FortiClient to automatically connect to a specified VPN tunnel immediately after it installs and receives its configuration from EMS, authenticating the connection using Microsoft Entra ID (formerly known as Azure Active Directory) credentials. See Autoconnect on logging in as an Entra ID user on page 217.
Redundant Sort Method: How FortiClient determines the order in which to try connecting to the SSL VPN servers when more than one is defined. FortiClient calculates the order before each SSL VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Tag: Select Allow or Prohibit, then select the desired security posture tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Security Posture Tags on page 367.
You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
1. Configure a security posture tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a security posture tagging rule set on page 367.
2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list.
Customize Host Check Fail Warning: Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied security posture tag. For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signatures, so that they can connect to the VPN tunnel afterward.
Show "Remember Password" Option: Show the option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.
Show "Always Up" Option: Show the option to have the VPN tunnel always up. You must also enable this option on the FortiGate.
Show "Auto Connect" Option: Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.
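A parser for the Add Application(s) field and a matcher for excluded domains, written as an added Python example that is not FortiClient or EMS code. It serves the Local Applications and Domain descriptions of both the SSL VPN tunnel above and the IPsec VPN tunnel below, which state the same rules: entries are separated by semicolons, a directory must end with \, no spaces at the head or tail, no double quotes, environment variables such as %LOCALAPPDATA% are allowed, and excluding youtube.com also excludes *.youtube.com. The classification names, the problem strings, the sample paths and the environment-variable mapping are assumptions of the example; %VAR% expansion uses a mapping you supply so the check runs on any OS.

```python
import re
from typing import Dict, List, Tuple

_ENV_VAR = re.compile(r"%([^%]+)%")


def classify_entry(raw: str) -> Tuple[str, str, List[str]]:
    """Classify one Add Application(s) entry as 'directory' (ends with \\), 'full_path' or
    'process_name', and report the formatting problems the guide warns about."""
    problems = []
    if raw != raw.strip():
        problems.append("leading or trailing space")
    if '"' in raw:
        problems.append("double quotes are not allowed, even around paths with spaces")
    value = raw.strip().replace('"', "")
    if not value:
        problems.append("empty entry")
        return "empty", value, problems
    if value.endswith("\\"):
        kind = "directory"
    elif "\\" in value or _ENV_VAR.search(value):
        kind = "full_path"
    else:
        kind = "process_name"
    return kind, value, problems


def parse_entries(field_value: str) -> List[Dict]:
    """Split the semicolon-separated field and classify every entry."""
    results = []
    for raw in field_value.split(";"):
        kind, value, problems = classify_entry(raw)
        results.append({"kind": kind, "value": value, "problems": problems})
    return results


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively from a supplied mapping (constructed here so the
    example runs on any OS); unknown variables are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def domain_excluded(host: str, excluded_domains: List[str]) -> bool:
    """Excluding youtube.com also excludes every subdomain (*.youtube.com), as the guide states,
    but not unrelated names that merely end in the same letters (notyoutube.com)."""
    host = host.lower().rstrip(".")
    for d in excluded_domains:
        d = d.lower().lstrip("*").lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    # Constructed field value mirroring the guide's Teams/Firefox example, with one bad entry.
    sample = "teams.exe;C:\\Program Files\\Mozilla Firefox\\; \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
    for entry in parse_entries(sample):
        print(entry)
    env = {"LOCALAPPDATA": "C:\\Users\\alice\\AppData\\Local"}   # constructed mapping
    print(expand_env("%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe", env))
```

Running the parser over a field value before saving the profile catches the two mistakes the guide warns about (stray spaces after a semicolon and quoted paths), which FortiClient would otherwise silently fail to match, leaving that application's traffic inside the tunnel.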
IPsec VPN
Configuration Description
Beep If Connection Fails: PC beeps if connection to the IPsec VPN tunnel fails.
Show Auth Certificates Only: Only shows certificates with authentication in certificate features.
Check for Certificate Private Key: Does not show certificates if the private key is not directly accessible, such as for smartcards.
Enhanced Key Usage Mandatory: Lists only certificates with private keys that allow enhanced key usage.
When you click the Add Tunnel button in the VPN Tunnels section, you can create an IPsec VPN tunnel using manual
configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available
for manual IPsec VPN tunnel creation:
Basic Settings
Name: Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.
Remote Gateway: Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.
Android Certificate Location: Configure a certificate location for FortiClient (Android) to automatically go to when selecting a certificate. Available if you selected Smart Card Certificate or System Store Certificate for Authentication Method. See Certificate path configuration for automated certificate selection on page 228.
Pre-Shared Key: Enter the required preshared key. Available if you selected Pre-Shared Key for Authentication Method.
Prompt for Username: Prompt for the username when accessing VPN.
Split Tunnel
Application Based: Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
• Microsoft Office 365
• Microsoft Teams
• Skype
• GoToMeeting
• Zoom
• WebEx
• YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail of an entry, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
• Application Name: teams.exe;firefox.exe
• Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
• Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
VPN Settings
Specify DNS Server (IPv4): Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.
Assign IP Address (IPv4): Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.
Split Table: Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.
Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required. You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
DH Groups: Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.
Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
Enable Implied SPDO: Enable implied SPDO. Enter the timeout in seconds.
Dead Peer Detection: Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
NAT Traversal: Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Allow non-administrators to use machine certificates: Allow non-administrator users to use local machine certificates to connect IPsec VPN.
Phase 2: Select the encryption and authentication algorithms to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.
DH Group: Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.
Key Life: Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB has been processed. When the phase 2 key expires, a new key is generated without interrupting service.
Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
Enable Perfect Forward Secrecy (PFS): Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
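To show why the Phase 1, DH Groups, Key Life and Phase 2 settings above are expressed as proposals that must match on both sides, here is an added Python example of the matching logic; it is not FortiClient or FortiOS code and does not implement IKE itself. The Proposal class, the algorithm strings, and the assumption that the client's configured order expresses its preference are this example's; the limits it enforces (one or two proposals, DH groups 1 to 21 as listed, phase 1 key life 120 to 172,800 seconds, phase 2 key life by time and/or kilobytes) are the ones the descriptions state.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "aes256" (string names are this example's choice)
    authentication: str   # e.g. "sha256"


VALID_DH_GROUPS = {1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
PHASE1_KEY_LIFE_RANGE = (120, 172_800)   # seconds, per the Key Life description


def validate_client_phase(proposals: Sequence[Proposal], dh_groups: Sequence[int],
                          key_life_s: Optional[int] = None) -> None:
    """Enforce the limits the guide states for the FortiClient side of a phase."""
    if not 1 <= len(proposals) <= 2:
        raise ValueError("configure between one and two proposals")
    if not dh_groups or any(g not in VALID_DH_GROUPS for g in dh_groups):
        raise ValueError(f"DH groups must come from {sorted(VALID_DH_GROUPS)}, got {list(dh_groups)}")
    low, high = PHASE1_KEY_LIFE_RANGE
    if key_life_s is not None and not low <= key_life_s <= high:
        raise ValueError("phase 1 key life must be between 120 and 172,800 seconds")


def negotiate_proposal(client: Sequence[Proposal], gateway: Sequence[Proposal]) -> Optional[Proposal]:
    """First client proposal (in the configured order) that the gateway also offers; None means
    the phase fails. Assumption: the client's order expresses its preference."""
    offered = set(gateway)
    return next((p for p in client if p in offered), None)


def negotiate_dh_group(client: Sequence[int], gateway: Sequence[int]) -> Optional[int]:
    """Any one common group is enough; no common group means failed negotiation."""
    return next((g for g in client if g in gateway), None)


def phase2_key_expired(elapsed_s: int, processed_kb: int,
                       life_s: Optional[int] = None, life_kb: Optional[int] = None) -> bool:
    """Phase 2 key life may be a time limit, a volume limit, or both; with both configured the
    key expires as soon as either limit is reached."""
    by_time = life_s is not None and elapsed_s >= life_s
    by_volume = life_kb is not None and processed_kb >= life_kb
    return by_time or by_volume


def negotiate_phase(client_p, gateway_p, client_dh, gateway_dh) -> dict:
    """Outcome of one phase: both a proposal and a DH group must be agreed."""
    proposal = negotiate_proposal(client_p, gateway_p)
    group = negotiate_dh_group(client_dh, gateway_dh)
    return {"proposal": proposal, "dh_group": group, "ok": proposal is not None and group is not None}


if __name__ == "__main__":
    # Constructed configurations: the client prefers AES-256/SHA-256 but the gateway only shares
    # its second proposal, and only DH group 19 is common to both sides.
    client = [Proposal("aes256", "sha256"), Proposal("aes128", "sha1")]
    gateway = [Proposal("aes128", "sha1"), Proposal("aes256", "sha512")]
    validate_client_phase(client, [14, 19], key_life_s=86400)
    print(negotiate_phase(client, gateway, [14, 19], [19, 20]))
```

The failure mode this makes visible is the silent one: a client whose two proposals and DH groups are all stronger than anything the gateway accepts simply never connects, so when tightening algorithms on one side, keep at least one proposal and one group in common until the other side has been updated.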
Advanced Settings
Enable XAuth: When IKEv1 is selected, enable IKE Extended Authentication (XAuth). When IKEv2 is selected, enable Extensible Authentication Protocol (EAP).
XAuth Timeout: Only available if Enable XAuth is enabled. Configure the timeout in seconds. The default value is two minutes if not configured. Enter a value between 120 and 300 seconds.
Show Passcode: Display Passcode instead of Password in the VPN tab in FortiClient.
Enforce Acceptance of Disclaimer Message: Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.
Enable SAML Login: Enable SAML SSO login for this VPN tunnel.
FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:
• Azure
• Okta
If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.
The FortiClient save password feature is commonly used along with the autoconnect and always-up features as well.
SAML Port: Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider.
Failover SSL VPN Connection: If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.
Redundant Sort Method: How FortiClient determines the order in which to try connecting to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.
When Server is selected, FortiClient tries the order explicitly defined in the server settings.
When Ping Speed is selected, FortiClient determines the order by the ping response speed.
When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.
Tags: Select Allow or Prohibit, then select the desired security posture tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Security Posture Tags on page 367.
You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
1. Configure a security posture tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a security posture tagging rule set on page 367.
2. For the VPN tunnel settings, select Prohibit, then select the configured tag from
the Select a Tag dropdown list.
Endpoints without up-to-date AV signatures are prohibited from connecting to the
VPN tunnel.
Customize Host Check Fail Enable and configure a custom message to display to the user when EMS prohibits
Warning the endpoint from connecting to the VPN tunnel due to its applied security posture tag.
For the example configuration described in the Host Tag field description, you could
configure a custom message to direct the user to update their AV signature, so that
they can connect to the VPN tunnel afterward.
Show "Remember Show option to have the VPN tunnel remember the password. You must also enable
Password" Option this option on the FortiGate.
Show "Always Up" Option Show option to have the VPN tunnel always up. You must also enable this option on
the FortiGate.
Show "Auto Connect" Option Automatically connect the VPN tunnel. You must also enable this option on the
FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up
with a user profile set to automatic logon.
FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to
exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude
applications like the following from the VPN tunnel:
l Microsoft Office 365
l Microsoft Teams
l Skype
l GoToMeeting
l Zoom
l WebEx
l YouTube
You must configure these settings in the endpoint profile in EMS. The following instructions assume that you have
already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.
This feature does not support explicitly including traffic in the VPN tunnel.
Currently FortiClient (macOS) and FortiClient (Linux) do not support source application-based
split tunnel.
Configuration Description
l Microsoft Teams
l Skype
l GoToMeeting
l Zoom
l WebEx
l YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded
applications to the physical interface.
Local Applications: You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application by its process name, its full path, or the directory where it is installed. When entering a directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not wrap paths that contain spaces in double quotes. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
l Application Name: teams.exe;firefox.exe
l Full Path: %localappdata%\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
l Directory: %localappdata%\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications: You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain: You can exclude domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to separate multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, both youtube.com and *.youtube.com are excluded from the tunnel.
Select the domain checkbox, then click Remove to remove it from the list.
This example shows excluding Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:
4. Assign the profile to the desired endpoints. When VPN is up on those endpoints, FortiClient excludes the application
traffic specified in the profile from the VPN tunnel as configured.
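The parsing and matching rules described above for the Add Application(s) field, as an added example that is not part of this guide or of FortiClient's own code. It assumes a constructed set of environment-variable values for a hypothetical user alice, and its matching semantics (a process-name entry matches on the file name, a full-path entry on the whole path, a directory entry on any image located under it) are this example's reading of the guide, not FortiClient's documented implementation:

```python
import ntpath
import re

# Constructed environment-variable values for the example endpoint (assumption:
# a real endpoint would supply these from the logged-in user's session).
ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}


def expand_env(value, env=ENV):
    """Expand %NAME% references case-insensitively; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def parse_exclusions(field, env=ENV):
    """Parse the Add Application(s) field into (kind, normalized_value) entries.

    Rules taken from the guide: entries are separated by ';', a value ending in
    '\\' is a directory, any other value containing '\\' is a full path, and a
    bare value is a process name. Leading/trailing spaces and surrounding double
    quotes are rejected rather than silently stripped.
    """
    entries = []
    for raw in field.split(";"):
        if raw == "":
            continue  # tolerate a trailing ';'
        if raw != raw.strip() or raw.startswith('"') or raw.endswith('"'):
            raise ValueError(f"malformed entry: {raw!r}")
        # normcase lower-cases and forces '\\' separators on every platform
        value = ntpath.normcase(expand_env(raw, env))
        if value.endswith("\\"):
            entries.append(("directory", value))
        elif "\\" in value:
            entries.append(("path", value))
        else:
            entries.append(("name", value))
    return entries


def matching_exclusion(image_path, entries):
    """Return the first entry that pulls this process image off the tunnel, or None."""
    image = ntpath.normcase(image_path)
    for kind, value in entries:
        if kind == "name" and ntpath.basename(image) == value:
            return kind, value
        if kind == "path" and image == value:
            return kind, value
        if kind == "directory" and image.startswith(value):
            return kind, value
    return None


if __name__ == "__main__":
    # Constructed field value mixing all three entry forms from the guide.
    field = ("teams.exe;"
             "C:\\Program Files\\Mozilla Firefox\\firefox.exe;"
             "%localappdata%\\Microsoft\\Teams\\current\\")
    rules = parse_exclusions(field)
    for proc in ("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
                 "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Update.exe",
                 "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                 "C:\\Windows\\notepad.exe"):
        print(proc, "->", matching_exclusion(proc, rules))
```

Because the guide says a directory entry must end with \, the trailing separator is the only thing that distinguishes a directory from a full path here: an entry such as C:\Program Files\Mozilla Firefox without the trailing backslash is treated as a full path and matches no running process, which is the kind of silent misconfiguration worth checking for before pushing a profile.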
Configuring a profile to allow or block endpoint from VPN tunnel connection based
on the applied security posture tag
You can configure a profile to allow or block an endpoint from connecting to a VPN tunnel based on its applied security
posture tag. This feature is only available for Windows endpoints. This example describes configuring an endpoint profile
to prohibit Windows endpoints with critical vulnerabilities from connecting to VPN.
To configure an endpoint profile to prohibit endpoints with critical vulnerabilities from connecting to
VPN:
1. Create a security posture tagging rule set that tags endpoints with critical vulnerabilities with the "Vulnerable
Devices" tag:
a. Go to Security Posture Tags > Security Posture Tagging Rules.
b. Click Add.
c. In the Tag Endpoint As field, create a new "Vulnerable Devices" tag.
d. Toggle Enabled to on.
e. Click Add Rule.
f. For Windows devices, from the Rule Type dropdown list, select Vulnerable Devices.
g. From the Severity Level dropdown list, select Critical.
h. Click Save.
i. Click Save again.
After the next communication between EMS and FortiClient, endpoints with this profile applied are unable to connect to
this VPN tunnel if they have critical vulnerabilities. The following shows the notification that the end user sees when their
connection to the VPN tunnel is prohibited due to critical vulnerabilities on their device. After the end user fixes the
vulnerabilities, FortiClient allows them to establish the VPN connection.
You can configure FortiClient to connect to a preconfigured SSL VPN tunnel instead when connection to a configured IPsec VPN tunnel fails. This is useful when the IPsec VPN tunnel is blocked, or when a public router or gateway does not handle NAT for IPsec VPN correctly.
This guide assumes that the EMS administrator has already configured an SSL VPN tunnel and IPsec VPN tunnel on the
desired endpoint profile.
To view and configure SSL VPN settings, you must enable SSL VPN visibility in System
Settings > Feature Select. See Feature Select on page 494.
5. Verify that the Failover SSL VPN field specifies the SSL VPN tunnel configured in step 2.
6. Attempt connection to the IPsec VPN tunnel when you know that it fails. FortiClient automatically connects to the
configured SSL VPN tunnel instead.
When establishing an SSL VPN tunnel connection, FortiClient can present a SAML authentication request to the end
user in a web browser.
FortiClient (Windows) and (macOS) 7.0.1 and EMS 7.0.1 support this feature. FortiClient (Linux) 7.0.1 does not support
this feature.
This feature is not supported when SSL VPN realms are configured. When SSL VPN realms are configured and the user
provides their SAML authentication credentials in an external browser, FortiClient fails to establish the SSL VPN
connection.
The <use_gui_saml_auth> XML option affects how FortiClient presents SAML authentication in the GUI. See SSL
VPN.
1. In the FortiOS CLI, create a SAML user. Ensure that the SP and IdP details match the details provided by
FortiAuthenticator:
config user saml
edit "su10"
To view and configure SSL VPN settings, you must enable SSL VPN visibility in System
Settings > Feature Select. See Feature Select on page 494.
1. In EMS, go to Endpoint Profiles > Manage Profiles, and edit the desired profile.
2. On the VPN tab, click Add Tunnel. Provide the correct gateway information. In Advanced Settings, enable Enable
SAML Login. Configure other fields as desired. Save the tunnel.
3. On the XML Configuration tab, under the <sso_enabled> element for the tunnel, add <use_external_browser>1</use_external_browser>.
1. After FortiClient receives the latest configuration update from EMS, go to the Remote Access tab.
2. View the tunnel to verify that the Use external browser as user-agent for saml user authentication field is enabled.
3. Connect to the tunnel by clicking SAML Login. Verify that FortiClient opens your default browser to prompt for
authentication. Provide your credentials and click Login to establish the connection.
You can configure per-machine SSL and IPsec VPN tunnels that connect before user logon without user interaction
using XML configuration. The following describes the XML tags required:
The following are example XML configurations for SSL and IPsec VPN per-machine autoconnect. Both are balanced but incomplete XML fragments: they include all closing tags but omit some elements that a complete configuration requires.
<vpn>
<options>
<on_os_start_connect>myfgt-ssl</on_os_start_connect>
<show_vpn_before_logon>1</show_vpn_before_logon>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
</options>
<sslvpn>
<options>
<enabled>1</enabled>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
</options>
<connections>
<connection>
<name>myfgt-ssl</name>
<description />
<server>172.17.61.39:10439</server>
<ui>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<save_username>0</save_username>
<show_remember_password>1</show_remember_password>
</ui>
<machine>1</machine>
<password>11111111</password>
<username>t1</username>
<keep_running>0</keep_running>
<certificate>
<common_name>
<match_type>simple</match_type>
<pattern>
<![CDATA[ems.loc]]>
</pattern>
</common_name>
<issuer>
<match_type>simple</match_type>
<pattern>
<![CDATA[L4RTP-AD4-EMS-LAB-CA]]>
</pattern>
</issuer>
</certificate>
<warn_invalid_server_certificate>0</warn_invalid_server_certificate>
<prompt_certificate>1</prompt_certificate>
<prompt_username>1</prompt_username>
</connection>
</connections>
</sslvpn>
</vpn>
<ipsecvpn>
<connections>
<connection>
<name>myfgt-ipsec</name>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<ike_settings>
<server>fgt28.com</server>
<authentication_method>System Store X509 Certificate</authentication_method>
<fgt>1</fgt>
<prompt_certificate>1</prompt_certificate>
<xauth_timeout>120</xauth_timeout>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
<username>t1</username>
<password>1</password>
</xauth>
<run_fcauth_system>1</run_fcauth_system>
<auth_data>
<certificate>
<common_name>
<match_type>wildcard</match_type>
<pattern>*</pattern>
</common_name>
<issuer>
<match_type>simple</match_type>
<pattern>L4RTP-AD4-EMS-LABCA</pattern>
</issuer>
</certificate>
</auth_data>
</ike_settings>
<ipsec_settings>
</ipsec_settings>
<host_check_fail_warning></host_check_fail_warning>
<keep_running>0</keep_running>
<machine>1</machine>
</connection>
</connections>
</ipsecvpn>
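A profile audit for the two fragments above, added here as an example and not FortiClient or EMS code. It parses a constructed profile in the same shape (placeholder tunnel names and hosts; unlike the guide's second fragment, the sample nests <ipsecvpn> under <vpn> as a full FortiClient configuration does) and checks the wiring that makes before-logon connect work: <on_os_start_connect> must name a configured tunnel, and that tunnel must carry <machine>1</machine>. It also flags what a reviewer would question in the guide's own fragments: a static <password> stored in the profile, and an SSL VPN tunnel that neither disallows nor warns about an invalid server certificate. The <show_vpn_before_logon> warning is based only on the guide's example setting it to 1, not on a documented requirement:

```python
import xml.etree.ElementTree as ET

# Constructed profile in the shape of the guide's fragments; names, hosts and
# the xauth password are placeholders for this example only.
SAMPLE_PROFILE = """<forticlient_configuration>
<vpn>
  <options>
    <on_os_start_connect>myfgt-ssl</on_os_start_connect>
    <show_vpn_before_logon>1</show_vpn_before_logon>
  </options>
  <sslvpn>
    <options>
      <enabled>1</enabled>
      <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
    </options>
    <connections>
      <connection>
        <name>myfgt-ssl</name>
        <server>vpn.example.test:10443</server>
        <machine>1</machine>
        <username/>
        <password/>
        <keep_running>0</keep_running>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
      </connection>
    </connections>
  </sslvpn>
  <ipsecvpn>
    <connections>
      <connection>
        <name>hq-ipsec</name>
        <machine>0</machine>
        <ike_settings>
          <server>gw.example.test</server>
          <xauth><enabled>1</enabled><username>t1</username><password>secret</password></xauth>
        </ike_settings>
      </connection>
    </connections>
  </ipsecvpn>
</vpn>
</forticlient_configuration>
"""


def audit_machine_autoconnect(xml_text):
    """Return [(severity, message)] for a per-machine autoconnect profile.

    'error' findings stop the before-logon connect from working at all;
    'warning' findings are settings to question before pushing the profile.
    """
    root = ET.fromstring(xml_text)
    vpn = root if root.tag == "vpn" else root.find("vpn")
    if vpn is None:
        return [("error", "no <vpn> element found")]
    findings = []

    tunnels = {}  # tunnel name -> (kind, <connection> element)
    for kind in ("sslvpn", "ipsecvpn"):
        for block in vpn.iter(kind):
            for conn in block.findall("connections/connection"):
                tunnels[(conn.findtext("name") or "").strip()] = (kind, conn)

    target = (vpn.findtext("options/on_os_start_connect") or "").strip()
    if not target:
        findings.append(("error", "<on_os_start_connect> is empty; nothing connects before logon"))
    elif target not in tunnels:
        findings.append(("error", f"<on_os_start_connect> names '{target}', which is not a configured tunnel"))
    elif (tunnels[target][1].findtext("machine") or "0").strip() != "1":
        findings.append(("error", f"tunnel '{target}' lacks <machine>1</machine>, so it cannot connect before logon"))

    if (vpn.findtext("options/show_vpn_before_logon") or "0").strip() != "1":
        findings.append(("warning", "<show_vpn_before_logon> is not 1 (the guide's example sets it)"))

    disallow_el = vpn.find("sslvpn/options/disallow_invalid_server_certificate")
    disallow = (disallow_el.text or "").strip() if disallow_el is not None else ""
    for name, (kind, conn) in tunnels.items():
        pw = conn.find(".//password")  # <password> or ike_settings/xauth/password
        if pw is not None and (pw.text or "").strip():
            findings.append(("warning", f"{kind} tunnel '{name}' embeds a static password in the profile XML"))
        warn = (conn.findtext("warn_invalid_server_certificate") or "").strip()
        if kind == "sslvpn" and warn == "0" and disallow == "0":
            findings.append(("warning", f"sslvpn tunnel '{name}' neither blocks nor warns on an invalid server certificate"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_machine_autoconnect(SAMPLE_PROFILE):
        print(f"{severity}: {message}")
```

Run it against the exported XML of a profile before assigning it; a misspelled tunnel name in <on_os_start_connect> fails silently on the endpoint, and the machine tunnel is the one that runs with no user present, so credentials embedded in it deserve a second look.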
Use cases
In addition to per-machine autoconnect VPN tunnels, you can also configure per-user autoconnect VPN tunnels. The
following describes the expected behavior for different scenarios involving these VPN tunnels:
Scenario: Only a per-user autoconnect tunnel with <keep_running> disabled is configured.
Behavior:
l The per-user tunnel only connects after the user logs in to the device.
l The per-user tunnel does not disconnect unless the user manually disconnects it.
l When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.
Scenario: Only a per-user autoconnect tunnel with <keep_running> enabled is configured.
Behavior:
l The per-user tunnel only connects after the user logs in to the device.
l The per-user tunnel does not disconnect.
l When the device disconnects from the network, the per-user tunnel disconnects.
l When the device reconnects to the network, the per-user tunnel reconnects.
l When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.
Scenario: Only a per-machine autoconnect tunnel with <keep_running> disabled is configured.
Behavior:
l The per-machine tunnel connects before the user logs in to the device.
l After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
l When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.
Scenario: Only a per-machine autoconnect tunnel with <keep_running> enabled is configured.
Behavior:
l The per-machine tunnel connects before the user logs in to the device.
l After the user logs in to the device, the per-machine tunnel remains connected and does not disconnect.
l When the device disconnects from the network, the per-machine tunnel disconnects.
l When the device reconnects to the network, the per-machine tunnel reconnects.
l When the user manually disconnects the per-machine tunnel, the tunnel does not automatically reconnect.
Scenario: The following tunnels are configured:
l A per-machine autoconnect tunnel with <keep_running> disabled
l A per-user autoconnect tunnel with <keep_running> disabled, <show_remember_password> enabled, and <show_autoconnect> enabled
Behavior:
l The per-machine tunnel connects before the user logs in to the device.
l After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
l When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.
Scenario: The following tunnels are configured:
l A per-machine autoconnect tunnel with <keep_running> enabled
l A per-user autoconnect tunnel with <keep_running> enabled
Behavior:
l The per-machine tunnel connects before the user logs in to the device.
l After the user logs in to the device, the per-machine tunnel disconnects, and the per-user tunnel connects.
l When the device disconnects from the network, the per-user tunnel disconnects.
l When the device reconnects to the network, the per-user tunnel reconnects.
l When the user manually disconnects the per-user tunnel, the tunnel does not automatically reconnect.
This document is not intended to cover all possible VPN tunnel configuration combinations.
You can configure FortiClient to automatically connect to a specified VPN tunnel using Microsoft Entra ID credentials.
FortiClient supports two autoconnect methods with Entra ID SAML VPN:
l FortiClient can establish the VPN tunnel seamlessly without manual authentication if the user is already logged in to
an Entra ID domain-joined endpoint. See Method 1: Autoconnect with Entra ID domain-joined FortiClient endpoint
on page 218.
l The user establishes the VPN tunnel using manual authentication for the first time that they establish that VPN
tunnel. Afterward, FortiClient can seamlessly establish the VPN tunnel without manual authentication. See Method
2: Autoconnect with non Entra ID-joined FortiClient endpoint on page 218.
The following describes configuration for both methods.
The following instructions assume that you have already configured your Entra ID environment, that your FortiClient
EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an
enterprise application for SAML single sign on. See Tutorial: Azure AD SSO integration with FortiGate SSL VPN.
1. On the Windows machine, go to Settings > Accounts > Access work or school > Join this device to Microsoft Entra ID.
2. Enter the Entra ID domain account credentials.
3. Reboot the endpoint.
4. Log in with the configured Entra ID credentials.
To configure EMS:
After the endpoint receives the updated configuration, when the user is logged in as the Entra ID domain user on the
endpoint, FortiClient seamlessly connects to the VPN tunnel without displaying a prompt for credentials. The user does
not need to manually authenticate the VPN tunnel connection.
To configure FortiOS:
7. In the Custom redirect URIs field, enter ms-appx-web://microsoft.aad.brokerplugin/, followed by the application ID that you noted. For example, if your application ID is 123456, enter ms-appx-web://microsoft.aad.brokerplugin/123456.
8. Save the configuration.
To configure EMS:
To configure FortiOS:
You must define a user, msgraph, and use it as a member of User & Authentication > User Groups. The following shows
the relevant CLI commands:
config user external-identity-provider
edit "msgraph"
set type ms-graph
set version v1.0
next
end
config user group
edit "SSLVPN_SAML_Entra_ID"
set authtimeout 60
set member "SSLVPN_SAML_Entra_ID" "msgraph"
next
end
config user saml
edit "azure_saml"
set auth-url "https://graph.microsoft.com/v1.0/me"
next
end
To configure EMS:
<vpn>
<sslvpn>
<connections>
<connection>
<name>SSL VPN HQ</name>
<sso_enabled>1</sso_enabled>
<azure_auto_login>
<enabled>1</enabled>
<azure_app>
<tenant_name>Domain name obtained from the Azure portal.</tenant_name>
<client_id>Application ID obtained from the Azure portal</client_id>
</azure_app>
</azure_auto_login>
</connection>
</connections>
</sslvpn>
</vpn>
4. In general VPN settings, specify the desired tunnel as the autoconnect tunnel:
<vpn>
<options>
<autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>
<autoconnect_on_install>1</autoconnect_on_install>
</options>
</vpn>
1. As an end user, log in to an endpoint that has the profile configured in To configure EMS: on page 220 applied.
2. FortiClient automatically attempts to connect to the specified VPN tunnel. If this is the initial attempt to connect to
this VPN tunnel, Windows displays a prompt to select the desired Entra ID account. Select the desired account.
You should now configure one of the following permission options. These steps assume that you have already
configured Azure SAML SSL/IPsec VPN autoconnect as this document describes and you are signed in as a global
administrator of the same tenant.
3. To have Need admin approval shown to users, do the following:
a. In the Azure portal, go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
b. Set Assignment required? to Yes.
c. Add the desired users to Users & Groups.
d. Remove any permissions in App Registration.
e. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
f. Right-click and remove permission.
g. To disallow user consent for all applications, do the following:
i. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and
permissions > Manage > User consent settings.
ii. For User consent for applications, select Do not allow user consent.
4. To have users consent per a permissions request but avoid admin approval, do the following:
a. Go to Enterprise Application > <Your VPN application> > (sidebar) Manage > Properties.
b. Set Assignment required? to No. This allows any valid user from this tenant to use the app. You no longer need
to add users to Users and groups to have access to this app. As per Microsoft documentation, when an
application requires assignment, user consent for that application is not allowed. This is true even if users
consent for that app would have otherwise been allowed.
c. Remove any permissions in App Registration.
d. Go to Home > App Registration > <Your VPN application> > (sidebar) Manage > API permissions.
e. Right-click and remove permission.
f. Allow users to consent:
i. Go to Home > Enterprise Application > <Your VPN application> > (sidebar) Security > Consent and
permissions > Manage > User consent settings.
ii. Select User consent for applications > Allow user consent for apps from verified publishers for selected
permissions.
iii. Go to Manage > Permission classifications.
iv. Ensure the following are listed under Low-risk permissions > Microsoft Graph:
l email
l User.Read
l offline_access
l profile
l openid
The next time that the Entra ID user signs in with FortiClient Entra ID autoconnect triggered, the user should see a
popup requesting permissions.
5. To grant admin consent to an enterprise application such that a user does not need to request consent, do one of
the following:
a. To grant this consent through the standard permission UI as a global administrator, do the following:
i. Connect to the VPN. You are prompted as usual to grant permissions for your user account to the
enterprise application.
ii. As a global administrator, there is an extra Consent on behalf of your organization checkbox. Select it to
grant admin consent to the application. Other users do not need to grant consent.
b. To grant this consent in the Azure portal, do the following:
i. Go to Enterprise Application > <Your VPN application> > (sidebar) Security > Permissions.
ii. Click app registration in the sentence To configure requested permissions for apps you own, use the app
registration.
iii. Go to API Permissions > Configured permissions > Add a permission > Request API permissions >
Microsoft APIs > Microsoft Graph > Delegated Permissions.
l offline_access
l openid
l profile
l email
The prompt to grant permissions does not appear if the Azure domain or tenant administrator
has already granted permission on behalf of the organization.
When connecting to SSL VPN with an FQDN, FortiClient remembers the IP address with which it first contacts the FortiGate and reuses it throughout the connection phase. This feature is available for FortiClient (Windows) and unavailable for FortiClient (macOS) or (Linux).
Prior to this enhancement, users experienced failed connections when load balancing SSL VPN gateways behind one FQDN. The failures occurred because the DNS server returned results in round-robin order while FortiClient was still establishing the SSL VPN connection during the login phase, so different steps of the same connection went to different FortiGates.
With this enhancement, before SSL VPN authentication, FortiClient resolves the FQDN to an IP address and saves it to the hosts file. This keeps FortiClient talking to the same FortiGate during the entire tunnel establishment process, including authentication and tunnel creation.
To support this feature, the DNS server must return the same IP address to multiple name lookup requests (sticky session).
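The round-robin failure and the hosts-file pin, modelled as an added example that is not FortiClient code. The FQDN and gateway addresses are the ones the guide uses in the procedure that follows; the rotating DNS server and the hosts file are constructed stand-ins. Each connection resolves the name twice, once for the login phase and once for tunnel establishment; without pinning the two lookups can land on different gateways, with pinning the first answer is written to a hosts-style table, reused for both lookups, and removed afterward, which is the state the procedure's final step tells you to verify:

```python
import itertools

# Addresses from the guide's example; the DNS behaviour and hosts file are constructed.
FQDN = "fortigatessl.fortinet.local"
GATEWAYS = ["172.17.161.168", "172.17.162.10"]
HOSTS = (
    "# constructed hosts file for the example\n"
    "# 127.0.0.1 localhost\n"
)


class RoundRobinDNS:
    """Stand-in for a DNS server that rotates its answer on every query."""

    def __init__(self, records):
        self._cycles = {name.lower(): itertools.cycle(ips) for name, ips in records.items()}

    def query(self, name):
        return next(self._cycles[name.lower()])


def parse_hosts(text):
    """{hostname: ip} from hosts-file text; '#' comments and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table.setdefault(n.lower(), ip)  # first entry wins, as the resolver does
    return table


def pin(hosts_text, ip, name):
    """Append a hosts entry so every later lookup of name returns ip."""
    return hosts_text.rstrip("\n") + f"\n{ip} {name}\n"


def unpin(hosts_text, ip, name):
    """Remove exactly the entry that pin() added, leaving the rest untouched."""
    kept = [l for l in hosts_text.splitlines() if l.strip() != f"{ip} {name}"]
    return "\n".join(kept) + "\n"


def resolve(name, hosts_text, dns):
    """Hosts table first, then DNS, in the order the OS resolver applies them."""
    return parse_hosts(hosts_text).get(name.lower()) or dns.query(name)


def connect(dns, hosts_text, name, persist):
    """Model the two resolution points of an SSL VPN connection (login phase,
    then tunnel establishment). Returns (login_ip, tunnel_ip, hosts_text_after)."""
    pinned = None
    if persist:
        pinned = resolve(name, hosts_text, dns)
        hosts_text = pin(hosts_text, pinned, name)
    login_ip = resolve(name, hosts_text, dns)
    tunnel_ip = resolve(name, hosts_text, dns)
    if pinned:
        hosts_text = unpin(hosts_text, pinned, name)
    return login_ip, tunnel_ip, hosts_text


if __name__ == "__main__":
    for persist in (False, True):
        login, tunnel, after = connect(RoundRobinDNS({FQDN: GATEWAYS}), HOSTS, FQDN, persist)
        print(f"persist={persist}: login via {login}, tunnel via {tunnel}, "
              f"{'same' if login == tunnel else 'DIFFERENT'} gateway; hosts restored={after == HOSTS}")
```

The model also shows why the pin must be removed: a stale hosts entry would survive the session and silently override DNS for every later connection, including after the pinned FortiGate is taken out of the load-balanced pool.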
To view and configure SSL VPN settings, you must enable SSL VPN visibility in System
Settings > Feature Select. See Feature Select on page 494.
1. Configure multiple remote gateways and map them to one FQDN on the DNS server. In this example, the remote
gateways are 172.17.161.168 and 172.17.162.10. The FQDN is fortigatessl.fortinet.local.
d. In Advanced Settings, enable Enable SAML Login, FQDN Resolution Persistence, and Use External Browser
as User-agent for SAML Login.
e. Configure other settings as desired, and save the profile.
The following shows the XML configuration for this tunnel:
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<options>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<minimize_window_on_connect>1</minimize_window_on_connect>
<disable_connect_disconnect>0</disable_connect_disconnect>
<autoconnect_on_install>0</autoconnect_on_install>
<suppress_vpn_notification>0</suppress_vpn_notification>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<show_negotiation_wnd>0</show_negotiation_wnd>
<keep_running_max_tries>1</keep_running_max_tries>
<use_windows_credentials>0</use_windows_credentials>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_vpn_before_logon>0</show_vpn_before_logon>
</options>
<sslvpn>
<connections>
<connection>
<name>Test</name>
<uid>EC71C6B4-8C6D-460F-A141-F8982338867B</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<username/>
<password/>
<certificate/>
<prompt_certificate>0</prompt_certificate>
<prompt_username>1</prompt_username>
<fgt>1</fgt>
<is_fgd_cloud>0</is_fgd_cloud>
<disclaimer_msg/>
<sso_enabled>1</sso_enabled>
<keep_fqdn_resolution_consistency>1</keep_fqdn_resolution_consistency>
<use_external_browser>1</use_external_browser>
<azure_auto_login>
<enabled>0</enabled>
<azure_app>
<tenant_name/>
<client_id/>
</azure_app>
</azure_auto_login>
<single_user_mode>0</single_user_mode>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<save_username>0</save_username>
</ui>
<warn_invalid_server_certificate>0</warn_invalid_server_certificate>
<redundant_sort_method>0</redundant_sort_method>
<RedundantSortMethod>0</RedundantSortMethod>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<server>fortigatessl.fortinet.local:444</server>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<enabled>1</enabled>
<warn_invalid_server_certificate>0</warn_invalid_server_certificate>
<dnscache_service_control>0</dnscache_service_control>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<no_dns_registration>0</no_dns_registration>
</options>
</sslvpn>
</vpn>
</forticlient_configuration>
1. In FortiClient, on the Remote Access tab, select the desired tunnel from the VPN Name dropdown list.
2. Click SAML Login.
3. Open the hosts file. Confirm that an entry was added to resolve the SSL VPN tunnel FQDN:
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
172.17.161.168 fortigatessl.fortinet.local
4. Enter valid SAML credentials to successfully establish the SSL VPN tunnel.
5. Confirm that the entry in the hosts file was removed after FortiClient established the SSL VPN tunnel connection:
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
The EMS administrator can configure a certificate location in a Remote Access profile for SSL and IPsec VPN.
FortiClient (Android) automatically goes to the certificate location when doing the following:
l When selecting a certificate
l When the user clicks Connect to connect to SSL VPN
To view and configure SSL VPN settings, you must enable SSL VPN visibility in
System Settings > Feature Select. See Feature Select on page 494.
b. For an IPsec VPN tunnel, from the Authentication Method dropdown list, select Smart Card Certificate or
System Store Certificate.
5. In the Android Certificate Location field, enter the certificate location for the Android device. In this example, the
location is certdir/. You should already have created this directory in the Android device internal storage. The
certificate path can be only one level deep. For example, you could configure this field as Folder/clientcert.p12.
6. Connect FortiClient (Android) to EMS.
7. After FortiClient (Android) receives the configuration changes, do one of the following:
a. For SSL VPN, connect to VPN. Clicking Connect automatically navigates to certdir, the configured certificate location. Clicking the certificate options in Settings for the VPN tunnel also goes to certdir.
b. For IPsec VPN, go to the tunnel, then Settings > Server settings > Certificate. FortiClient (Android)
automatically navigates to certdir, the configured certificate location. Select the certificate, enter the password,
This feature enables seamless and secure connectivity for users accessing corporate resources by automatically
establishing IPsec VPN connections based on Microsoft Entra ID (formerly known as Azure Active Directory or AD)
logon session information.
In the example use case, an organization has implemented a comprehensive security strategy that includes using IPsec
VPN for securing communications between its network resources. To enhance user experience and streamline the
connectivity process, the organization wants to implement IPsec VPN autoconnect, leveraging Entra ID logon session
information. With automated IPsec VPN connections, users can focus on their tasks without the burden of manual VPN
setup processes. Leveraging Entra ID logon session information ensures that only compliant and authenticated users
can establish IPsec VPN connection.
3. Create an IPsec VPN tunnel that uses IKEv2. This example uses childless IKE authentication. Ensure that you
enable the azure-ad-autoconnect option:
config vpn ipsec phase1-interface
edit "Azure"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set comments "VPN: Azure (Created by VPN wizard)"
set dhgrp 5
set authusrgrp "msgraphgrp"
set childless-ike enable
set azure-ad-autoconnect enable
set ipv4-start-ip 192.168.1.1
set ipv4-end-ip 192.168.1.255
set dns-mode auto
set ipv4-split-include "Azure_split"
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
IdtpOOstic/GXm0KwTMjMVlhWoZIcHWPCM5RMfvk9Q7jLbgSwhHhkdyo35bMrNzdUglsq8saXNGM5fcnczN
C1X9Yn1E3F3THUE5U+g1XoIgXJt98VoEs4ROYGZaCOQTBusqMgBmtmRGSY3kZVzgk+Ym+lCpEPaPvTLxmzX
T5h7xl4MFMuOT+6v3cmb6Rz/xoq1zXFg==
next
end
<host_check_fail_warning/>
<ike_settings>
<server>172.19.200.113</server>
<authentication_method>Preshared Key</authentication_method>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>0</enabled>
<prompt_username>0</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>96</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>0</enable_local_lan>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>0</run_fcauth_system>
<auth_data>
<preshared_key>Enc
8000cad35ca0ce889e17d2f949042781fd02a57a1ae7afb13be95840b7e4</preshared_key>
</auth_data>
<dhgroup>5;14</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<disable_default_route>0</disable_default_route>
<enabled>1</enabled>
<usesmcardcert>1</usesmcardcert>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<block_ipv6>1</block_ipv6>
<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<show_auth_cert_only>0</show_auth_cert_only>
<check_for_cert_private_key>0</check_for_cert_private_key>
<uselocalcert>0</uselocalcert>
<beep_if_error>0</beep_if_error>
<no_dns_registration>0</no_dns_registration>
<enable_udp_checksum>0</enable_udp_checksum>
</options>
</ipsecvpn>
<lockdown>
<enabled>0</enabled>
<exceptions>
<apps/>
<ips/>
</exceptions>
<max_attempts>3</max_attempts>
<grace_period>120</grace_period>
</lockdown>
<options>
<on_os_start_connect/>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<suppress_vpn_notification>0</suppress_vpn_notification>
<secure_remote_access>0</secure_remote_access>
<minimize_window_on_connect>1</minimize_window_on_connect>
<allow_sslvpn>0</allow_sslvpn>
<show_negotiation_wnd>0</show_negotiation_wnd>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<disable_connect_disconnect>0</disable_connect_disconnect>
<allow_personal_vpns>1</allow_personal_vpns>
<autoconnect_tunnel>IPSEC</autoconnect_tunnel>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>
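The FortiOS phase1-interface entry and the EMS IPsec profile above are maintained in two different places, and a mismatch between them only shows up as a failed negotiation. The following Python is an added example, not code from the guide or from Fortinet: it parses a FortiOS CLI fragment and an EMS profile fragment, both constructed here from the values shown above and trimmed to the settings the check reads (the psksecret is a placeholder), and reports where the two sides disagree or where a weak Diffie-Hellman group is still negotiable. The list of weak groups (MODP-768, -1024 and -1536, that is dhgrp 1, 2 and 5, which RFC 8247 rates MUST NOT or SHOULD NOT) is the editor's, not a FortiOS setting.

```python
"""Cross-check a FortiOS phase1-interface entry against the EMS IPsec profile.

Added example, not from the FortiClient EMS guide or Fortinet. Both inputs are
constructed from the values shown in the guide and trimmed to the fields read
here; the psksecret is a placeholder. WEAK_DH_GROUPS is the editor's list
(MODP-768, -1024 and -1536 per RFC 8247), not a FortiOS setting.
"""
import xml.etree.ElementTree as ET

FORTIOS_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "Azure"
        set type dynamic
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set dhgrp 5
        set authusrgrp "msgraphgrp"
        set childless-ike enable
        set azure-ad-autoconnect enable
        set psksecret ENC placeholder
    next
end
"""

EMS_PROFILE = """\
<forticlient_configuration><vpn>
  <ipsecvpn><connections><connection>
    <ike_settings>
      <server>172.19.200.113</server>
      <authentication_method>Preshared Key</authentication_method>
      <version>2</version>
      <mode_config>1</mode_config>
      <dhgroup>5;14</dhgroup>
    </ike_settings>
  </connection></connections></ipsecvpn>
  <options><autoconnect_tunnel>IPSEC</autoconnect_tunnel></options>
</vpn></forticlient_configuration>
"""

WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_phase1(cli_text):
    """Return {entry: {setting: value}} for each 'edit' block of the CLI dump."""
    entries, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries


def cross_check(cli_text, profile_xml, entry="Azure"):
    """Return a list of findings; an empty list means the two sides agree."""
    gw = parse_phase1(cli_text)[entry]
    root = ET.fromstring(profile_xml)
    ike = root.find("./vpn/ipsecvpn/connections/connection/ike_settings")
    findings = []

    # Entra ID autoconnect is IKEv2-only and needs the gateway flag, a user
    # group to authorize the token against, and the client set to autoconnect.
    if gw.get("ike-version") != "2" or ike.findtext("version") != "2":
        findings.append("not IKEv2 on both sides")
    if gw.get("azure-ad-autoconnect") != "enable":
        findings.append("azure-ad-autoconnect disabled on gateway")
    if not gw.get("authusrgrp"):
        findings.append("no authusrgrp for the Entra ID token")
    if root.findtext("./vpn/options/autoconnect_tunnel") != "IPSEC":
        findings.append("profile does not autoconnect the IPsec tunnel")

    # Authentication method and mode-cfg must match or IKE_AUTH fails.
    psk_gw = "psksecret" in gw
    psk_client = ike.findtext("authentication_method") == "Preshared Key"
    if psk_gw != psk_client:
        findings.append("authentication method mismatch")
    if gw.get("mode-cfg") != "enable" or ike.findtext("mode_config") != "1":
        findings.append("mode-cfg enabled on only one side")

    # The phase 1 DH groups must overlap; a weak group present in both lists
    # stays negotiable even when stronger ones are also offered.
    common = set(gw.get("dhgrp", "").split()) & set(ike.findtext("dhgroup", "").split(";"))
    if not common:
        findings.append("no common IKE DH group")
    weak = sorted(common & WEAK_DH_GROUPS)
    if weak:
        findings.append("weak DH group negotiable: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in cross_check(FORTIOS_PHASE1, EMS_PROFILE) or ["no findings"]:
        print(finding)
```

Run against the values from the guide the only finding is the shared group 5; changing the gateway to `set dhgrp 14` (still in the profile's `5;14` list) clears it without breaking the overlap, which is the fix a practitioner would apply before rolling the profile out.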
After the profile changes sync to the endpoint, it autoconnects to the IPsec VPN tunnel. Note that in this example phase 1 is authenticated with a pre-shared key and peertype any, so the EMS serial number check and the Entra ID token authentication, both visible in the debug output below, are what decide whether an endpoint is granted an IPsec SA.
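During IKE_AUTH the endpoint identifies itself and its EMS in a FORTICLIENT_CONNECT notify, which the ike debug output in step 3 below prints first as hex and then as 'received FCT data', followed by 'EMS SN check passed'. The following Python is an added example, not code from the guide or from Fortinet: it decodes a payload constructed in that same key=value layout (placeholder user, UID and EMS serial), applies the serial-number check against an assumed set of trusted EMS serials, and walks constructed debug lines (same format as the guide's output) to report which autoconnect milestones a negotiation reached, which is the quickest way to see at which stage a failed autoconnect stopped.

```python
"""Decode FortiClient's FORTICLIENT_CONNECT payload and check it the way the
gateway does. Added example; not code from the FortiClient EMS guide or from
Fortinet. The payload and the debug lines are constructed to match the shapes
shown in the guide's 'diagnose debug application ike -1' output; user names
and serial numbers are placeholders, and TRUSTED_EMS_SERIALS stands in for
the EMS the FortiGate is joined to (an assumed input, not a FortiOS setting).
"""

# Constructed sample payload: the key=value text FortiClient sends in the
# FORTICLIENT_CONNECT notify, hex-encoded as it appears in an ike 'dec' line.
# FortiClient terminates the MAC list with ';' and the payload with a NUL.
SAMPLE_FCT_TEXT = (
    "VER=1\nFCTVER=7.2.3.0918\nUID=CFC62AA23F344235B5D8A61855E7FF6D\n"
    "IP=172.19.200.185\nMAC=00-15-5d-51-03-04;\nHOST=DESKTOP-0CDOF3V\n"
    "USER=MCarey\n"
    "OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045)\n"
    "REG_STATUS=0\nEMSSN=FCTEMS123456\n\x00"
)
SAMPLE_FCT_HEX = SAMPLE_FCT_TEXT.encode().hex().upper()

TRUSTED_EMS_SERIALS = {"FCTEMS123456"}  # assumed: the EMS this gateway trusts
REQUIRED_FIELDS = ("FCTVER", "UID", "HOST", "EMSSN")


def parse_fct_data(hex_blob):
    """Hex-decode the payload and split it into a field dict.

    Trailing NUL bytes are stripped and the ';' that ends the MAC list is
    dropped. Unknown keys are kept so a newer client does not break parsing.
    """
    raw = bytes.fromhex(hex_blob).rstrip(b"\x00").decode("utf-8", "replace")
    fields = {}
    for line in raw.split("\n"):
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().rstrip(";")
    return fields


def check_ems_serial(fields, trusted):
    """Mirror the gateway decision: EMSSN must name an EMS the gateway trusts.

    Returns (passed, reason). Fails closed when a required field is absent, so
    a truncated or hand-built payload cannot pass by omitting the serial.
    """
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        return False, "FCT data missing " + ", ".join(missing)
    if fields["EMSSN"] not in trusted:
        return False, "EMS SN %s not trusted" % fields["EMSSN"]
    return True, "EMS SN check passed for %s (UID %s)" % (fields["HOST"], fields["UID"])


# Milestones an Entra ID autoconnect hits, in order, as worded in ike debug
# output. A missing or out-of-order stage points at where the attempt died
# (for example no AZURE_AD_TOKEN means the client never presented a token).
STAGES = (
    "received notify type AZURE_AD_AUTOCONNECT",
    "EMS SN check passed",
    "authentication succeeded",
    "processing notify type AZURE_AD_TOKEN",
    "Azure AD auth succeeded",
    "add IPsec SA",
)

# Constructed debug lines in the guide's format: timestamp, 'ike 0:<sa>:', text.
SAMPLE_DEBUG = """\
2023-11-28 15:52:07.878763 ike 0:d9ae37737ffaa01f/0000000000000000:31: received notify type AZURE_AD_AUTOCONNECT
2023-11-28 15:52:07.994736 ike 0:Azure:31: EMS SN check passed
2023-11-28 15:52:07.995634 ike 0:Azure:31: authentication succeeded
2023-11-28 15:52:08.110925 ike 0:Azure_0:31: processing notify type AZURE_AD_TOKEN
2023-11-28 15:52:08.508794 ike 0:Azure_0: Azure AD auth succeeded (msgraphgrp)
2023-11-28 15:52:09.559849 ike 0:Azure_0:31:Azure:16: add IPsec SA: SPIs=089ed054/b6309e87
"""


def autoconnect_progress(debug_text):
    """Return the stage names reached, in the order the log first hit them."""
    reached = []
    for line in debug_text.splitlines():
        if " ike 0:" not in line:
            continue
        for stage in STAGES:
            if stage in line and stage not in reached:
                reached.append(stage)
    return reached


def autoconnect_complete(debug_text):
    """True only when every stage appears, in the expected order."""
    return autoconnect_progress(debug_text) == list(STAGES)


if __name__ == "__main__":
    fields = parse_fct_data(SAMPLE_FCT_HEX)
    print(check_ems_serial(fields, TRUSTED_EMS_SERIALS))
    print(autoconnect_progress(SAMPLE_DEBUG))
```

To use it on a real capture, paste the hex from the 'dec' line of the AUTH exchange (the stretch that decodes to VER=...) into parse_fct_data and the whole debug transcript into autoconnect_progress; the serial check is a local re-implementation of the comparison the gateway logs, not a call into FortiOS.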
1. From the endpoint, ping the internal server located behind the edge FortiGate. The ping succeeds.
2. In FortiOS, go to Dashboard > Network and expand the IPsec widget. Observe that the tunnel is up.
3. View debug logs on FortiOS by running the diagnose debug application ike -1 and diagnose debug enable
commands. The following shows example output, which includes the endpoint IP address, hostname, and EMS
serial number:
Debug messages will be on for 30 minutes.
(root) # 2023-11-28 15:52:07.878432 ike 0: comes
172.19.200.185:500>172.19.200.113:500,ifindex=3,vrf=0....
2023-11-28 15:52:07.878511 ike 0: IKEv2 exchange=SA_INIT
id=d9ae37737ffaa01f/0000000000000000 len=468
2023-11-28 15:52:07.878517 ike 0: in
D9AE37737FFAA01F00000000000000002120220800000000000001D42200006C0200003401010005030
0000C0100000C800E008003000008020000020300000803
000002030000080400000E000000080400000500000034020100050300000C0100000C800E010003000
00802000005030000080300000C030000080400000E0000000804000005280000C80005000029C52815
C
D2472B215CE446B390FE2DF7C6F052B8D7944B839A10FCF82153A4B45D3B643A6E1780214D599926C29
C343BEE53AFA1E9E5E2D21E8E50A2401E36EC5C50C087E8BEB44C42E63AE180B6AD200B7C9D0CC38307
1
2BFBFE094239F2D8DDD688CCF47ACFEC2E6BF0AA12741D464C3DB27B281D592D6380E8D7B0CFB5EDEA3
AD2C708EF3DF586208F6FD4546D5C2BA940B753D85B167F1B579189E4799963B0A52D5F25715F7FADA4
A
374429CDA00A47867F430F12BE423EB60FB026B762B000014B8CC569F7DF724021D79F462613E502E2B
0000144C53427B6D465D1B337BB755A37A7FEF29000014B4F01CA951E9DA8D0BAFBBD34AD3044E29000
0
1C00004004E899574FF8046F347253D49303195705324AB60F2900001C000040051601420DB7DE78D20
5377D3EC86A5AC8FBE790D6290000080100F1060000000801004022
2023-11-28 15:52:07.878529 ike 0:d9ae37737ffaa01f/0000000000000000:31: responder
received SA_INIT msg
2023-11-28 15:52:07.878533 ike 0:d9ae37737ffaa01f/0000000000000000:31: VID
forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
2023-11-28 15:52:07.878538 ike 0:d9ae37737ffaa01f/0000000000000000:31: VID Fortinet
Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
2023-11-28 15:52:07.878541 ike 0:d9ae37737ffaa01f/0000000000000000:31: received
notify type NAT_DETECTION_SOURCE_IP
2023-11-28 15:52:07.878545 ike 0:d9ae37737ffaa01f/0000000000000000:31: received
notify type NAT_DETECTION_DESTINATION_IP
2023-11-28 15:52:07.878763 ike 0:d9ae37737ffaa01f/0000000000000000:31: received
notify type AZURE_AD_AUTOCONNECT
2023-11-28 15:52:07.878767 ike 0:d9ae37737ffaa01f/0000000000000000:31: received
notify type CHILDLESS_IKEV2_SUPPORTED
2023-11-28 15:52:07.878771 ike 0:d9ae37737ffaa01f/0000000000000000:31: ignoring
unauthenticated notify payload (CHILDLESS_IKEV2_SUPPORTED)
2023-11-28 15:52:07.878983 ike 0:d9ae37737ffaa01f/0000000000000000:31: incoming
proposal:
2023-11-28 15:52:07.878987 ike 0:d9ae37737ffaa01f/0000000000000000:31: proposal id
= 1:
2023-11-28 15:52:07.879196 ike 0:d9ae37737ffaa01f/0000000000000000:31: protocol =
IKEv2:
2023-11-28 15:52:07.879199 ike 0:d9ae37737ffaa01f/0000000000000000:31:
encapsulation = IKEv2/none
2023-11-28 15:52:07.879203 ike 0:d9ae37737ffaa01f/0000000000000000:31:
type=ENCR, val=AES_CBC (key_len = 128)
2023-11-28 15:52:07.879205 ike 0:d9ae37737ffaa01f/0000000000000000:31:
type=INTEGR, val=AUTH_HMAC_SHA_96
2023-11-28 15:52:07.879419 ike 0:d9ae37737ffaa01f/0000000000000000:31:
type=PRF, val=PRF_HMAC_SHA
2023-11-28 15:52:07.879423 ike 0:d9ae37737ffaa01f/0000000000000000:31:
type=DH_GROUP, val=MODP1536.
2023-11-28 15:52:07.879426 ike 0:d9ae37737ffaa01f/0000000000000000:31:
type=DH_GROUP, val=MODP2048.
2023-11-28 15:52:07.879430 ike 0:d9ae37737ffaa01f/0000000000000000:31: proposal id
= 2:
2023-11-28 15:52:07.879640 ike 0:d9ae37737ffaa01f/0000000000000000:31: protocol =
IKEv2:
2023-11-28 15:52:07.879643 ike 0:d9ae37737ffaa01f/0000000000000000:31:
encapsulation = IKEv2/none
2023-11-28 15:52:07.879646 ike 0:d9ae37737ffaa01f/0000000000000000:31:
030000080300000C0000000804000005280000C80005000019215B62D25A7F7A5E7B358E5B2C1C3C700
84FD3A606A456015CF1A74314BCD7B5372C2CFBA2AB3F4DEA7A5531C27B59CC043D3BAE9002875A6496
6
DFA7E6A953742D24719C5E3D8D5D45D50A46C700DB099C0D7A0C719CAD5E0D6B061FE75CF3B1E5E492E
9AFDC8D5E0020FA2E93A4208BE12604E8E1EE4A6B68C6131164DE13D03DF19214F9685C2ADAA3CE8768
D
0E47654EBA43016F0E61C5FEE550FA44A822334501F56199BD0DDD7BB19C0D8BF5AC626D6D9F7069ECE
2F932191A0D30E22900001456BC1469291826AE59A604D454BFF2BF2900001C00004004F6DBD029D92D
8
03928AE0CE23033027A9C20CAE92900001C000040054F8EE7A0730C99FD82681C8CAF9D7F488C6EE751
0000000801004022
2023-11-28 15:52:07.880692 ike 0:Azure:31: sent IKE msg (SA_INIT_RESPONSE):
172.19.200.113:500->172.19.200.185:500, len=360, vrf=0,
id=d9ae37737ffaa01f/e0e51ae3ed77f20
8
2023-11-28 15:52:07.880725 ike 0:Azure:31: IKE SA d9ae37737ffaa01f/e0e51ae3ed77f208
SK_ei 32:021F8486C8956677F0B0F1F2BA452F75DD9833DA841D47DA772126AFE49CBF1B
2023-11-28 15:52:07.880728 ike 0:Azure:31: IKE SA d9ae37737ffaa01f/e0e51ae3ed77f208
SK_er 32:A5EF924BD16BCE20AE70FE0FD61EAF70781D575E6EFA8F788A666B6700EA2DED
2023-11-28 15:52:07.880731 ike 0:Azure:31: IKE SA d9ae37737ffaa01f/e0e51ae3ed77f208
SK_ai 32:382A41BB8F3AD7A75964AA0E686052E71E63E3CC2C932EF15987A44DB3F5911A
2023-11-28 15:52:07.880738 ike 0:Azure:31: IKE SA d9ae37737ffaa01f/e0e51ae3ed77f208
SK_ar 32:4C1FC87AE6A0912DAA2636F2A81FBA793E702DA73FBEEAA3504EEAB68B32F193
2023-11-28 15:52:07.993013 ike 0: comes 172.19.200.185:500-
>172.19.200.113:500,ifindex=3,vrf=0....
2023-11-28 15:52:07.993062 ike 0: IKEv2 exchange=AUTH
id=d9ae37737ffaa01f/e0e51ae3ed77f208:00000001 len=464
2023-11-28 15:52:07.993290 ike 0: in
D9AE37737FFAA01FE0E51AE3ED77F2082E20230800000001000001D0230001B4E7B1C9245F45F810624
FFD12C9F2A28B2F2C08E9401A2AA912E7A53BE340A62EF5
5B7617F3B1EA24AAC418B700B79127C1763D611430D75C12D7AAF4AB48289536DF9812D23A742255846
E785CA1F93405BBD31240155DED929C1AA9AEB2C6E4DE29DE2B305EC3B4ADFDB2ECD31FEF13A5B20C9A
B
5FE18E83F3A5A8A8FB9826512545661675ED918D7687429FDFCA7156FECD7E95DFEF9FE399A760167F0
292EAA7601FE9E02BF4265EE6A3291747029E483D4C5C319F4885C2A5C4E1AA74BFF38857285E4B9128
F
6BD7875A193D27C63692C6A082B2E3AF4C97ECE69486688397470A7160AF07604F168298F44EE433FDD
91A23A6746B4A34232D0C60EDCE3A869F46D00340FD314E3A19E23813DCD55D6F001C9A461A9151FC43
4
7212AE54D139BFBD95072184D6BCD96BFE91A77484A14EF21A510947AF72004E73188BDCA2D90B99B26
C6ADAE0DED61096A5A9033250DB16CAFB8330F8B86374EE426F22A37F1B5E4B4C03B785064601CD9D78
6
B97F1A5915AE1FF0AAB9548C0AB645E8817AA421E16F2190F38F708FDA1ED0FB8E242B1251D36A4AEF3
B84CDF858D6CA30118400B7DE7CD32AB86E5BCBFEAFA38E
2023-11-28 15:52:07.993602 ike 0:Azure:31: dec
D9AE37737FFAA01FE0E51AE3ED77F2082E20230800000001000001A9230000042900000C01000000AC1
3C8B92900000800004000270001010000F100
5645523D310A4643545645523D372E322E332E303931380A5549443D434643363241413233463334343
23335423544384136313835354537464636440A49503D3137322E31392E3230302E3138350A4D41433D
3
0302D31352D35642D35312D30332D30343B0A484F53543D4445534B544F502D3043444F4633560A5553
45523D476F70696368616E644D75726172690A4F535645523D4D6963726F736F66742057696E646F777
3
20313020456E74657270726973652045646974696F6E2C2036342D62697420286275696C64203139303
435290A5245475F5354415455533D300A454D53534E3D464354454D53383832333039313730320A002F
0
0002802000000A5C200F5D13E654044C91714F1EC7BBC77964528DB2A56F03CBD82F7EECCEBEF290000
44010000000007001046435438303030353332303235303330000100000002000000030000000400000
0
0D000070010000540A0000540B000070000000001900000000000800004022
2023-11-28 15:52:07.993807 ike 0:Azure:31: responder received AUTH msg
2023-11-28 15:52:07.994029 ike 0:Azure:31: processing notify type INITIAL_CONTACT
2023-11-28 15:52:07.994083 ike 0:Azure:31: processing notify type FORTICLIENT_
CONNECT
2023-11-28 15:52:07.994277 ike 0:Azure:31: received FCT data len = 249, data =
'VER=1
FCTVER=7.2.3.0918
UID=CFC62AA23F344235B5D8A61855E7FF6D
IP=172.19.200.185
MAC=00-15-5d-51-03-04;
HOST=DESKTOP-0CDOF3V
USER=MCarey
OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045)
REG_STATUS=0
EMSSN=FCTEMS123456
'
2023-11-28 15:52:07.994510 ike 0:Azure:31: received FCT-UID :
CFC62AA23F344235B5D8A61855E7FF6D
2023-11-28 15:52:07.994714 ike 0:Azure:31: received EMS SN : FCTEMS123456
2023-11-28 15:52:07.994736 ike 0:Azure:31: EMS SN check passed
2023-11-28 15:52:07.994939 ike 0:Azure:31: processing notify type CHILDLESS_IKEV2_
SUPPORTED
2023-11-28 15:52:07.994965 ike 0:Azure:31: peer identifier IPV4_ADDR 172.19.200.185
2023-11-28 15:52:07.995168 ike 0:Azure:31: re-validate gw ID
2023-11-28 15:52:07.995178 ike 0:Azure:31: gw validation OK
2023-11-28 15:52:07.995413 ike 0:Azure:31: auth verify done
2023-11-28 15:52:07.995628 ike 0:Azure:31: responder AUTH continuation
2023-11-28 15:52:07.995634 ike 0:Azure:31: authentication succeeded
2023-11-28 15:52:07.995874 ike 0:Azure:31: mode-cfg type 7 request
16:'46435438303030353332303235303330'
2023-11-28 15:52:07.996080 ike 0:Azure:31: mode-cfg received APPLICATION_VERSION
'FCT8000532025030'
2023-11-28 15:52:07.996086 ike 0:Azure:31: mode-cfg type 1 request 0:''
2023-11-28 15:52:07.996312 ike 0:Azure: mode-cfg allocate 192.168.1.1/0.0.0.0
2023-11-28 15:52:07.996319 ike 0:Azure:31: mode-cfg using allocated IPv4
192.168.1.1
2023-11-28 15:52:07.996535 ike 0:Azure:31: mode-cfg type 2 request 0:''
2023-11-28 15:52:07.996540 ike 0:Azure:31: mode-cfg type 3 request 0:''
2023-11-28 15:52:07.996763 ike 0:Azure:31: mode-cfg type 4 request 0:''
2023-11-28 15:52:07.996769 ike 0:Azure:31: mode-cfg WINS ignored, no WINS servers
configured
2023-11-28 15:52:07.996989 ike 0:Azure:31: mode-cfg type 13 request 0:''
2023-11-28 15:52:07.996995 ike 0:Azure:31: mode-cfg type 28673 request 0:''
2023-11-28 15:52:07.997215 ike 0:Azure:31: mode-cfg UNITY type 28673 requested
2023-11-28 15:52:07.997446 ike 0:Azure:31: mode-cfg type 21514 request 0:''
2023-11-28 15:52:07.997451 ike 0:Azure:31: mode-cfg type 21514 requested
2023-11-28 15:52:07.997455 ike 0:Azure:31: mode-cfg type 21515 request 0:''
2023-11-28 15:52:07.997460 ike 0:Azure:31: mode-cfg type 21515 requested
2023-11-28 15:52:07.997464 ike 0:Azure:31: mode-cfg type 28672 request 0:''
2023-11-28 15:52:07.997468 ike 0:Azure:31: mode-cfg UNITY type 28672 requested
2023-11-28 15:52:07.997472 ike 0:Azure:31: mode-cfg no banner configured, ignoring
2023-11-28 15:52:07.997476 ike 0:Azure:31: mode-cfg type 25 request 0:''
2023-11-28 15:52:07.997483 ike 0:Azure:31: responder preparing AUTH msg
2023-11-28 15:52:07.997489 ike 0:Azure: IPv6 pool is not configured
2023-11-28 15:52:07.997494 ike 0:Azure: adding new dynamic tunnel for
172.19.200.185:500
2023-11-28 15:52:07.997513 ike 0:Azure_0: tunnel created tun_id
192.168.1.1/::10.0.0.11 remote_location 0.0.0.0
2023-11-28 15:52:07.997592 ike 0:Azure_0: added new dynamic tunnel for
172.19.200.185:500
2023-11-28 15:52:07.997598 ike 0:Azure_0:31: established IKE SA
d9ae37737ffaa01f/e0e51ae3ed77f208
2023-11-28 15:52:07.997606 ike 0:Azure_0:31: check peer route: if_addr4_rcvd=0, if_
addr6_rcvd=0, mode_cfg=1
2023-11-28 15:52:07.997614 ike 0:Azure_0:31: processing INITIAL-CONTACT
2023-11-28 15:52:07.997617 ike 0:Azure_0: flushing
2023-11-28 15:52:07.997635 ike 0:Azure_0: flushed
2023-11-28 15:52:07.997638 ike 0:Azure_0:31: processed INITIAL-CONTACT
2023-11-28 15:52:07.997655 ike 0:Azure_0:31: mode-cfg assigned (1) IPv4 address
192.168.1.1
2023-11-28 15:52:07.997658 ike 0:Azure_0:31: mode-cfg assigned (2) IPv4 netmask
255.255.255.255
2023-11-28 15:52:07.997662 ike 0:Azure_0:31: mode-cfg send (13)
0:192.168.150.0/255.255.255.0:0
2023-11-28 15:52:07.997664 ike 0:Azure_0:31: mode-cfg send (3) IPv4 DNS(1)
96.45.45.45
2023-11-28 15:52:07.997667 ike 0:Azure_0:31: mode-cfg send (3) IPv4 DNS(2)
96.45.46.46
2023-11-28 15:52:07.997669 ike 0:Azure_0:31: mode-cfg send APPLICATION_VERSION
'FortiGate-VM64-HV v7.2.5,build8347,230829 (GA)'
2023-11-28 15:52:07.997671 ike 0:Azure_0:31: mode-cfg send (28673) UNITY_SAVE_
PASSWD
2023-11-28 15:52:07.997674 ike 0:Azure_0:31: mode-cfg send (21514) FNT_AUTO_
NEGOTIATE
2023-11-28 15:52:07.997676 ike 0:Azure_0:31: mode-cfg send (21515) FNT_KEEP_ALIVE
2023-11-28 15:52:07.997678 ike 0:Azure_0:31: add INTERFACE-ADDR4 169.254.1.1
2023-11-28 15:52:07.997685 ike 0:Azure_0:31: enc
2700000C01000000AC13C8712F00002802000000032B2600E754DD686A012B0F6F15B5AACF188C6E360
430E082BCDFDA0C720EC129000078020000
0000010004C0A8010100020004FFFFFFFF000D0008C0A89600FFFFFF0000030004602D2D2D000300046
02D2E2E0007002E466F727469476174652D564D36342D48562076372E322E352C6275696C6438333437
2
C3233303832392028474129700100020001540A00020001540B000200010000000C0000F0F9A9FE0101
0706050403020107
2023-11-28 15:52:07.997699 ike 0:Azure_0:31: out
D9AE37737FFAA01FE0E51AE3ED77F2082E2023200000000100000100240000E4F3993F243D0F8263A84
37BAE5FA374BDCCB76F12A529CF6D140BDB
7D16F4A31BCF8A01BF7FF565745E7A34CEF5DA87D60248CE37ECC09215900856FFD63450E0051F59931
0EAF799FB34362432B731B6A1CFD33A47923089B4989C08F2E8ADB97CB6DC62FE3D5B8A2F556B9A9F7B
2
1455AF2B117804AEFFAB89332A0CEAFF6C1D45AFDAB9C8158074F8D9F1440500FA0BEB08B873C299BD9
E554688D9A5BD986DD42974E0F247CC80DA4025BF026C05CEB1248A95C86483ECB765FBA232F6E07D0E
6
7FBAEB45416899D51C253077D91C4E9D8BD7DDACDC5425510CAC1BC0B1CF
2023-11-28 15:52:07.997721 ike 0:Azure_0:31: sent IKE msg (AUTH_RESPONSE):
172.19.200.113:500->172.19.200.185:500, len=256, vrf=0,
id=d9ae37737ffaa01f/e0e51ae3ed77f208
:00000001
2023-11-28 15:52:08.110149 ike 0: comes 172.19.200.185:500-
>172.19.200.113:500,ifindex=3,vrf=0....
2023-11-28 15:52:08.110199 ike 0: IKEv2 exchange=INFORMATIONAL
id=d9ae37737ffaa01f/e0e51ae3ed77f208:00000002 len=2240
2023-11-28 15:52:08.110432 ike 0: in
D9AE37737FFAA01FE0E51AE3ED77F2082E20250800000002000008C0290008A49B6A9D7BD4E662F6667
AF723F93D5160ED6B11316EEA6DF7D75902415CD63031EF
F10A6D97A8409055084EB77803F990D01B2156EF6465F3087AE502976340903689A8D9D4ED842DBA99E
4321FF23844FA93051D39987C5AAB2D1376805066E44D318566A0A1AAFB8443C9E53B04B0BEF5519A6E
3
4FF0351BAAB2343987A9845665B4A4B902C6F684284C156A5FC0F71D8B32D2F8A8C6BD0C1780723915C
D9ABC36299EFF3D7FAF9EEB8C05BEFDB0396241E37AC740E9B37EFA80849FA5F610E34D315A9B6800EB
9
EE7D6264772E78FF2A1E829B183DF08BCCB5F6FE7EF97E3DFD7721416E587584AE570BDA90F51B854FB
E491269323A8B2769092658EFF3603786B4D6F9A42BDDA28ADA53FB57ACE83A002F8E22C73B1BAAAB95
C
13843E0F13E0BB38A35E134276DBA0028775D43D9E63626FA740CD2ADE5B1E044FB136498C1391E1318
0A878A011D1EAFEF705959F04EDAAFB1F4D0B4D7BE32595BF0626B48A8B4A4FE60BF3E3F258D07EA447
4
2F763EA6021A209BE7026F3B694D078B4D083B0AB5E018D8FDD4E236E0428CC22A6A5E3F14D01E0D0E5
74DB9CD058ADCDBA705E3A3FA9E445BFEB9015B367C458AF0510072C3B7FCF59346FDA3D9B90D69FA28
3
E553773E6F9C8CCC17630F33DCA445D5847DF9F5599CD8A9E1E65F99113F3BC18D88A70BB11D7EAAA98
58DA284B488F58B49EC7E879FE1FE7126BDCCCFFB2CD62447203DE15485F957A602160D739B38F57EB1
8
023F4023C1C8C30729D87EF932701E69BA474478222FA4A427F38EA36B314F452CCD29C57F75A7BD159
6AA4300C42714BEF3E3A538786F30668B714880F2A2715C6B18AAA61DBFAA98C22302319917BEB5219A
1
70B7250B69402A84697685055CDCE5B276B047FB172501DEA4FC7EF51A4B3FE06B590F212C9DCBB6AEF
859A8FD3E4A5118B603E75218294C3DF97A009F2CDD5D31CA9E28CB9C5A1D5CA56B3B6C0DF9BA7DED12
E
0A44CE3A2C8B0101B2812B8FD3EC43A0AF07F3701AC6B0F5EA182C9797DCFF215207238A9DC5F3F544A
919B6E147C20847F20AD9CFD602734224EBB3E18A7200DFA06FA9EE6A4F665AE6559587F963C1116A43
E
6D673601ABEA502DC789085D9537AC26DCB75A582AD12962C858910EF7AA42E9E04742B80483B02870C
B600AEF9F050A84A44213FDF23B283F73F7E064C9167FCFC63C9DBBBBB8DC8727E27EB62A2B412CF798
9
665E248B5514E87264EAE9BE7E870D8243558548706092E2F2FB7B69307808CAA903BCE0B0EDACE95FC
E7BD5DD6D93EEB901BD4C541999D7E16A8ABF7B3FA99B163119CC27D851D42E7820659EBDA3E1649062
A
3DE4544F7DC568665A5D5A52D6A62E252D9C6240AB32930B0066ECFBF9E4845768F8708E89A8A699786
237D741659FB7F36E45F649F860C04523820584F0A668519DC200A16A9AE6F94714A5C9AFAA9CEA3B15
9
8836482ADA061F3E6BC73CDF18B441E3939F938A407E2FAB66563F32EFDE4EA1D26756B4983CDA33282
5B6CC71A64B3A2790CED7156AE0C7A9D684BBAF50095283C23ADF9882E4901C6DDA7E8132B632B9D33B
6
961D1558323FAB4447CC6C1B6E0A543CF289566955CD045D42B3853934E98575FF0EB4F9DDCCD33E16E
E3989185CBD4C536CBEB55F2DE760AD87D0D0896952425F6099EC3775DABEC43669B3060371818B55CB
1
09420BC54D6819785BE1D4380878ACA24502D20B8552E035B3FA728340CEC7114D557E9AFE7C6051053
E4CF702D9C9CEB88F066EDC7C41ED7A2C331EAF1331DBEB965988F564515A11AD7023C4F5EECF73C870
A
6B41C9006ADDA326377969F7309E42BEB220F6B8BB0DC4581304B5A26EFBFC91A3E6AF4B5E25DBDEA2A
B79EF700948B05677B7B613D7C45D273B7A9F1E14809D90154C0B7E57E3144063DECEC730EC22D4AE45
0
FA064F428DBDAD2E7225AE832C66C4A79CA327EF8DE1B9DC1325CC5D7891A4F3619E813374306AA1379
836A4B7CD50A826E709D33FF24BF4E311DBB960732269470EBCA42F5A68A7038352B0C7DA6454541B3F
3
348CED47D7FEFE7131FB3610D7D884B4E71BFEF414235CB6AC577F3D5B4EC816682CDA2480B8D232894
AEEF9D8578A97197D9C33A9D2C4E524A59FA0167D8759D3C2B089D715B005F5FB9403E822A1B5723531
A
DD1527A4BEEC54C673470017057E7D6C0A64D1F4463E7453F61A1FA5C60BAD683E11F57ADF8C4147DE3
37897FD913FF451A663E511515A1EEF1B64BC66125E310F729712CCBAF97316874986C52D96AB16C758
7
31171EEBDAC8948D173532A92473AB990F853657A6E2F299C3C32C534D6560FDAF66C3C2E5CE690C3E0
381E2883E09C9E8F2E039B2403526419A810E048C9BFFB863EB00D4EEA8C2980799AF8FFE4D0FDA92C2
E
8AEB30AB1D044CF5E806414B8BF4F630DD54274235295540A230B1E58CBBE6642A0D91AD0DE920B4DE3
85975A10F97AB58C01508D43F40531F04EF403E626C06F1D70E6A5649721F60F9CED9ACB70997A26511
0
83E1E2F373049A1CB0012C181244F90DF3B917B7D337679F4EA3E4F5781929793E57DCE57426DE306E1
C7348B05FF5412AD20CBD323C9ACD9B381462F428EFB084DE2DF4AAA39F3A2498EBE0903E190C89B3CB
6
9FE70EF451C17C337F2965F0F2FCEA63036DAC1735305113720441A040920DE11C76E597D2346766AC2
31966E200FB6908954B049B57E077C8F9FF1E43019D22DCB75839C0BE084385510FE6CC225A84E8AE56
D
9854C739545EB19DA193E031D59D58270E12D9A5F6E86E4870DD775F1C3C4DB80F5138B20521E746304
5E48EF1C1BE55D40F7AACC65BFA78B2D7C50832A08CAEE1534C9EF0D9309321D685102EA34BC45A62BE
B
A927141839B4756BC3D33B33DD6F829762D9FEC37E8C5F6C28D3E0D513967D3E878D597A0F262263D47
E696C443B3AD33742944F1EA8094AA1147E189EA3DC2E1838C12186A9ADA2534485D026E8456996E981
5
0675B20DC5F337A0A90BDFE5516668AD234AF0FA4F0141F8145BF7F931E80C2B62E5517900CBAE94B37
748E713A895CBB415319FA485C69C4CBE89F689DA9926597548CD5FC1F509F584330B07686F0EDE7EE1
B
FCD55949
2023-11-28 15:52:08.110903 ike 0:Azure_0:31: dec
D9AE37737FFAA01FE0E51AE3ED77F2082E202508000000020000089F290000040000087F0000F107657
94A30655841694F694A4B563151694C434A
756232356A5A534936496D704B4D314A6B55304A7653484A4B4F4570574D6B5A54646A687A595646596
24668336457773357484D325A4656786347307A5A316F74616C45694C434A68624763694F694A53557A
4
9314E694973496E673164434936496C5178553351745A457855646E6C58556D6434516C38324E7A5A31
4F47747957464D7453534973496D74705A434936496C5178553351745A457855646E6C58556D6434516
C
38324E7A5A314F47747957464D7453534A392E65794A68645751694F6949774D4441774D4441774D793
0774D4441774C5441774D444174597A41774D4330774D4441774D4441774D4441774D4441694C434A70
6
3334D694F694A6F64485277637A6F764C334E30637935336157356B6233647A4C6D356C644338315A44
6B324D4463335A4330794F47566D4C5451774E5749744F474A6A4E53307A5A6A6333595452695A47526
B
5A6D59764969776961574630496A6F784E7A41784D6A45794E546B794C434A75596D59694F6A45334D4
445794D5449314F544973496D5634634349364D5463774D5449784F4445344F53776959574E6A644349
3
64D43776959574E79496A6F694D534973496D467062794936496B4657555546784C7A68575155464251
545A48644463765230647553545259516D566C615538356343394C65454931563235434E46553363474
E
6B596D4A4B546B7036626E52525931523052474E545158526B54445A3254334E32536D30304B3231726
56B3835627974355445343157556C715169397454304A59626B783365577451526A67334F5374516255
6
877636E6C6D616E45324D465259636B564650534973496D46746369493657794A77643251694C434A79
633245694C434A745A6D45695853776959584277583252706333427359586C755957316C496A6F69644
7
567A6447647663476B694C434A68634842705A434936496A59334D574978597A5A684C5464694E6A4D7
44E474E6C595330344F4463334C544D304D544A695A5463344E546B7A59794973496D467763476C6B59
5
74E79496A6F694D434973496D526C646D6C6A5A576C6B496A6F694D7A41355954526D4D7A4574593249
34596930305A6D4A6D4C546B785A6A67744F474E6B4D324E6D4D574D775932566949697769615752306
5
5841694F694A316332567949697769615842685A475279496A6F694D6A41344C6A6B784C6A45784E533
47A4D434973496D3568625755694F694A486233427059326868626D51675458567959584A7049697769
6
2326C6B496A6F694E4467324E4451324E6D45744F546B774F4330305A6A49324C546C6C4D7A41744F57
55344D3249344D6A49305A47526D4969776963477868644759694F69497A49697769634856705A43493
6
496A45774D444D794D4441794E445133516A45314D5463694C434A776432526664584A73496A6F69614
8523063484D364C79397762334A305957777562576C6A636D397A62325A30623235736157356C4C6D4E
7
662533944614746755A32565159584E7A643239795A4335686333423449697769636D67694F6949774C
6B46576130466D5557565857475534623163775130783456446B7A6345777A5A4639335455464251554
6
4251554642515864425155464251554642515546445A45464F627934694C434A7A593341694F694A765
A6D5A736157356C5832466A5932567A63794276634756756157516763484A765A6D6C735A5342566332
5
6794C6C4A6C595751675A573168615777694C434A7A615764756157356663335268644755694F6C7369
6132317A61534A644C434A7A645749694F694A61596D4D7964546C7955486C57636C4A4F6154464F5A3
1
524A65484E4352575A44566C6C4D52304A72615667795A3168324D6B354A4D325A4A496977696447567
55957353058334A6C5A326C76626C397A593239775A534936496B35424969776964476C6B496A6F694E
5
751354E6A41334E3251744D6A686C5A6930304D4456694C546869597A55744D3259334E324530596D52
6B5A475A6D49697769645735706358566C58323568625755694F694A6E6258567959584A7051455A766
3
6E5270513278705A5735304D6A41756232357461574E7962334E765A6E5175593239744969776964584
275496A6F695A323131636D46796155424762334A3061554E7361575675644449774C6D397562576C6A
6
36D397A62325A304C6D4E7662534973496E563061534936496A457864484A365447397A4D6A4174636D
5534556D4E6D64463951515763694C434A325A5849694F6949784C6A41694C434A336157527A496A706
2
496A59795A546B774D7A6B304C5459355A6A55744E44497A4E7930354D546B774C5441784D6A45334E7
A45304E5755784D434973496D49334F575A695A6A526B4C544E6C5A6A6B744E4459344F5330344D5451
7
A4C546332596A45354E4755344E5455774F534A644C434A3462584E6664474E6B644349364D5459324E
7A45784D4451794D33302E4C5173624B7A695A52504F39505971495071754B4C316B39704F477A54776
B
35376E3854676B4A616C79327362325333635A763541313736426539594A5A4D7978424F366F6349677
731324663304B4841316E354A474E5A36526E74674D73574457476F6968506E756B503474725F554976
6
74A567A4578516D67554D6C3545723361635A7849577A41766E3353383259306E6F6245733461526865
417231387A6271364D435F6137344C7668307332367263435A473675755767656D457A5F52376866503
9
3473586D4A68506F42564A427175357372662D3366766758615647525559456A6F746441496E744A485
2414263784B5647654E506C7276696C4F6B454D7577694A753544312D4F465064696C7A63686A644A34
3
2576B5A7A4D6F583250645849706938416F4565784D55435F49425A5A696379514F6A67307776724650
537531464A675539364F3637424841464C2D77
2023-11-28 15:52:08.110922 ike 0:Azure_0:31: received informational request
2023-11-28 15:52:08.110925 ike 0:Azure_0:31: processing notify type AZURE_AD_TOKEN
2023-11-28 15:52:08.110948 ike 0:Azure_0:31: received Azure AD token (len=2167)
2023-11-28 15:52:08.110949 ike 0:Azure_0:31: initiating Azure AD token
authentication
2023-11-28 15:52:08.110951 ike 0:Azure_0: Azure AD token (len=2167)
2023-11-28 15:52:08.110953 ike 0:Azure: auth group msgraphgrp
2023-11-28 15:52:08.111007 ike 0:Azure_0: Azure AD auth 1975011919 pending
2023-11-28 15:52:08.111012 ike 0:Azure_0:31: enc 0F0E0D0C0B0A0908070605040302010F
2023-11-28 15:52:08.111021 ike 0:Azure_0:31: out
D9AE37737FFAA01FE0E51AE3ED77F2082E202520000000020000005000000034ABDA11BFF7F1B3E0DE3
7C51CC74D97E9E750351C4C59506A84CEC1
E9D726613718F6C5928D05641F3BA20B17F06A0E39
2023-11-28 15:52:08.111037 ike 0:Azure_0:31: sent IKE msg (INFORMATIONAL_RESPONSE):
172.19.200.113:500->172.19.200.185:500, len=80, vrf=0, id=d9ae37737ffaa01f/e0e51ae3
ed77f208:00000002
2023-11-28 15:52:08.506195 ike 0:Azure_0:31: Azure AD auth 1975011919 result FNBAM_
SUCCESS
2023-11-28 15:52:08.507752 ike 0:Azure_0: FNBAM_SUCCESS
2023-11-28 15:52:08.508794 ike 0:Azure_0: Azure AD auth succeeded (msgraphgrp)
2023-11-28 15:52:08.510216 ike 0:Azure_0:31: send AD_AUTH_SUCCESS
A77B0F46616B3946EC1DB6386B95B3E4AAD48624AD098716B7C09377070A34A4A8FA29C5205A53FB705
FB95FB1196320A24E54F123C45E7EAA07DA2F7E5C73D5D68FCC29711163372CC0601061A1629C10D4B4
D
29240FEB22BF758E73A0BF47D3EF2311B547683FBED69DE40960A30FDCACEFA83C5B002C117EF1849D9
EFCBF5D5C594424160C6DDAE59D72CA0FE69109D677B36A3E52251B12E609EBC39105228F03821F52DC
C
A8F48FFCD2B1E467EFD6D22C944A2FE1668F52111B863790EAB4B70AC111BBBEA1BD4E400920E6002F5
41DBBFA5B1270DB7F9A8E17DB837A55A161A848FBD3CEE545C59673114BC6C7192CB8FC3A2222664776
9
A47C5EC14F9A927A2DC22D3AEC869F7D22728EA36AE72C79BCAEC678F832D868F4AF4A9F11316AB525E
E29E83D7FE4B36B4C907FD695FC958F391CC53A55BA3D70768458374E0DEB496B4EE2C764259816EB4A
5
1C500F83A98A8E134A7E5287057AC06D0DFB99A6403EB711B5ED4A0AD431D342BDF4E9674B614C0EA63
AD879BE72F0F6FB
2023-11-28 15:52:09.463679 ike 0:Azure_0:31: dec
D9AE37737FFAA01FE0E51AE3ED77F2082E2024080000000300000190210000042800006402000030010
30404B6309E870300000C0100000C800E00
800300000803000002030000080400000500000008050000000000003002030404B6309E870300000C0
100000C800E0100030000080300000C0300000804000005000000080500000022000014B152C3DB9D7C
4
DCB76B245B1B1E537752C0000C80005000013FC512EBBD59D5EE5926D399D13FE2811F9D965F6489E67
27340F15F2588D0B37347D70C4DB2A056AEDE07A0B83D0BC6C124CFBEFD8B8EC28E3BE927E3ADDCB585
5
6010430E13A03A123A11C1A1F5F603093844ED7CA9CA65C97BF77689456F933584C0D706024321EB1BA
2DEAB6C7CDBF9D8C6B3CAEF02B8D98F10B8EF0B7F975EB3F922360B21B419E71D91DC8A86BF7361500B
E
FD67B0AB19F0F89423D8E9229B2A71FD283FEAC4845F4DB2092A48ECECCD84C12CA552C234A2B6614FA
F02D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF0
0
000000FFFFFFFF
2023-11-28 15:52:09.476082 ike 0:Azure_0:31: received create-child request
2023-11-28 15:52:09.477573 ike 0:Azure_0:31: responder received CREATE_CHILD exchange
2023-11-28 15:52:09.479026 ike 0:Azure_0:31: responder creating new child
2023-11-28 15:52:09.480311 ike 0:Azure_0:31:16: peer proposal:
2023-11-28 15:52:09.481643 ike 0:Azure_0:31:16: TSi_0 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.483041 ike 0:Azure_0:31:16: TSr_0 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.484917 ike 0:Azure_0:31:Azure:16: comparing selectors
2023-11-28 15:52:09.486431 ike 0:Azure_0:31:Azure:16: matched by rfc-rule-2
2023-11-28 15:52:09.488240 ike 0:Azure_0:31:Azure:16: phase2 matched by subset
2023-11-28 15:52:09.489819 ike 0:Azure_0:31:Azure:16: using mode-cfg override 0:192.168.1.1-192.168.1.1:0
2023-11-28 15:52:09.493018 ike 0:Azure_0:31:Azure:16: accepted proposal:
2023-11-28 15:52:09.494773 ike 0:Azure_0:31:Azure:16: TSi_0 0:192.168.1.1-192.168.1.1:0
2023-11-28 15:52:09.496728 ike 0:Azure_0:31:Azure:16: TSr_0 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.498785 ike 0:Azure_0:31:Azure:16: dialup
2023-11-28 15:52:09.500228 ike 0:Azure_0:31:Azure:16: incoming child SA proposal:
2023-11-28 15:52:09.502191 ike 0:Azure_0:31:Azure:16: proposal id = 1:
2023-11-28 15:52:09.504280 ike 0:Azure_0:31:Azure:16: protocol = ESP:
2023-11-28 15:52:09.506390 ike 0:Azure_0:31:Azure:16: encapsulation = TUNNEL
2023-11-28 15:52:09.508479 ike 0:Azure_0:31:Azure:16: type=ENCR, val=AES_CBC (key_len = 128)
2023-11-28 15:52:09.510929 ike 0:Azure_0:31:Azure:16: type=INTEGR, val=SHA
2023-11-28 15:52:09.513041 ike 0:Azure_0:31:Azure:16: type=DH_GROUP, val=MODP1536
2023-11-28 15:52:09.514921 ike 0:Azure_0:31:Azure:16: type=ESN, val=NO
2023-11-28 15:52:09.517047 ike 0:Azure_0:31:Azure:16: matched proposal id 1
2023-11-28 15:52:09.518363 ike 0:Azure_0:31:Azure:16: proposal id = 1:
2023-11-28 15:52:09.519673 ike 0:Azure_0:31:Azure:16: protocol = ESP:
2023-11-28 15:52:09.521199 ike 0:Azure_0:31:Azure:16: encapsulation = TUNNEL
2023-11-28 15:52:09.522991 ike 0:Azure_0:31:Azure:16: type=ENCR, val=AES_CBC (key_len = 128)
2023-11-28 15:52:09.524846 ike 0:Azure_0:31:Azure:16: type=INTEGR, val=SHA
2023-11-28 15:52:09.526296 ike 0:Azure_0:31:Azure:16: type=DH_GROUP, val=MODP1536
2023-11-28 15:52:09.527909 ike 0:Azure_0:31:Azure:16: type=ESN, val=NO
2023-11-28 15:52:09.529345 ike 0:Azure_0:31:Azure:16: lifetime=43200
2023-11-28 15:52:09.531065 ike 0:Azure_0:31:Azure:16: PFS enabled, group=5
2023-11-28 15:52:09.532636 ike 0:Azure_0:31:Azure:16: generate DH public value request queued
2023-11-28 15:52:09.535270 ike 0:Azure_0:31:Azure:16: compute DH shared secret request queued
2023-11-28 15:52:09.538204 ike 0:Azure_0:31:Azure:16: replay protection enabled
2023-11-28 15:52:09.540564 ike 0:Azure_0:31:Azure:16: set sa life soft seconds=43185.
2023-11-28 15:52:09.543517 ike 0:Azure_0:31:Azure:16: set sa life hard seconds=43200.
2023-11-28 15:52:09.545940 ike 0:Azure_0:31:Azure:16: IPsec SA selectors #src=1 #dst=1
2023-11-28 15:52:09.548329 ike 0:Azure_0:31:Azure:16: src 0 7 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.549967 ike 0:Azure_0:31:Azure:16: dst 0 7 0:192.168.1.1-192.168.1.1:0
2023-11-28 15:52:09.551724 ike 0:Azure_0:31:Azure:16: add dynamic IPsec SA selectors
2023-11-28 15:52:09.553656 ike 0:Azure_0:31:Azure:16: added dynamic IPsec SA proxyids, new serial 1
2023-11-28 15:52:09.555661 ike 0:Azure:16: add route 192.168.1.1/255.255.255.255 gw 192.168.1.1 oif Azure(17) metric 15 priority 1
2023-11-28 15:52:09.558385 ike 0:Azure_0:31:Azure:16: tunnel 1 of VDOM limit 0/0
2023-11-28 15:52:09.559849 ike 0:Azure_0:31:Azure:16: add IPsec SA: SPIs=089ed054/b6309e87
2023-11-28 15:52:09.559855 ike 0:Azure_0:31:Azure:16: IPsec SA dec spi 089ed054 key 16:7266651ABA6DF54EA23C5F16ACA4323A auth 20:E5DE2B49D803AD657613D5E7A217019449E172ED
2023-11-28 15:52:09.559859 ike 0:Azure_0:31:Azure:16: IPsec SA enc spi b6309e87 key 16:E5FC462D5B45E3D2D2CDBE80354F766A auth 20:B4FD4EC142626C58359AAC6278370986E4B9C4F8
2023-11-28 15:52:09.559883 ike 0:Azure_0:31:Azure:16: added IPsec SA: SPIs=089ed054/b6309e87
2023-11-28 15:52:09.560126 ike 0:Azure_0: tunnel up event assigned address 192.168.1.1
7A23F5008349B6CC4289825B292C0000C800050000C26CB6DC83F23198EFB6B595A44AD7A2D4506D048
F7E3BA27ED14CB47FF12B2C20ED2F7C59022E698A8EEB22AC1269DE785F4E4D674261E2268E6D5219EA
8
DBCD598D59CE007D831420E3654A93ED0733AA1AC51B2908611CA39D64B17ABA6E3EFC338A700480CC5
CB65549BDA2B527FDAC9B68A4CAFBFE90ACEE70333451F31BA79FFA53B7028879E38682E2A2E74E692D
6
03B41ACA394E5EAEBEDAD923ADF8DF6E5B60C19A17860A9F72079F2A9B162244DA2ED48931DA94505F8
A9784C6AE2D00001801000000070000100000FFFFC0A80101C0A8010100000018010000000700001000
0
0FFFF00000000FFFFFFFF0F0E0D0C0B0A0908070605040302010F
2023-11-28 15:52:09.561585 ike 0:Azure_0:31: out
D9AE37737FFAA01FE0E51AE3ED77F2082E2024200000000300000190210001747521BEB5752BC8166B8
70187B8184577A936B1617899657B3F61B0
ACE844FACE72E945DEC6A91FC5AB1001D8120A73ED5732605FE6D0DD57CDDFD2EB624A38490841A6381
72E86FAD3C27C255DF6508AE96D3C127C2FF9B479FD8007EE12B1E59227220F4A817A0BF29D9695C420
F
5C0B9F5D74F910345D843AD638946098D38C7F2C5C19FD854F2BE128DD336328DBF1072308F4AAFD103
AEE529495D8D7A48233F6565104F277EFC9E8371A81A6B9EB59CA9AF66AD93332F3F767585522A750AD
9
1B124CD84C903BE6A64B3D63BA3E6D212E73C744D59DED2AE2580A12EB0550AD140F7CDB7587A531291
0586972D01A39110DBF639CDF077B9B66799AA1C0F2A39C0106887F1D7E43B135B170A478A9DBF01B18
7
C20E21A04A953B0BDC4E71A00BCED1C0B2F95C5188F701EB0372CFF5FD0DD347BD7765540E45AB0E641
9EC8EB139099561E1A95F7C5056AB3B18E023338A23B26C32421BD7D5CB1C1308CA9EBAE191A87E5025
6
83811AB0C5E644
2023-11-28 15:52:09.561966 ike 0:Azure_0:31: sent IKE msg (CREATE_CHILD_RESPONSE): 172.19.200.113:500->172.19.200.185:500, len=400, vrf=0, id=d9ae37737ffaa01f/e0e51ae3ed77f208:00000003
2023-11-28 15:52:13.239889 ike 0: comes 172.19.200.185:500->172.19.200.113:500,ifindex=3,vrf=0....
2023-11-28 15:52:13.239970 ike 0: IKEv2 exchange=INFORMATIONAL id=d9ae37737ffaa01f/e0e51ae3ed77f208:00000004 len=80
2023-11-28 15:52:13.239976 ike 0: in
D9AE37737FFAA01FE0E51AE3ED77F2082E202508000000040000005000000034BFA2DC51F014978F5F695462630406B37D7311206880F4BA747BA1E786092E7F6F34C63B6D3B48A8E6531AABAA72FE55
2023-11-28 15:52:13.240004 ike 0:Azure_0:31: dec
D9AE37737FFAA01FE0E51AE3ED77F2082E202508000000040000002000000004
2023-11-28 15:52:13.240222 ike 0:Azure_0:31: received informational request
2023-11-28 15:52:13.240230 ike 0:Azure_0:31: enc 0F0E0D0C0B0A0908070605040302010F
2023-11-28 15:52:13.240443 ike 0:Azure_0:31: out
D9AE37737FFAA01FE0E51AE3ED77F2082E2025200000000400000050000000349815B795B19825052A1CEB3BFBDF0890035F90BFBAB8D3DC8B2D243C0F347C253853573C4692A2FAB41271E0935FD0BE
2023-11-28 15:52:13.240670 ike 0:Azure_0:31: sent IKE msg (INFORMATIONAL_RESPONSE): 172.19.200.113:500->172.19.200.185:500, len=80, vrf=0, id=d9ae37737ffaa01f/e0e51ae3ed77f208:00000004
2023-11-28 15:52:17.875738 ike shrank heap by 344064 bytes
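When reviewing a debug capture like the one above, the lines worth extracting are the accepted proposal (transforms, lifetime, PFS group), the final traffic selectors, the SPIs and the address handed out by mode-cfg. The following is an added example, not part of this guide or of any Fortinet tool: a small Python parser for that line format, followed by a policy check that flags transforms below an assumed baseline. SAMPLE_LOG is a trimmed, constructed copy of the exchange above; the baseline (SHA1 integrity and DH groups up to MODP1536 treated as weak) is an editorial choice, not a Fortinet recommendation.

```python
"""Summarize the child SA negotiated in FortiOS IKE debug output (added example, not from the guide).

Parses lines in the format of the IKE debug log above, reports the accepted CREATE_CHILD
proposal, selectors, SPIs and assigned address, and flags algorithms below an assumed
baseline. SAMPLE_LOG is a trimmed, constructed copy of that exchange.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2023-11-28 15:52:09.480311 ike 0:Azure_0:31:16: peer proposal:
2023-11-28 15:52:09.481643 ike 0:Azure_0:31:16: TSi_0 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.493018 ike 0:Azure_0:31:Azure:16: accepted proposal:
2023-11-28 15:52:09.494773 ike 0:Azure_0:31:Azure:16: TSi_0 0:192.168.1.1-192.168.1.1:0
2023-11-28 15:52:09.496728 ike 0:Azure_0:31:Azure:16: TSr_0 0:0.0.0.0-255.255.255.255:0
2023-11-28 15:52:09.500228 ike 0:Azure_0:31:Azure:16: incoming child SA proposal:
2023-11-28 15:52:09.508479 ike 0:Azure_0:31:Azure:16: type=ENCR, val=AES_CBC (key_len = 128)
2023-11-28 15:52:09.517047 ike 0:Azure_0:31:Azure:16: matched proposal id 1
2023-11-28 15:52:09.522991 ike 0:Azure_0:31:Azure:16: type=ENCR, val=AES_CBC (key_len = 128)
2023-11-28 15:52:09.524846 ike 0:Azure_0:31:Azure:16: type=INTEGR, val=SHA
2023-11-28 15:52:09.526296 ike 0:Azure_0:31:Azure:16: type=DH_GROUP, val=MODP1536
2023-11-28 15:52:09.527909 ike 0:Azure_0:31:Azure:16: type=ESN, val=NO
2023-11-28 15:52:09.529345 ike 0:Azure_0:31:Azure:16: lifetime=43200
2023-11-28 15:52:09.531065 ike 0:Azure_0:31:Azure:16: PFS enabled, group=5
2023-11-28 15:52:09.559849 ike 0:Azure_0:31:Azure:16: add IPsec SA: SPIs=089ed054/b6309e87
2023-11-28 15:52:09.560126 ike 0:Azure_0: tunnel up event assigned address 192.168.1.1
"""

TRANSFORM_RE = re.compile(r"type=(\w+), val=(\S+)(?: \(key_len = (\d+)\))?")
TS_RE = re.compile(r"\b(TS[ir])_\d+ (\S+)")
LIFETIME_RE = re.compile(r"\blifetime=(\d+)")
PFS_RE = re.compile(r"PFS enabled, group=(\d+)")
SPI_RE = re.compile(r"add IPsec SA: SPIs=([0-9a-f]+)/([0-9a-f]+)")
ADDR_RE = re.compile(r"tunnel up event assigned address (\S+)")


@dataclass
class ChildSa:
    transforms: Dict[str, str] = field(default_factory=dict)  # ENCR / INTEGR / DH_GROUP / ESN
    key_len: Optional[int] = None
    lifetime: Optional[int] = None
    pfs_group: Optional[int] = None
    tsi: Optional[str] = None       # accepted initiator selector (the client's mode-cfg address)
    tsr: Optional[str] = None       # accepted responder selector
    spi_in: Optional[str] = None    # first SPI, the "dec spi" (inbound) in the debug output
    spi_out: Optional[str] = None   # second SPI, the "enc spi" (outbound)
    assigned_address: Optional[str] = None


def parse_create_child(log: str) -> ChildSa:
    sa = ChildSa()
    accepted_ts = False  # TS lines after "accepted proposal:" are the final selectors
    matched = False      # transforms after "matched proposal id" are the chosen set
    for line in log.splitlines():
        if line.endswith("peer proposal:"):
            accepted_ts = False
        elif line.endswith("accepted proposal:"):
            accepted_ts = True
        elif line.endswith("incoming child SA proposal:"):
            matched = False
        elif "matched proposal id" in line:
            matched = True
        if (m := TS_RE.search(line)) and accepted_ts:
            setattr(sa, m.group(1).lower(), m.group(2))   # "TSi" -> sa.tsi, "TSr" -> sa.tsr
        if (m := TRANSFORM_RE.search(line)) and matched:
            sa.transforms[m.group(1)] = m.group(2)
            if m.group(3):
                sa.key_len = int(m.group(3))
        if (m := LIFETIME_RE.search(line)) and matched:
            sa.lifetime = int(m.group(1))
        if m := PFS_RE.search(line):
            sa.pfs_group = int(m.group(1))
        if m := SPI_RE.search(line):
            sa.spi_in, sa.spi_out = m.group(1), m.group(2)
        if m := ADDR_RE.search(line):
            sa.assigned_address = m.group(1)
    return sa


# Assumed baseline (editorial choice). FortiOS prints HMAC-SHA1 integrity as "SHA" here.
WEAK_INTEGRITY = {"SHA", "MD5"}
WEAK_DH_GROUPS = {"MODP768", "MODP1024", "MODP1536"}
MIN_AES_KEY_LEN = 128


def audit(sa: ChildSa) -> List[str]:
    """Return one finding per transform that falls below the baseline."""
    findings = []
    encr = sa.transforms.get("ENCR")
    if encr is None:
        findings.append("no ENCR transform seen in the matched proposal")
    elif not encr.startswith("AES"):
        findings.append(f"non-AES encryption {encr}")
    elif (sa.key_len or 0) < MIN_AES_KEY_LEN:
        findings.append(f"AES key length {sa.key_len} below {MIN_AES_KEY_LEN}")
    if sa.transforms.get("INTEGR") in WEAK_INTEGRITY:
        findings.append(f"weak integrity algorithm {sa.transforms['INTEGR']}")
    if sa.transforms.get("DH_GROUP") in WEAK_DH_GROUPS:
        findings.append(f"weak PFS group {sa.transforms['DH_GROUP']}")
    return findings


if __name__ == "__main__":
    sa = parse_create_child(SAMPLE_LOG)
    print(sa)
    for finding in audit(sa):
        print("FINDING:", finding)
```

On the log above the audit reports two findings (SHA1 integrity and MODP1536), which is the information a reviewer needs to decide whether the `config vpn ipsec phase2-interface` proposal on the FortiGate and the matching proposal list in the EMS profile should be tightened.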
FortiClient IPsec VPN IKEv2 supports SAML authentication with identity providers (IdP) such as Microsoft Entra ID,
Okta, and FortiAuthenticator. This configuration also supports pushing authentication tokens. This provides a similar
experience to SAML-based authentication for SSL VPN.
The following instructions assume that you have already configured your Entra ID environment, that your FortiClient
EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an
enterprise application for SAML single sign on.
The following use cases provide configuration examples for Entra ID, Okta, and FortiAuthenticator:
• Use case 1: SAML authentication with Entra ID as IdP on page 252
• Use case 2: SAML authentication with Okta as IdP on page 257
• Use case 3: SAML authentication with FortiAuthenticator as IdP on page 260
The examples use the following product versions:
Product              Version
FortiClient          7.2.4
FortiClient EMS
FortiGate            7.4.3
FortiAuthenticator   6.5.3
1. The following shows an example enterprise application for SAML single sign on in Azure. Key to this configuration is
that the endpoint can resolve the FortiGate fully qualified domain name (FQDN) (in this example, it is
remote...de01). Note the port number, which in this example is 10428. Under SAML Certificates, beside Certificate
(Base64), click Download.
2. Configure FortiOS:
a. Import the certificate that you downloaded from the Azure portal to FortiOS by going to System > Certificates >
Create/Import > Remote Certificate and selecting the desired certificate.
b. Define a user IKE SAML authentication port:
config system global
    set auth-ike-saml-port 10428
end
c. Configure SAML user settings. In this example, remote...de01 is the remote gateway. Port 10428 is the
IKE SAML authentication port that you defined in step 2b:
i. Configure a SAML user:
config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
4. After FortiClient receives the configuration changes from EMS, connect to the tunnel:
a. In FortiClient, go to the Remote Access tab.
b. From the VPN Name dropdown list, select the IPsec VPN tunnel.
c. Click Connect.
d. An authentication dialog appears. Enter the Entra ID credentials to establish the VPN connection.
5. After the VPN tunnel is up, attempt access to a resource that a FortiOS firewall policy protects. The following shows
diagnose firewall auth list output for such access:
192.168.1.100, [email protected]
type: fw, id: 0, duration: 74, idled: 74
server: IPSec-SAML-FAC
packets: in 0 out 0, bytes: in 0 out 0
group_id: 6
group_name: ipsec-saml-group
To view IKE debug log output for this access, see IKE debug log reference on page 266.
Configuring IPsec VPN SAML authentication using Okta as the IdP is similar to Use case 1: SAML authentication with
Entra ID as IdP on page 252. The following shows an example configuring the SAML user for Okta (step 2.c.i):
config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exk5v..."
        set idp-single-sign-on-url "https://dev-....okta.com/app/dev-..._samlloginfgt39_1/exk5v.../sso/saml"
1. After the VPN tunnel is up, attempt access to a resource that a FortiOS firewall policy protects. Run get ipsec
vpn tunnel details in the FortiOS CLI. Following is the expected output:
gateway
  name: 'v4-PSK-IKEv2_0'
  local-gateway: 10.152.35.161:0 (static)
  remote-gateway: 10.152.35.170:0 (dynamic)
  dpd-link: on
  mode: ike-v2
  interface: 'port1' (3) vrf:0
  rx  packets: 18  bytes: 2259  errors: 13
  tx  packets: 0  bytes: 0  errors: 0
  dpd: on-idle/negotiated idle: 60000ms retry: 3 count: 0
  selectors
    name: 'v4-PSK-IKEv2'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0-255.255.255.255:0
    dst: 0:192.168.1.100-192.168.1.100:0
    SA
      lifetime/rekey: 43200/43101
      mtu: 1438
      tx-esp-seq: 1
      replay: enabled
      qat: 0
      inbound
        spi: 758626b4
        enc:  aes-cb  37491f896e23475bcbc98cb98fe6511c
        auth: sha1    01cfde3affa4edcca94626c9fcc474fe55113e36
      outbound
        spi: 80b1a046
        enc:  aes-cb  88c755eec85f512ca31ce65b687932bb
        auth: sha1    d2953b6376c145b82e88a05983dfec180e33dbc4
      NPU acceleration: none
2. Run diagnose sniffer packet <gateway name> to view the packet sniffer information. Following is the
expected output:
Using Original Sniffing Mode
interfaces=[v4-PSK-IKEv2]
filters=[none]
pcap_lookupnet: v4-PSK-IKEv2: no IPv4 address assigned
8.902304 192.168.1.100 -> 192.168.235.180: icmp: echo request
8.902770 192.168.235.180 -> 192.168.1.100: icmp: echo reply
9.910247 192.168.1.100 -> 192.168.235.180: icmp: echo request
9.910518 192.168.235.180 -> 192.168.1.100: icmp: echo reply
10.925738 192.168.1.100 -> 192.168.235.180: icmp: echo request
10.926070 192.168.235.180 -> 192.168.1.100: icmp: echo reply
11.941364 192.168.1.100 -> 192.168.235.180: icmp: echo request
11.942012 192.168.235.180 -> 192.168.1.100: icmp: echo reply
49.060511 192.168.1.100 -> 192.168.235.180: icmp: echo request
49.061039 192.168.235.180 -> 192.168.1.100: icmp: echo reply
50.066813 192.168.1.100 -> 192.168.235.180: icmp: echo request
50.067084 192.168.235.180 -> 192.168.1.100: icmp: echo reply
51.082305 192.168.1.100 -> 192.168.235.180: icmp: echo request
51.082633 192.168.235.180 -> 192.168.1.100: icmp: echo reply
52.097539 192.168.1.100 -> 192.168.235.180: icmp: echo request
52.097898 192.168.235.180 -> 192.168.1.100: icmp: echo reply
Configuring IPsec VPN SAML authentication using FortiAuthenticator as the IdP is similar to Use case 1: SAML
authentication with Entra ID as IdP on page 252. The following shows an example configuring the SAML user for
FortiAuthenticator (step 2.c.i). Ensure the endpoint can resolve the remote gateway FQDN (in this example
remote...de01) and the FortiAuthenticator FQDN (in this example fac.example.fct.local):
config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://fac.example.fct.local/saml-idp/lxat.../metadata/"
        set idp-single-sign-on-url "https://fac.example.fct.local/saml-idp/lxat.../login/"
        set idp-single-logout-url "https://fac.example.fct.local/saml-idp/lxat.../logout/"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end
The following shows the XML configuration for the IPsec VPN tunnel configured in Use case 1: SAML authentication with
Entra ID as IdP on page 252 step 3. Note the <sso_enabled> and <ike_saml_port> elements:
<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<options>
<negative_split_tunnel_metric/>
<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<no_dns_registration>0</no_dns_registration>
<use_gui_saml_auth>0</use_gui_saml_auth>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<enabled>1</enabled>
</options>
<connections/>
</sslvpn>
<ipsecvpn>
<options>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
<usesmcardcert>1</usesmcardcert>
<show_auth_cert_only>0</show_auth_cert_only>
<no_dns_registration>0</no_dns_registration>
<enable_udp_checksum>0</enable_udp_checksum>
<beep_if_error>0</beep_if_error>
<disable_default_route>0</disable_default_route>
<block_ipv6>1</block_ipv6>
<check_for_cert_private_key>0</check_for_cert_private_key>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<usewincert>1</usewincert>
<uselocalcert>0</uselocalcert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<enabled>1</enabled>
</options>
<connections>
<connection>
<name>IPSec-V2-EAP-SAML</name>
<uid>BA387F1D-E421-4753-AAA4-657C4C8202AF</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<sso_enabled>1</sso_enabled>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>remote...de01</server>
<authentication_method>Preshared Key</authentication_method>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>0</enable_local_lan>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>1</sso_enabled>
<ike_saml_port>10428</ike_saml_port>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<auth_data>
<preshared_key>Enc 380ffd71e1570436106bf459ff8fc41e43a7279260bec9b01e7dd3bfc3c8dfc0</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
<connection>
<name>IPSec-V2-SAML-LM0</name>
<uid>186A1714-E2EA-44D1-AC8D-60B21922C48A</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<sso_enabled>1</sso_enabled>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>remote...de01</server>
<authentication_method>System Store X509 Certificate</authentication_method>
<fgt>1</fgt>
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>0</enable_local_lan>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>1</sso_enabled>
<ike_saml_port>10428</ike_saml_port>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
<auth_data/>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<apps/>
</exceptions>
<max_attempts>3</max_attempts>
<grace_period>120</grace_period>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>1</show_vpn_before_logon>
<keep_running_max_tries>0</keep_running_max_tries>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>1</secure_remote_access>
<minimize_window_on_connect>1</minimize_window_on_connect>
<show_negotiation_wnd>0</show_negotiation_wnd>
<allow_personal_vpns>1</allow_personal_vpns>
<on_os_start_connect/>
<autoconnect_on_install>0</autoconnect_on_install>
<suppress_vpn_notification>1</suppress_vpn_notification>
<disable_connect_disconnect>0</disable_connect_disconnect>
<use_windows_credentials>0</use_windows_credentials>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>
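The two elements the text calls out, <sso_enabled> and <ike_saml_port>, only work as a pair with the FortiGate side: the port in every SAML-enabled IPsec connection has to equal the auth-ike-saml-port set in step 2b, and the connection has to be IKEv2 as in the profile above. As an added example that is not part of this guide or of EMS, the script below reads a FortiClient profile in the format shown above and reports any SSO connection whose port, IKE version or server-certificate checks deviate from what the FortiGate expects. SAMPLE_PROFILE is a constructed, trimmed profile with one consistent connection, one deliberately inconsistent one and one PSK-only tunnel; the expected port is passed in by the caller.

```python
"""Consistency check for FortiClient IPsec SAML tunnels in an EMS XML profile.

Added example, not part of the FortiClient EMS guide. It parses the <forticlient_configuration>
format shown above and verifies that every connection with <sso_enabled>1</sso_enabled> carries
an <ike_saml_port> matching the FortiGate's auth-ike-saml-port, uses IKEv2, and keeps the
server-certificate checks enabled. SAMPLE_PROFILE is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
      </options>
      <connections>
        <connection>
          <name>IPSec-V2-EAP-SAML</name>
          <sso_enabled>1</sso_enabled>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <ike_settings>
            <server>remote...de01</server>
            <version>2</version>
            <sso_enabled>1</sso_enabled>
            <ike_saml_port>10428</ike_saml_port>
          </ike_settings>
        </connection>
        <connection>
          <name>Legacy-SAML-Tunnel</name>
          <sso_enabled>1</sso_enabled>
          <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
          <ike_settings>
            <server>remote...de01</server>
            <version>1</version>
            <sso_enabled>1</sso_enabled>
            <ike_saml_port>443</ike_saml_port>
          </ike_settings>
        </connection>
        <connection>
          <name>PSK-Only</name>
          <sso_enabled>0</sso_enabled>
          <ike_settings>
            <server>remote...de01</server>
            <version>2</version>
            <sso_enabled>0</sso_enabled>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def _text(elem: ET.Element, path: str, default: str = "") -> str:
    found = elem.find(path)
    return (found.text or "").strip() if found is not None else default


def check_saml_tunnels(profile_xml: str, expected_saml_port: int) -> List[str]:
    """Return one finding per problem; an empty list means every SSO tunnel is consistent."""
    root = ET.fromstring(profile_xml)
    findings: List[str] = []
    # Global IPsec option: invalid server certificates should be rejected, not only warned about.
    if _text(root, "./vpn/ipsecvpn/options/disallow_invalid_server_certificate") != "1":
        findings.append("ipsecvpn/options: disallow_invalid_server_certificate is not 1")
    for conn in root.iterfind("./vpn/ipsecvpn/connections/connection"):
        name = _text(conn, "name", "<unnamed>")
        ike = conn.find("ike_settings")
        if ike is None:
            findings.append(f"{name}: no ike_settings element")
            continue
        # SSO is flagged both on the connection and inside ike_settings in the profile above.
        if _text(conn, "sso_enabled") != "1" and _text(ike, "sso_enabled") != "1":
            continue
        version = _text(ike, "version")
        if version != "2":
            findings.append(f"{name}: SAML tunnel is not IKEv2 (version is {version or 'unset'})")
        port = _text(ike, "ike_saml_port")
        if not port:
            findings.append(f"{name}: ike_saml_port missing")
        elif port != str(expected_saml_port):
            findings.append(f"{name}: ike_saml_port {port} does not match "
                            f"FortiGate auth-ike-saml-port {expected_saml_port}")
        if _text(conn, "warn_invalid_server_certificate") != "1":
            findings.append(f"{name}: warn_invalid_server_certificate is not 1")
    return findings


if __name__ == "__main__":
    for finding in check_saml_tunnels(SAMPLE_PROFILE, expected_saml_port=10428):
        print("FINDING:", finding)
```

Run against an exported profile with the port taken from `config system global`, an empty result means the EMS side and the FortiGate side agree on the SAML port for every SSO tunnel; the sample flags only the deliberately inconsistent connection.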
__samld_sp_create_auth_req [453]:
**** AuthnRequest URL ****
https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2
EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2B
R%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDo
kOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kR
zvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkOR
XsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI
7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZr
WaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&Re
layState=magic%3D060806859681f2ed&SigAlg=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%
23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2
B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQ
xRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmS
pPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzc
g7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D
***********************
__samld_sp_create_auth_req [467]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z"
    Destination="https://login.microsoftonline.com/f1a72219-.../saml2"
    SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login">
  <saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [472]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.
0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_
14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z"
Desti
nation="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0"
SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBind
ing="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issue
r>https://rem
ote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/
></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/f
1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>h
ttps://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2E
kdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR
%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDok
OzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRz
vljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORX
sgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7
gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrW
aiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&
;RelayState=magic%3D060806859681f2ed&SigAlg=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.w3.org%2F2000%2F09%2Fx
mldsig%23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcb
l7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBw
UsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJ
s2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7
Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5W
iaIA%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=060806859681f2ed</lasso:MsgRelaySta
te><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_14B
8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [91]: Code: 0, id: 563454, pid: 2293, len: 3517, data_len 3501
samld_send_common_reply [99]: Attr: 14, 2352, <lasso:Login
xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.
0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_
14B8833DC689A095A1B3AFAD0EB510B4" Versi
on="2.0" IssueInstant="2024-03-06T03:57:28Z"
Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0"
SignMethod="0"
ForceAuthn="false" IsPassive="false"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://remote...de01
:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata
</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:
1.1:nameid-format:unspecified"
AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https:
//sts.windows.net/f1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>https://login.mic
rosoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2Ekd
IAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWz
I5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqv
bqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQ
W7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3
Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1Qxhktsv
K5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxS
Phk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&
amp;SigAlg=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Sign
ature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOW
L%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiOR
yyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTz
IW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2Fs
SXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D</lasso:MsgUrl><lasso:MsgRe
layState>magic=060806859681f2ed</lasso:MsgRelayState><lasso:HttpRequestMetho
d>4</lasso:HttpRequestMethod><lasso:RequestID>_
14B8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
samld_send_common_reply [99]: Attr: 11, 1149,
https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2
Ek
dIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bW
zI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTq
vbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlX
QW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj
3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1Qxhkts
vK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMx
SPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&Sig
Alg=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=RkHly
fm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdyS
EPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94T
HDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO
3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHS
ym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D
assertion">https://sts.windows.net/f1a72219-.../</Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<Assertion ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant="2024-03-06T03:57:28.824Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/f1a72219-.../</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_af843ea7-5620-4f6b-bf20-4fb6db7f1100">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>SxoMOgM7+7Chj+VhUVBdW5moKwv+PwCErZyb49+gCSY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRiVpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtwzO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2nzPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue>
<KeyInfo><X509Data><X509Certificate>
MIIC8DCCAdigAwIBAgIQReSC88H5bbBLd
kflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBD
ZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNjEwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1p
Y3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMII
BCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ
1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W
0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYur
blfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLoZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BP
GGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAs1OVASBqPuz09n0Xqt
koSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeIAJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuU
O+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ60QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+
bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16Ge
G34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp5lyY+5EpGd7zErPjU7jycmSJcbWMgNH
</X509Certificate></X509Data></KeyInfo>
</Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" NotOnOrAfter="2024-03-06T04:57:28.694Z" Recipient="https://remote...de01:10428/remote/saml/login"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2024-03-06T03:52:28.694Z" NotOnOrAfter="2024-03-06T04:57:28.694Z">
<AudienceRestriction><Audience>https://remote...de01:10428/remote/saml/metadata</Audience></AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>f1a72219-...</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>a6de82a6-05c4-4093-8288-65af36242d67</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Yuyue Li</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/f1a72219-.../</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>88d8e3e3-8f55-4a1e-953a-9b9898b8876b</AttributeValue><AttributeValue>62e90394-69f5-4237-9190-012177145e10</AttributeValue><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Yuyue</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Li</AttributeValue></Attribute>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>[email protected]</AttributeValue></Attribute>
<Attribute Name="username"><AttributeValue>yyl[email protected]</AttributeValue></Attribute>
<Attribute Name="group"><AttributeValue>e6bbee59-c1d8-49e6-916b-2fe6339a3d1e</AttributeValue><AttributeValue>1cd4e267-054c-4e6c-b1ed-fc0f62dde5e6</AttributeValue><AttributeValue>3ccdd7c1-b59c-41c3-a985-229ab4ded5a2</AttributeValue></Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2024-03-06T03:51:23.739Z" SessionIndex="_af843ea7-5620-4f6b-bf20-4fb6db7f1100">
<AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext>
</AuthnStatement>
</Asser
tion></samlp:Response>
__samld_sp_login_resp [836]:
**** Assertion Dump ****
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_af843ea7-5620-4f6b-bf20-
4fb6db7f1100" IssueInstant
="2024-03-06T03:57:28.824Z"
Version="2.0"><Issuer>https://sts.windows.net/f1a72219-.../</Issuer><Signature
xmlns="http://www.w3.org/2000/09
/xmldsig#"><SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-m
ore#rsa-sha256"/><Reference URI="#_af843ea7-5620-4f6b-bf20-
4fb6db7f1100"><Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-
c14n#"/></Transforms><DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SxoMOg
M7+7Chj+VhUVBdW5moKwv+PwCErZyb49+gCSY=</DigestValue></Reference></SignedInfo><Signature
Value>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb
451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRiVpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA
49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtw
zO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2n
zPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue><KeyInfo><X509Data><X509Certificate
>MIIC8DCCAdigAwIBAgIQReSC88H5bbBLdkflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3
NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNj
EwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlM
IIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469
YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+
EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I
6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYurblfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLo
ZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BPGGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb
3DQEBCwUAA4IBAQAs1OVASBqPuz09n0XqtkoSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeI
AJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuUO+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ6
0QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f
3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16GeG34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp
5lyY+5EpGd7zErPjU7jycmSJcbWMgNH</X509Certificate></X509Data></KeyInfo></Signature><Subj
ect><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
[email protected]</NameID><SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_
14B8833DC689A0
95A1B3AFAD0EB510B4" NotOnOrAfter="2024-03-06T04:57:28.694Z"
Recipient="https://remote...de01:10428/remote/saml/login"/></SubjectConfirmation></Subj
ect><Conditions NotBefore="2024-03-06T03:52:28.694Z
ike :shrank heap by 172032 bytes
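The Assertion Dump above shows the fields a service provider has to check before it trusts the assertion: the Conditions window (NotBefore/NotOnOrAfter), the Audience, the bearer SubjectConfirmationData (Recipient, InResponseTo and its own NotOnOrAfter), the Issuer, and the username and group attributes that the FortiGate later matches against the group in the ike debug. As an added example, not code from this guide or from FortiOS, the Python script below runs those checks over a trimmed, constructed copy of the assertion. The obscured hostname, e-mail address and tenant id are replaced by placeholders (remote.example, user@example.com, TENANT-ID-PLACEHOLDER); the group GUIDs and timestamps are the ones in the dump. XML signature verification over the signed assertion is assumed to have been done first and is not shown.

```python
"""Service-provider checks on a SAML 2.0 assertion like the Assertion Dump
above. XML signature verification over the signed assertion is assumed to
have passed already and is not shown; these are the checks that follow it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed, trimmed copy of the assertion in the dump: Signature removed;
# the obscured hostname, e-mail address and tenant id replaced by placeholders.
ASSERTION_XML = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant="2024-03-06T03:57:28.824Z" Version="2.0">
  <Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4"
          NotOnOrAfter="2024-03-06T04:57:28.694Z"
          Recipient="https://remote.example:10428/remote/saml/login"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2024-03-06T03:52:28.694Z" NotOnOrAfter="2024-03-06T04:57:28.694Z">
    <AudienceRestriction>
      <Audience>https://remote.example:10428/remote/saml/metadata</Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="username"><AttributeValue>user@example.com</AttributeValue></Attribute>
    <Attribute Name="group">
      <AttributeValue>e6bbee59-c1d8-49e6-916b-2fe6339a3d1e</AttributeValue>
      <AttributeValue>1cd4e267-054c-4e6c-b1ed-fc0f62dde5e6</AttributeValue>
      <AttributeValue>3ccdd7c1-b59c-41c3-a985-229ab4ded5a2</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# What this service provider expects (placeholders matching the sample above).
SP_EXPECTATIONS = {
    "issuer": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "audience": "https://remote.example:10428/remote/saml/metadata",
    "recipient": "https://remote.example:10428/remote/saml/login",
    "request_id": "_14B8833DC689A095A1B3AFAD0EB510B4",  # ID of the AuthnRequest the SP sent
}


def parse_saml_time(value: str) -> datetime:
    """UTC timestamps as IdPs emit them, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAML timestamp {value!r}")


def validate_assertion(xml_text, *, issuer, audience, recipient, request_id, now, skew_seconds=60):
    """Return ok/errors plus the NameID and attributes; 'now' is an aware datetime."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("root element is not a SAML 2.0 Assertion")
    skew = timedelta(seconds=skew_seconds)
    errors = []
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        errors.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            errors.append("assertion not yet valid")
        if na and now - skew >= parse_saml_time(na):   # NotOnOrAfter is exclusive
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            errors.append("audience mismatch")
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = None if sc is None else sc.find("saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != BEARER or scd is None:
        errors.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            errors.append("recipient mismatch")
        if scd.get("InResponseTo") != request_id:
            errors.append("InResponseTo does not match the outstanding AuthnRequest")
        na = scd.get("NotOnOrAfter")
        if na and now - skew >= parse_saml_time(na):
            errors.append("subject confirmation expired")
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not errors, "errors": errors,
            "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}


if __name__ == "__main__":
    result = validate_assertion(ASSERTION_XML, now=parse_saml_time("2024-03-06T04:00:00Z"), **SP_EXPECTATIONS)
    print(result["ok"], result["errors"], result["name_id"], result["attributes"]["group"])
```

The InResponseTo check is the one most often skipped in home-grown SP code: without it, a captured assertion for another request can be replayed inside its validity window. The skew of 60 seconds covers clock drift between the IdP and the FortiGate; the dump shows Azure AD already allowing a five-minute NotBefore margin.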
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=456....
ike V=root:0: IKEv2 exchange=SA_INIT id=91d7e3bfd6eb8287/0000000000000000 len=456
ike 0: in
91D7E3BFD6EB828700000000000000002120220800000000000001C82200005C0200002C010100040300000
C0100000C800E00800300000802000002030000080300000200000008040000050
000002C020100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005
280000C800050000A5F0F0154C1F23D09D2C498ABD86C9875EFFC0E746A12E55AE182E3FBAFA
D9BA91FCAA52E25EB1E78AD3C6BD6A389E119BDBB8D07480F81680DACAF5D162042DF7FDAD3A091A9E0C2A0
26388A39B658D8913B2376AF01B2F02E2AC22E6FC9309393388CF76676F136DB18B5BCE96EE1
87E06C3F481C0214A4392641C4F0163F2DA7A8B4F2C7168FE09C7F485C17A02360BA1A3358DEC4992DA2784
338ACD23A03ADABB04146732E3D51C4A4F1530F66E5951E668DAD51BB9FA1EF9D9C45F302B2B
000014FC1604191670582A2C223ECA5E6FD1862B0000144C53427B6D465D1B337BB755A37A7FEF2B000014B
4F01CA951E9DA8D0BAFBBD34AD3044E29000014C1DC4350476B98A429B91781914CA43E29000
01C000040049CFF24AC5C389CA04560B76DE2EA4DAD3980D4E90000001C00004005C736780986F56FDCFB69
E529BD4EFEB9405FBB47
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: responder received SA_INIT msg
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID forticlient connect license
4C53427B6D465D1B337BB755A37A7FEF
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID Fortinet Endpoint Control
B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID unknown (16):
C1DC4350476B98A429B91781914CA43E
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: incoming proposal:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 1:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 128)
91D7E3BFD6EB8287032B6561653DE267212022200000000000000160220000300000002C010100040300000
C0100000C800E008003000008020000020300000803000002
0000000804000005280000C80005000065955E1E4681E843C5618C637FE43851C15AD4D34C8E1738B09188C
6B3DA57CFFC88346E35095286C904E5751B1722F8FA0455F59AE7489A67180C2A36D65DAC6FA
FA4B9DADCE79F8B35851C2A22B8F452110665B6D16342709F5979D43F95CCE0617C40786355FF35D5E45864
6564356ED08A1A1CF29EA7C046246F09EFD49D3574DCC9D980EAFB1D08685642169ECB1E7081
9DB02E208F0C130FA97F071ADBD53F16E79384BA05CB0B8B18C6A0D125834119877FE45C11E7CDC77FFFA63
B8729000014473843BD329EC550DD27667C37BFDA7A2900001C00004004B752F27710DE7BFDF
FDDC48461DDFE77FE24B70F0000001C000040054F2308001BB502EDADE2CF75B498CCFD47FCEE4A
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (SA_INIT_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=352, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267, oif=3
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ei
16:8B1FC416E2A711C0A33BF3074485A78F
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_er
16:A4BB868B7D8FBB81EDE5C9FD1555365E
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ai
20:2CB9528C9AE4B625B6F4A931ED07641416A51DCA
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ar
20:7F182EEB73D4DE03695AF202E620B2C741CF503A
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=620....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000001 len=620
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202308000000010000026C230002508DC5174C77E069C310D8A83
82293B7125A27239C47932A34F2C27458FC9774DC6FB3E3E179F8777D69A7E54EE
CDC0F4291E3B33E953B0761FC06B39882FA1EC00FFCB4CEB559AAD7272918C485A2A125CCD4B35B34CE7244
BDD04B5183E43AFF419452A1AE12917BDF31AB2D758983B60ED97A2183EE38A98BCD8FEFA0CD
4DF478699267107DC508EFF092359589355084DAEC722EBF52DD7699B409295987A6648989CF760D2FD44F2
EB83B2F897D2653D52FB5A073BAD3687CE0913A55CD36C6D481F362F5133CEBA3D623C64F360
4F2D7187A5130A479A7029EE4291F9A9E54AC3338AC79B151F97CE9900B50FC3C986F348FABDC430B5A5357
477AA0B58F4E29C08904A43DDA6938BCE9520D0CE4193B904CED247770B70F62A0BFE41C4396
DB9386B505910AE947DFDC37E8D75C6F71E202CF163EB4B90C5E68FF5F9817D7255EA3C3AB8C8DDAE99B04D
619BC1E56CD282EAE3873316290E349578360AC5F8136C69A7C2ABD0E4F2F419AE710899F1AD
6AE8A3A50EDC29574AC4D9F3ED065D6504344E2FA553E620F7D488D19FC4232556CC35EF4A84BE3A865E31A
B4C169F0280975271DEDFCD43E53B1E60D75DFACC56801D09E0AE14B3D39161963AB92402263
65F39E975EF85E988A3BD1D2419E2CA7C0A1B354CF920DC0B453B5FCBED5CC48F5617C15869185F0501380F
2687B30709328485EE6520AFCB174F49B2292FFAE97F11474672E1AE754A5132CCFB5A0DBEC4
AD9BCF9DEEE1EC905E464F83A8448CEA16FFE33938A96485B283A40732CA6B25AF0870A974239DA5ED7CD83
62308A4C438FC7DC4512E4
ike 0:v4-PSK-IKEv2:14: dec
91D7E3BFD6EB8287032B6561653DE2672E2023080000000100000244230000042900000C010000000A9823A
A29000008000040002F0001380000F1005645523D310A4643
545645523D372E322E342E303937320A5549443D45363946374145304438343434344634413141463844463
039424445383539330A49503D31302E3135322E33352E3137300A4D41433D30302D31352D356
42D32332D61382D30313B0A484F53543D4445534B544F502D5550494E42524A0A555345523D453639463741
45304438343434344634413141463844463039424445383539330A4F535645523D4D6963726F
736F66742057696E646F777320313020456E74657270726973652045646974696F6E2C2036342D626974202
86275696C64203139303435290A5245475F5354415455533D300A454D53534E3D464354454D5
3313034333537353533320A454D5349443D3030303030303030303030303030303030303030303030303030
3030303030300A00210000540100000000070010464354383030313434383131303439300001
0000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540
A0000540B0000700000002C0000540200002801030403E03A386C0300000C0100000C800E008
0030000080300000200000008050000000000002802030403E03A386C0300000C0100000C800E0100030000
080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF00
00001801000000070000100000FFFF00000000FFFFFFFF
ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg
ike V=root:0:v4-PSK-IKEv2:14: processing notify type INITIAL_CONTACT
ike V=root:0:v4-PSK-IKEv2:14: processing notify type FORTICLIENT_CONNECT
ike V=root:0:v4-PSK-IKEv2:14: received FCT data len = 304, data = 'VER=1
FCTVER=7.2.4.0972
UID=E69F7AE0D84444F4A1AF8DF09BDE8593
IP=10.152.35.170
MAC=00-15-5d-23-a8-01;
HOST=DESKTOP-UPINBRJ
USER=E69F7AE0D84444F4A1AF8DF09BDE8593
OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045)
REG_STATUS=0
EMSSN=FCTEMS1043575532
EMSID=00000000000000000000000000000000
'
ike V=root:0:v4-PSK-IKEv2:14: received FCT-UID : E69F7AE0D84444F4A1AF8DF09BDE8593
ike V=root:0:v4-PSK-IKEv2:14: peer identifier IPV4_ADDR 10.152.35.170
ike V=root:0:v4-PSK-IKEv2:14: re-validate gw ID
ike V=root:0:v4-PSK-IKEv2:14: gw validation OK
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP identity request
ike 0:v4-PSK-IKEv2:14: enc
2700000C010000000A9823A13000001C0200000066323F7A3C4C726A3D4D29D163A1D2EE26A29F160000000
9018C0005010E0D0C0B0A0908070605040302010E
ike 0:v4-PSK-IKEv2:14: out
91D7E3BFD6EB8287032B6561653DE2672E202320000000010000007C2400006019975696D3E610D0A55FCE2
141CE07B6CADD98E08E17E48B28D411CC7807751490126226
6AC460CEB8EF355E8DF5E1990674923144292715C8A7FFBE5186369083671645EB6300E98FAEE17C0613A79
BBE3934314FCE2BABD0835112
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000001, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=108....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000002 len=108
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202308000000020000006C30000050D355C65E627AB11AA4880DB
9B65E4660D5CE9F3414AD9C4ED0F64CCF1A4A250265D56EE573F5AF208A1E4EA6F
BC2CEED73E7EE8AB356C80FEC7B02D78C7CC1E7328CEF9F039CA8F6D3D9175B
ike 0:v4-PSK-IKEv2:14: dec
91D7E3BFD6EB8287032B6561653DE2672E20230800000002000000493000000400000029028C00250145363
9463741453044383434343446344131414638444630394244
4538353933
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM
ike V=root:0:v4-PSK-IKEv2:14: initiating EAP authentication
ike V=root:0:v4-PSK-IKEv2: EAP user "E69F7AE0D84444F4A1AF8DF09BDE8593"
ike V=root:0:v4-PSK-IKEv2: auth candidate group 'ipsec-saml-group' 6
ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending
ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_CHALLENGED
ike V=root:0:v4-PSK-IKEv2: EAP challenged for user "E69F7AE0D84444F4A1AF8DF09BDE8593"
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message
ike 0:v4-PSK-IKEv2:14: enc
00000025018D00211A018D001C10127D990A0E60029A5973F7E9DB3C302D686F73746170640A09080706050
40302010A
ike 0:v4-PSK-IKEv2:14: out
91D7E3BFD6EB8287032B6561653DE2672E202320000000020000006C3000005023BDD3F892B81FF71C36F5A
1F8818AAC1B5E266CA932E002099308830C1AD89103AE2A6C
BF22418D54EF94C27A081D1BDF9AFC403110DF51F2ACDC00FDCF48A3CB4FAC40AAEC2DA278FD1019
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=108, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000002, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=156....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000003 len=156
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202308000000030000009C30000080C3287818C3211DB53758AFF
EA523DCFCA3299F4AFBEBBBE50EC3DB44EA5D914B612529B169CD10D41F0220488
8F1AEEB193BA3640B87DA27AF7772921FC74494B837E26EEA63393ABF21AC2CD3532B128AF2BFBE362DE8A1
0A4DD97775353B65175262B421E4483DBA79842E0CA09D2C3F52DD7149658445582DC8C1
ike 0:v4-PSK-IKEv2:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202308000000030000007F300000040000005F028D005B1A028D0
05631C828BD1F5DC09E2EAE44A295D803BD5E000000000000
00000D807F3A068A31FDCDBEA9D6273968C91D3F1F5EB1CFFB7E00453639463741453044383434343446344
1314146384446303942444538353933
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
B09FDDBCA849ACA0E9852F3BA62AF9472271F3A29BFF603E74E5BF2B45A818A679B93D29F4C24B1A33761B9
50B654B4EF14D417BF1E40510
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000003, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000004 len=76
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202308000000040000004C30000030BC217F9ADF27626EC3E13C2
2D86598BEC75E9887C9407B868045ED29084660F870974CD011CFAFDEF02D58C5
ike 0:v4-PSK-IKEv2:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202308000000040000002A300000040000000A028E00061A03
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM
ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending
ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_SUCCESS
ike V=root:0:v4-PSK-IKEv2: user '[email protected]' authenticated group
'ipsec-saml-group' 6
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message
ike 0:v4-PSK-IKEv2:14: enc 00000008038E00040706050403020107
ike 0:v4-PSK-IKEv2:14: out
91D7E3BFD6EB8287032B6561653DE2672E202320000000040000004C300000309A60CF863B708309D8C1418
333CF21EC2A32E00615FDDF53EF5072DE9422A4D280605F88
257E11FED22FF0D5
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000004, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=92....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000005 len=92
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202308000000050000005C270000409F291281AD48EC4CD1DFEF5
961D33BE185A04F1810661E66FBC1F5846796CD0A535C063D19A0E930A51130F3D
9413512EF92EC71E582D10991B7FE42
ike 0:v4-PSK-IKEv2:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202308000000050000003C270000040000001C0200000063A2A16
4BD0FE9F4D29DDA752517ACD373B1567E
ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg
08C0A8EB00FFFFFF0000030004AC113C060003000408080808000F001100000000000000000000000000000
0000000070030466F727469476174652D564D36342D48562076372E342E332C6275696C64323
537332C323430323031202847412E4629700100020001540A00020001540B000200012C00002C0000002801
030403758626B20300000C0100000C800E0080030000080300000200000008050000002D0000
1801000000070000100000FFFFC0A80164C0A801640000001801000000070000100000FFFF00000000FFFFF
FFF0C0B0A0908070605040302010C
ike 0:v4-PSK-IKEv2_0:14: out
91D7E3BFD6EB8287032B6561653DE2672E202320000000050000015C24000140F73C9BCD7A9F971B02F6A48
AE9B37644762FCA3FB4E3D0E2136A72A1BBC4113F7A87F3
9A611CBE1B0E5036D73020A46B6455BEE66FFC5F95E237337C4CFF0A4CCA52BB18DC3A17F497E12FDDE5D8A
6953B4295109F0BEDBA72459E3750D6924159BE555D8011EF5B9C0EA1EA91BFA6F0E850A7296
B813DE95FF47F40545584CCC00264377258E6C3769A64834AE9161B286DD9067B689E53EC59C6C3E28BE798
401730A6E01CC23756A75142244140C1EA6FE3D771F24E768D2E092888F08E3BFC3CE5486819
1B5BFB6CE6E97764CF75B6AE068B5C7398EF72C0E963FC15EDAD00A166AFECCFE35EB6314C7FD27C2C5F718
777FE73ADBB8472255BB4FDDD9CE39E397432585200246F891A68A86CEE05748502CC58770BB
128F31D2FFAF62526C987A9CEFBFD15644DEB317102BB51DDD54D7C206DF42F010FC7ACCE
ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=348, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000005, oif=3
ike V=root:0:v4-PSK-IKEv2_0: link is idle 3 10.152.35.161->10.152.35.170:0 dpd=1 seqno=1 rr=0
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000006 len=76
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202508000000060000004C000000308313D182BDFE6429ACF9CD7
54A0CAA19E6997AD0F915E69445D9C1256C6CBF7694582330F8AED0C6F892FD1D
ike 0:v4-PSK-IKEv2_0:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202508000000060000002000000004
ike V=root:0:v4-PSK-IKEv2_0:14: received informational request
ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:v4-PSK-IKEv2_0:14: out
91D7E3BFD6EB8287032B6561653DE2672E202520000000060000004C00000030E74A78C1B6607A4209955C9
34EBD0486354D124282E51DAEF58CBFB26AAABE8E4E905A
2ED459F3DD076CFD23
ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000006, oif=3
ike :shrank heap by 331776 bytes
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000007 len=76
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202508000000070000004C00000030B7731C94B7CD08C9325F550
EC0EABE733FC5DA5E50A1440AE3FE358726D1DE7EFE61CC3D02674FE0155CE28F
ike 0:v4-PSK-IKEv2_0:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202508000000070000002000000004
ike V=root:0:v4-PSK-IKEv2_0:14: received informational request
ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:v4-PSK-IKEv2_0:14: out
91D7E3BFD6EB8287032B6561653DE2672E202520000000070000004C0000003042E9544F9024C5ED6F72E90
A613C99A7EA7AFE3534D71E8FEC8CA3B65DB1708473F80D
5395ABBD30500A38DA
ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000007, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000008 len=76
ike 0: in
91D7E3BFD6EB8287032B6561653DE2672E202508000000080000004C00000030D72FA651DD9192B8390213F
8D30CF93C1F47EAC9934E09391EBB7F7E55C8DF0574AAFA1CCCBFD5C34F93AFD8
ike 0:v4-PSK-IKEv2_0:14: dec
91D7E3BFD6EB8287032B6561653DE2672E202508000000080000002000000004
ike V=root:0:v4-PSK-IKEv2_0:14: received informational request
ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:v4-PSK-IKEv2_0:14: out
91D7E3BFD6EB8287032B6561653DE2672E202520000000080000004C00000030494190DE9E0047C7B17F642
218C27C46615E9AA717E1BDEFA2B56938BD8990C9B54783
49D4AD0420063AE9B4
ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000008, oif=3
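The "ike 0: in", "out" and "dec" lines above are raw IKEv2 messages in hex, and the surrounding log lines (exchange=, len=, id=) are the FortiGate's reading of them. As an added example, not code from this guide, the Python script below decodes the 28-byte IKEv2 header (initiator and responder SPIs, exchange type, initiator/response flags, message ID, length) and walks the generic payload chain, so the log's own values can be cross-checked against the bytes. The sample dumps are copied from the output above: the first 28 bytes of the SA_INIT request and response, and the complete decrypted ("dec") EAP message with message ID 4 and the empty INFORMATIONAL with message ID 6. Exchange and payload type numbers are those of RFC 7296.

```python
"""Decode IKEv2 headers and payload chains from the hex dumps that
'diagnose debug application ike -1' prints ("ike 0: in", "out", "dec")."""
import struct
from dataclasses import dataclass

HEADER_LEN = 28  # fixed IKEv2 header (RFC 7296 section 3.1)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {
    0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr",
    46: "SK", 47: "CP", 48: "EAP",
}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

# Dumps copied from the debug output above. The first two are the 28-byte
# headers of the SA_INIT request and response; the last two are complete
# decrypted ("dec") messages: an EAP round trip and an empty INFORMATIONAL.
SA_INIT_REQ = "91D7E3BFD6EB828700000000000000002120220800000000000001C8"
SA_INIT_RESP = "91D7E3BFD6EB8287032B6561653DE267212022200000000000000160"
EAP_DEC = "91D7E3BFD6EB8287032B6561653DE2672E202308000000040000002A300000040000000A028E00061A03"
DPD_DEC = "91D7E3BFD6EB8287032B6561653DE2672E202508000000060000002000000004"


@dataclass
class IkeHeader:
    spi_i: str
    spi_r: str
    next_payload: int
    exchange: str
    initiator: bool
    response: bool
    message_id: int
    length: int


def unhex(hexdump: str) -> bytes:
    # The debug output wraps long dumps across lines; drop all whitespace first.
    return bytes.fromhex("".join(hexdump.split()))


def parse_ike_header(hexdump: str) -> IkeHeader:
    raw = unhex(hexdump)
    if len(raw) < HEADER_LEN:
        raise ValueError("dump shorter than the 28-byte IKEv2 header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", raw[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"major version {version >> 4}, not IKEv2")
    return IkeHeader(spi_i.hex(), spi_r.hex(), nxt,
                     EXCHANGE_TYPES.get(exch, f"exchange_{exch}"),
                     bool(flags & FLAG_INITIATOR), bool(flags & FLAG_RESPONSE),
                     msg_id, length)


def walk_payloads(hexdump: str) -> list:
    """Return (payload name, length) for each generic payload header in a
    complete message. In an undecrypted message the SK payload spans the
    rest of the message, so the walk stops there; in a FortiGate 'dec' dump
    the SK header is shown with length 4 and the plaintext payloads follow."""
    raw = unhex(hexdump)
    hdr = parse_ike_header(hexdump)
    if hdr.length != len(raw):
        raise ValueError(f"header says {hdr.length} bytes, dump has {len(raw)}")
    chain = []
    ptype, off = hdr.next_payload, HEADER_LEN
    while ptype != 0 and off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated generic payload header")
        nxt, _flags, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        chain.append((PAYLOAD_TYPES.get(ptype, f"type_{ptype}"), plen))
        ptype, off = nxt, off + plen
    return chain


if __name__ == "__main__":
    for dump in (SA_INIT_REQ, SA_INIT_RESP):
        print(parse_ike_header(dump))
    print(walk_payloads(EAP_DEC))  # [('SK', 4), ('EAP', 10)]
    print(walk_payloads(DPD_DEC))  # [('SK', 4)]
```

The decoded lengths (456 and 352 for the SA_INIT pair, 42 for the decrypted EAP message) are the values the log prints as len=, and the responder SPI appearing only in the response is why the log's id= field changes from 91d7e3bfd6eb8287/0000000000000000 to 91d7e3bfd6eb8287/032b6561653de267. The three INFORMATIONAL exchanges at the end decrypt to an SK payload with nothing inside: those are the DPD liveness checks announced by the "link is idle ... dpd=1" line, which is what a healthy idle tunnel looks like in this debug.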
IPsec VPN can support traffic that first goes through FortiADC. Only IKEv2 tunnels support this feature.
The example uses the following product versions:
Product          Version
FortiClient      7.2.4
FortiClient EMS
FortiGate        7.4.3
FortiADC         6.1.3
In this example use case, an organization has implemented a comprehensive security strategy that includes the use of
IPsec (Internet Protocol Security) for securing communications between its network resources. By combining the secure
communication that IPsec provides with the traffic optimization capabilities of FortiADC, the company can achieve a
robust, secure, and high-performance network infrastructure for interconnecting branch offices with the central data
center. Also, this setup enables efficient data exchange while maintaining the confidentiality and integrity of the
transmitted information.
To configure FortiADC:
next
end
2. Configure the SNI API server. In this example, 10.152.35.156 is the SNI API server IP address, and 3001 is the port
used:
config load-balance sniproxy-domain
set url http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1
set url-udp http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1
end
3. Configure the RS pool and add members (the FortiOS firewall IP address) to the pool:
config load-balance pool
edit "FGT-POOL"
set health-check-list LB_HLTHCK_ICMP LB_HLTHCK_HTTPS LB_HLTHCK_TCP_ECHO LB_HLTHCK_HTTP
set real-server-ssl-profile NONE
config pool_member
edit 1
set pool_member_service_port 0
set pool_member_cookie rs1
set real-server FGT2
next
end
next
end
4. Configure a virtual server. FortiClient will initiate an IPsec connection to 192.168.1.7, the remote gateway and
FortiADC interface IP address, on port 4500:
config load-balance virtual-server
edit "INTERNALIPSEC"
set interface port1
set ip 192.168.1.7
set port 4500
set load-balance-profile IKERESOURCE
set load-balance-method LB_METHOD_SNIPROXY
set load-balance-pool FGT-POOL
set traffic-log enable
set traffic-group default
set fortiview enable
next
end
To configure EMS:
<enabled>1</enabled>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>IPSECV2-ADC - internal</name>
<uid>650F4D40-6942-4E25-B927-7EE6C5D99878</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<sso_enabled>0</sso_enabled>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>192.168.1.7</server>
<authentication_method>Preshared Key</authentication_method>
<fgt>1</fgt>
<prompt_certificate>1</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<sase_mode>1</sase_mode>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<ike_saml_port>443</ike_saml_port>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<xauth_timeout>120</xauth_timeout>
<auth_data>
<preshared_key>Enc 7de9d08db7716deba8e66e5526eac5d952c1afb46e2edd5d51646228a1a2</preshared_key>
</auth_data>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<usewincert>1</usewincert>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<uselocalcert>0</uselocalcert>
<beep_if_error>0</beep_if_error>
<check_for_cert_private_key>0</check_for_cert_private_key>
<no_dns_registration>0</no_dns_registration>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<disable_default_route>0</disable_default_route>
<use_win_current_user_cert>1</use_win_current_user_cert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
<usesmcardcert>1</usesmcardcert>
<block_ipv6>1</block_ipv6>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<enabled>1</enabled>
</options>
</ipsecvpn>
<lockdown>
<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<exceptions>
<apps/>
<ips/>
</exceptions>
<enabled>0</enabled>
</lockdown>
<options>
<suppress_vpn_notification>0</suppress_vpn_notification>
<secure_remote_access>0</secure_remote_access>
<keep_running_max_tries>0</keep_running_max_tries>
<use_windows_credentials>0</use_windows_credentials>
<allow_personal_vpns>1</allow_personal_vpns>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<on_os_start_connect/>
<disable_connect_disconnect>0</disable_connect_disconnect>
<show_negotiation_wnd>0</show_negotiation_wnd>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<autoconnect_on_install>0</autoconnect_on_install>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>
9. Save. After FortiClient receives the profile changes from EMS, it can connect to an IPsec VPN tunnel pushed from
FortiADC.
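The profile above has to line up with the FortiADC virtual server from the earlier steps: the connection must use IKEv2 (only IKEv2 tunnels support the FortiADC path), its server must be the virtual-server IP 192.168.1.7, and NAT traversal must be on because the virtual server listens on UDP 4500. As an added example that is not part of the guide, the Python script below lints a trimmed, constructed copy of that profile for those points and additionally flags the AES128|SHA1 proposals and DH group 5 (1536-bit MODP) as legacy choices; the 2048-bit floor and the legacy-hash list are the editor's thresholds, not Fortinet's, and the encrypted preshared key is left out of the excerpt.

```python
"""Lint a FortiClient IPsec VPN profile (as exported from EMS) against the
FortiADC front end configured earlier in this section."""
import xml.etree.ElementTree as ET

# Constructed, trimmed excerpt of the profile above; values are the page's,
# the encrypted preshared key is left out.
PROFILE_XML = """<forticlient_configuration>
  <vpn><ipsecvpn><connections><connection>
    <name>IPSECV2-ADC - internal</name>
    <ike_settings>
      <server>192.168.1.7</server>
      <authentication_method>Preshared Key</authentication_method>
      <version>2</version>
      <nat_traversal>1</nat_traversal>
      <dpd>1</dpd>
      <dhgroup>5</dhgroup>
      <proposals>
        <proposal>AES128|SHA1</proposal>
        <proposal>AES256|SHA256</proposal>
      </proposals>
    </ike_settings>
    <ipsec_settings>
      <dhgroup>5</dhgroup>
      <pfs>1</pfs>
      <replay_detection>1</replay_detection>
      <proposals>
        <proposal>AES128|SHA1</proposal>
        <proposal>AES256|SHA256</proposal>
      </proposals>
    </ipsec_settings>
  </connection></connections></ipsecvpn></vpn>
</forticlient_configuration>"""

FORTIADC_VS_IP = "192.168.1.7"  # virtual-server IP from the FortiADC step above
LEGACY_HASHES = {"MD5", "SHA1"}
MODP_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_MODP_BITS = 2048  # editor's floor; MODP groups below it are flagged


def check_crypto(section: str, el) -> list:
    """Flag legacy integrity algorithms and small MODP groups in one settings block."""
    issues = []
    for p in el.findall("proposals/proposal"):
        _cipher, _, integrity = (p.text or "").partition("|")
        if integrity.upper() in LEGACY_HASHES:
            issues.append(f"{section}: legacy integrity algorithm in proposal {p.text}")
    group = int(el.findtext("dhgroup", default="0"))
    bits = MODP_GROUP_BITS.get(group)
    if bits is not None and bits < MIN_MODP_BITS:
        issues.append(f"{section}: DH group {group} is {bits}-bit MODP, below {MIN_MODP_BITS} bits")
    return issues


def lint_profile(xml_text: str, adc_vs_ip: str = FORTIADC_VS_IP) -> dict:
    """Return {connection name: [issue, ...]} for every IPsec connection in the profile."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("connection"):
        name = conn.findtext("name", default="<unnamed>")
        ike = conn.find("ike_settings")
        ipsec = conn.find("ipsec_settings")
        if ike is None or ipsec is None:
            report[name] = ["missing ike_settings or ipsec_settings"]
            continue
        issues = []
        if ike.findtext("version") != "2":
            issues.append("IKE version is not 2; only IKEv2 tunnels are supported through FortiADC")
        if ike.findtext("server") != adc_vs_ip:
            issues.append(f"server {ike.findtext('server')} is not the FortiADC virtual server {adc_vs_ip}")
        if ike.findtext("nat_traversal") != "1":
            issues.append("NAT traversal is off, but the FortiADC virtual server is on UDP 4500")
        if ike.findtext("dpd") != "1":
            issues.append("dead peer detection is off")
        issues += check_crypto("ike", ike) + check_crypto("ipsec", ipsec)
        report[name] = issues
    return report


if __name__ == "__main__":
    for name, issues in lint_profile(PROFILE_XML).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the profile as shown, the version, server, NAT-T and DPD checks pass and only the four crypto findings remain; the FortiGate debug later in this section confirms the weaker settings are what gets negotiated (proposal 1 with AUTH_HMAC_SHA_96 and MODP1536), so removing the SHA1 proposal and moving to group 14 on both ends is the obvious hardening step before this goes to production.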
payload (61699)
ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699
ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify
payload (61699)
ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:fd23616068ea787b/0000000000000000:897: incoming proposal:
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 1:
ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA_96
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: lifetime=86400
ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
ike V=root:0:ADC Tunnel: created connection: 0xf9e2ff0 5 192.168.1.1->192.168.1.11:4500.
ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:ADC Tunnel:897: processing NAT-D payload
ike V=root:0:ADC Tunnel:897: NAT detected: PEER
ike V=root:0:ADC Tunnel:897: process NAT-D
ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:ADC Tunnel:897: processing NAT-D payload
ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
ike V=root:0:ADC Tunnel:897: process NAT-D
ike V=root:0:ADC Tunnel:897: enable FortiClient endpoint compliance check, use 169.254.7.1
ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
ike V=root:0:ADC Tunnel:897: generate DH public value request queued
ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
5. After the VPN connection succeeds, ping internal servers located behind the FortiGate from the endpoint to verify
that it can access them. Ping should succeed:
ping 192.168.2.4
Pinging 192.168.2.4 with 32 bytes of data:
Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
Reply from 192.168.2.4: bytes=32 time<1ms TTL=127
Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
Reply from 192.168.2.4: bytes=32 time<1ms TTL=127
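The debug output above is worth more than a pass/fail check: it records which IKEv2 proposal the FortiGate actually accepted from FortiClient and whether NAT-T was negotiated. The following is an added example, not FortiClient or FortiOS code, that parses those lines and flags parameters below a minimum policy. The sample log is the guide's own output with the line wraps rejoined, and the thresholds (2048-bit DH minimum, AES-128 minimum, no MD5/SHA1 integrity) are this example's own policy, not a Fortinet setting. Note that the proposal the guide shows negotiates MODP1536 (DH group 5), which this policy flags.

```python
import re

# Constructed sample: the guide's own 'diagnose debug application ike' lines,
# with the extraction line wraps rejoined. Not a new capture.
SAMPLE_IKE_LOG = """\
ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2:
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: lifetime=86400
ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
ike V=root:0:ADC Tunnel: created connection: 0xf9e2ff0 5 192.168.1.1->192.168.1.11:4500.
ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:ADC Tunnel:897: NAT detected: PEER
ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
"""

TRANSFORM_RE = re.compile(
    r"type=(?P<kind>[A-Z_]+), val=(?P<val>[A-Z0-9_]+)(?: \(key_len = (?P<bits>\d+)\))?")
GATEWAY_RE = re.compile(r"SA proposal chosen, matched gateway (?P<gw>.+)$")
CONN_RE = re.compile(r"created connection: \S+ \d+ (?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+)")
NAT_RE = re.compile(r"NAT detected: (?P<who>[A-Z ]+)$")
LIFETIME_RE = re.compile(r"lifetime=(?P<secs>\d+)")

# Policy thresholds of this example (assumption, not a Fortinet recommendation).
MIN_MODP_BITS = 2048   # MODP1536 (DH group 5) falls below this
MIN_AES_BITS = 128


def parse_ike_log(text):
    """Extract the chosen IKE SA transforms, gateway, NAT-T result and peer endpoint."""
    sa = {"transforms": {}, "gateway": None, "nat": set(), "lifetime": None,
          "peer": None, "udp_port": None}
    for line in text.splitlines():
        if (m := TRANSFORM_RE.search(line)):
            val = m.group("val")
            if m.group("bits"):
                val += "-" + m.group("bits")      # e.g. AES_CBC-128
            sa["transforms"][m.group("kind")] = val
        elif (m := GATEWAY_RE.search(line)):
            sa["gateway"] = m.group("gw").strip()
        elif (m := CONN_RE.search(line)):
            sa["peer"], sa["udp_port"] = m.group("dst"), int(m.group("port"))
        elif (m := NAT_RE.search(line)):
            sa["nat"].update(m.group("who").split())   # ME and/or PEER
        elif (m := LIFETIME_RE.search(line)):
            sa["lifetime"] = int(m.group("secs"))
    return sa


def weak_parameters(sa):
    """Return findings for transforms below this example's policy; empty means acceptable."""
    t = sa["transforms"]
    findings = []
    dh = re.fullmatch(r"MODP(\d+)", t.get("DH_GROUP", ""))
    if dh and int(dh.group(1)) < MIN_MODP_BITS:
        findings.append(f"DH_GROUP {t['DH_GROUP']} is below {MIN_MODP_BITS}-bit")
    enc = t.get("ENCR", "")
    bits = re.search(r"-(\d+)$", enc)
    if enc.startswith(("DES", "3DES")) or (bits and int(bits.group(1)) < MIN_AES_BITS):
        findings.append(f"ENCR {enc} is weaker than AES-{MIN_AES_BITS}")
    if any(h in t.get("INTEGR", "") for h in ("MD5", "SHA1")):
        findings.append(f"INTEGR {t['INTEGR']} uses a deprecated hash")
    return findings


def nat_traversal_expected(sa):
    """True when NAT was detected on either side; the SA should then run on UDP 4500."""
    return bool(sa["nat"]) and sa["udp_port"] == 4500


if __name__ == "__main__":
    result = parse_ike_log(SAMPLE_IKE_LOG)
    print(result["gateway"], result["transforms"], sorted(result["nat"]))
    for finding in weak_parameters(result):
        print("WEAK:", finding)
```

Run it against a saved `diagnose debug application ike -1` capture after a FortiClient connection; the proposal that is logged as "SA proposal chosen" is the one in effect, regardless of what the phase 1 proposal list on the FortiGate offers first.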
ZTNA Destinations
You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as
a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure HTTPS
connection, presenting a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the
UID to identify the device and checks the other endpoint information that EMS provides to the FortiGate, which can
include identity and posture information. The FortiGate then allows or denies access as applicable. See the FortiOS
Administration Guide for FortiOS configuration requirements. For TCP forwarding to non-web-based applications, you
must define ZTNA destinations as follows.
You can configure these destinations in a ZTNA Destinations profile in EMS and deploy it to endpoints as part of an
endpoint policy.
c. Configure private applications. You can add a private application by searching for it, importing it from your
device, or by manually adding it. Click Next.
d. Configure SaaS applications by searching for the desired application in the SaaS Applications/Groups field.
Selected applications appear as Will be Added under Changes to Apps/Groups.
e. Click Finish.
In the example topology, the EMS IP address is 172.17.60.8. The FortiGate acts as an access proxy, with virtual
IP address 172.17.60.19 and port 8445. You can use one of the following methods to configure a ZTNA rule that
supports wildcard FQDNs:
l Configuring a ZTNA rule in EMS
l Configuring FortiClient to pull SaaS application information from FortiOS
5. On an endpoint with the profile applied, attempt to access Dropbox in a browser. The browser displays a SAML
authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.
6. To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1.log) to confirm that all traffic
requests to *.dropbox.com, such as to aem.dropbox.com or consent.dropbox.com, go through the ZTNA tunnel.
You can also use the log to verify that FortiClient handles the request to *.dropbox.com.
Note that it can be difficult to capture in a ZTNA rule every URL that a website such as *.dropbox.com embeds.
For this method, you do not need to configure a ZTNA rule as in the previous method. This method assumes that
SSH and RDP TCP forwarding are configured on the FortiGate and continue to work. FortiClient pulls SSH and RDP
rules from the FortiGate based on the EMS portal settings mapped to the FortiGate virtual access proxy server.
FortiClient actively queries FortiGate for ZTNA setting changes every 30 seconds, and pulls changes as needed.
Configure the following in the FortiOS CLI:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set auth-portal enable
        config api-gateway
            edit 5
                set url-map "/saas"
                set service saas
                set application "dropbox"
            next
        end
    next
end
On the endpoint, clear the browser cache and FortiClient SAML cookies, then attempt to access Dropbox. The browser
displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.
To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1_111.log). FortiClient prints all related
FQDNs for a defined application, in this case dropbox.com, and all related URLs contained in the website based on the
ICDB signature, to the ZTNA debug log. The ICDB signature file is in the FortiClient installation directory under vir_sig\icdb,
in JSON format. FortiClient reads the related parts of the ICDB signature file-based SaaS/application settings from FortiOS
and updates them when they change on the FortiOS side.
In this configuration, FortiClient depends on ICDB signatures being updated properly. In this case, FortiClient
automatically and dynamically updates and refreshes the FQDNs if there are any changes in the SaaS applications as
defined in FortiOS. FortiClient also pulls SSH/RDP/SMBA settings and specific FQDNs, including rules using wildcard
formats, from FortiOS, if available.
FortiClient supports using fully qualified domain names (FQDN) as destination hosts in zero trust network access
(ZTNA) TCP forwarding destinations. This allows you to avoid exposing private/internal IP addresses to end users by
using FQDNs instead.
The following shows the topology for this example. This example uses two FQDNs, rdp.win.test and ssh.win.test, in
place of the Windows server IP address, 10.8.24.100. This hides the internal IP address, 10.8.24.100, from end users.
To configure FortiOS:
6. Click OK.
7. In the CLI, set the rdp.win.test and ssh.win.test FQDNs as the domain of the RDP and SSH real servers:
config firewall access-proxy
    edit "ZTNA-test"
        set vip "ZTNA-test"
        set client-cert enable
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "internal_server"
                        set domain "rdp.win.test"
                        set mappedport 3389
                    next
                    edit 2
                        set address "ssh_test"
                        set domain "ssh.win.test"
                        set mappedport 22
                    next
                end
            next
        end
    next
end
8. Ensure that you have configured the ZTNA policy rule and firewall policy as desired.
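Both access-proxy configurations in this section (the SaaS api-gateway above and the tcp-forwarding one just shown) follow the same nested config/edit/set/next/end grammar, which makes them easy to audit from a `show firewall access-proxy` dump. The following is an added example, not FortiOS or FortiClient code, that parses that grammar into a tree and checks the two points this section depends on: `client-cert enable` (without it the proxy cannot read the FortiClient UID from the EMS-issued certificate) and a `domain` plus `mappedport` on every tcp-forwarding real server (without a domain the ZTNA destination has to name the internal IP address). The config text is the guide's own; the checks and their wording are this example's own reading of the guide.

```python
import shlex

# The guide's own FQDN tcp-forwarding configuration, used here as sample input.
FORTIOS_ZTNA_CONFIG = """\
config firewall access-proxy
    edit "ZTNA-test"
        set vip "ZTNA-test"
        set client-cert enable
        config api-gateway
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "internal_server"
                        set domain "rdp.win.test"
                        set mappedport 3389
                    next
                    edit 2
                        set address "ssh_test"
                        set domain "ssh.win.test"
                        set mappedport 22
                    next
                end
            next
        end
    next
end
"""


def parse_fortios_cli(text):
    """Parse nested FortiOS CLI into {table: {entry_id: {setting: value, subtable: {...}}}}.

    'config' opens a table, 'edit' opens an entry, 'set' assigns, 'next' closes an entry
    and 'end' closes a table. Mismatched closers raise ValueError rather than silently
    attaching settings to the wrong object.
    """
    root = {}
    stack = [(root, "root")]            # (container, kind) with kind in root/config/edit
    for raw in text.splitlines():
        parts = shlex.split(raw)        # handles the quoted names FortiOS prints
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        cur = stack[-1][0]
        if cmd == "config":
            stack.append((cur.setdefault(" ".join(args), {}), "config"))
        elif cmd == "edit":
            stack.append((cur.setdefault(args[0], {}), "edit"))
        elif cmd == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "unset":
            cur.pop(args[0], None)
        elif cmd in ("next", "end"):
            if stack[-1][1] != ("edit" if cmd == "next" else "config"):
                raise ValueError(f"unbalanced {cmd!r}: {raw.strip()}")
            stack.pop()
        else:
            raise ValueError(f"unknown keyword {cmd!r}: {raw.strip()}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def tcp_forwarding_targets(cfg):
    """List (proxy, url-map, domain, mappedport) for every tcp-forwarding real server."""
    out = []
    for name, proxy in cfg.get("firewall access-proxy", {}).items():
        for gw in proxy.get("api-gateway", {}).values():
            if gw.get("service") != "tcp-forwarding":
                continue
            for rs in gw.get("realservers", {}).values():
                out.append((name, gw.get("url-map"), rs.get("domain"), rs.get("mappedport")))
    return out


def ztna_findings(cfg):
    """Checks of this example: client-cert on the proxy, domain and mappedport per real server."""
    findings = []
    for name, proxy in cfg.get("firewall access-proxy", {}).items():
        if proxy.get("client-cert") != "enable":
            findings.append(f"{name}: client-cert not enabled, the EMS-issued "
                            "certificate (and the FortiClient UID in it) is not requested")
        for gw_id, gw in proxy.get("api-gateway", {}).items():
            if gw.get("service") != "tcp-forwarding":
                continue
            for rs_id, rs in gw.get("realservers", {}).items():
                where = f"{name}/api-gateway {gw_id}/realserver {rs_id}"
                if "domain" not in rs:
                    findings.append(f"{where}: no domain, the ZTNA destination must "
                                    "then reference the internal IP address")
                if "mappedport" not in rs:
                    findings.append(f"{where}: no mappedport")
    return findings


if __name__ == "__main__":
    tree = parse_fortios_cli(FORTIOS_ZTNA_CONFIG)
    for target in tcp_forwarding_targets(tree):
        print("forward %s%s -> %s:%s" % target)
    print(ztna_findings(tree) or "no findings")
```

Feed it the output of `show firewall access-proxy` (or the full `show full-configuration` if you also want the `firewall vip` objects the proxies reference); the parser does not care which tables are present.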
You can configure ZTNA destinations from EMS or FortiClient. Using EMS is the recommended method. If using
FortiClient, connect to the EMS that is connected to the FortiGate acting as the TCP forwarding server.
1. Go to Endpoint Profiles > ZTNA Destinations.
2. Create the RDP server rule:
a. Click Add Destination.
b. In the Destination Name field, enter the desired name.
c. In the Destination Host field, enter rdp.win.test:<port number>. This field requires an FQDN (or IP address) and
does not accept an unqualified hostname.
d. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is
172.17.81.250:8443.
e. Click Create.
3. Create the SSH server rule:
a. Click Add Destination.
b. In the Destination Name field, enter the desired name.
c. In the Destination Host field, enter ssh.win.test:<port number>. This field requires an FQDN (or IP address) and
does not accept an unqualified hostname.
d. In the Proxy Gateway field, enter the FortiGate IP address and port number. In this example, it is
172.17.81.250:8443.
e. Click Create.
Web Filter
For Windows, macOS, and Linux profiles, you must enable FortiProxy (Disable Only When Troubleshooting) on the
System Settings tab to use the Web Filter options.
Configuration Description
Scheduling Enable to have Web Filter settings only take effect during the
configured schedule. This feature functions based on the system time
in EMS. Time changes on the endpoint do not affect this feature.
Days of Week From the dropdown list, select the days of the week for the schedule.
All Day If desired, enable All Day to schedule Web Filter settings to take
effect all day long on the selected days of the week.
Start At Select the desired time for the Web Filter settings to start on the
selected days of the week. This option is not available if you select All
Day.
End At Select the desired time for the Web Filter settings to end on the
selected days of the week. This option is not available if you select All
Day.
Fallback Action Select the desired action for Web Filter to take for web traffic outside
of the scheduled times.
l When you configure Fallback Action as Allow, FortiClient allows
General
Enable WebFiltering on FortiClient Select Always On to enable client web filtering when on-fabric.
Select Only When Endpoint is Off-Fabric to enable Web Filter on
endpoints only when the endpoint is considered off-Fabric. See On-
fabric Detection Rules on page 183.
Log All URLs Log all URLs. When this setting is disabled, FortiClient only logs
URLs as specified by the per-category or per-URL settings. FortiClient
stores these logs locally, or sends them to FortiAnalyzer if
configured.
Enable Web Browser Plugin for HTTPS Web Filtering Enable a web browser plugin for HTTPS web filtering. This improves
detection and enforcement of Web Filter rules on HTTPS sites. After
this option is enabled, the user must open the browser to approve
installing the new plugin. EMS only installs the web browser plugin for
the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers on
Windows platforms.
Sync Mode When this option is enabled, the web browser waits for a response
from an HTTPS request before sending another HTTPS request.
Check User Initiated Traffic Only Use the web browser plugin for only user-initiated traffic. This allows
for faster processing. When this option is disabled, the plugin checks
all URL requests.
Enable Safe Search For Windows endpoints and Chromebooks, when enabling Safe
Search, you can configure the Restriction Level to Strict or Moderate.
This setting affects the content that endpoint users can access via
YouTube and search engines, including Google and Bing. For
Chromebooks, to set YouTube access to Unrestricted, disable Safe
Search and configure Google Search and YouTube access with the
Google Admin Console instead of FortiClient EMS.
For macOS endpoints, enabling Safe Search sets the endpoint's
Google search to Restricted mode and YouTube access to Strict
Restricted access.
Enabling Safe Search adds records, including Yandex.ru, to the client
device's hosts file in order to redirect search engine requests.
You can enable Safe Search on the Video Filter and Web Filter
profiles. When Safe Search is enabled on both profiles, the more
restrictive settings are applied to YouTube.
Enable HTTPS Deep Inspection Toggle to enable or disable HTTPS deep inspection on FortiClient
(macOS) and FortiClient (Linux) endpoints. When HTTPS deep
inspection is enabled, FortiClient can proxy HTTPS requests and rate
the full HTTPS URL. Otherwise, FortiClient can only rate the domain of
an HTTPS request.
Site Categories Enable site categories from FortiGuard. When site categories are
disabled, only the Exclusion List is enforced.
See the FortiGuard website for descriptions of the available
categories and subcategories.
For all categories, you can configure an action for the entire site
category by selecting one of the following:
l Block
l Warn
l Allow
l Monitor
You can also click the + button beside the site category to view all
subcategories and configure individual actions (Block, Warn, Allow,
Monitor) for each subcategory. The following lists each site category's
subcategories.
l Finance and Banking
l General Organizations
l Government and Legal Organizations
l Information Technology
l Information and Computer Security
l Online Meeting
l Remote Access
l Search Engines and Portals
l Secure Websites
l Web Analytics
l Web Hosting
l Web-based Applications
Rate IP Addresses Have FortiClient request the rating of the site by URL and IP address
separately, providing additional security against attempts to bypass
the FortiGuard Web Filter.
If the rating determined by the domain name and the rating
determined by the IP address differ, a weighting assigned to the
different categories determines the action that FortiClient enforces.
The higher weighted category takes precedence in determining the
action. This has the side effect that sometimes the action is
determined by the classification based on the domain name and other
times it is determined by the classification that is based on the IP
address.
FortiGuard Web Filter ratings for IP addresses are not updated as
quickly as ratings for URLs. This can sometimes cause FortiClient to
allow access to sites that should be blocked, or to block sites that
should be allowed.
Use HTTPS Rating Server By default, Web Filter sends URL rating requests to the FortiGuard
rating server via UDP protocol. You can instead enable Web Filter to
send the requests via TCP protocol.
Allow websites when rating error occurs Configure the action to take with all websites when FortiGuard is
temporarily unavailable. This may occur when an endpoint is forced
to access a network via a captive portal. FortiClient takes the
configured action until contact is reestablished with FortiGuard.
Available options are:
l Block: Deny access to any websites. This may prevent endpoints
FortiGuard Server Location Configure the FortiGuard server location. If FortiGuard Anycast is
selected for the Server field, you can select from global, U.S., or
Europe. If FortiGuard is selected for the Server field, you can select
from global or U.S. When Global is selected, FortiClient uses the
closest FortiGuard server.
FortiClient connects to FortiGuard to query for URL ratings.
The URLs connected to for each server location are as follows:
l FortiGuard:
l Global: fgd1.fortigate.com
l U.S.: usfgd1.fortigate.com
l FortiGuard Anycast:
l Global: fctguard.fortinet.net
l U.S.: fctusguard.fortinet.net
l Europe: fcteuguard.fortinet.net
Keyword Scanning on Search Engine Use rating categories from FortiGuard to allow, block, or monitor
searches for certain terms. This feature is only available for
Chromebooks.
Banned Word Search Enable to configure actions (block or monitor) to take when the user
searches for terms that belong to the following categories:
l Violence/Terrorism
l Extremist
l Pornography
l Cyber Bullying
l Self Harm
Custom Banned Words Configure actions for individual terms. Enable Custom Banned
Words, type the desired term in the Add Word field, then click Add
Word. Configure the action for the term (Block, Monitor, or Allow),
then toggle the Status to On.
You can remove a term from the Custom Banned Word list by
selecting the checkbox beside the term, then clicking the Remove
Word button.
The custom term may belong to a category under Banned Word
Search. If the action configured for the category under Banned Word
Search and the action configured for the term under Custom Banned
Words differ, EMS applies the action configured under Custom
Banned Words.
Exclusion List Adding more than 1000 exclusions is not recommended and can
cause EMS instability.
URL Enter specific URLs to allow, block, or monitor. You can provide the
full URL or only the domain name.
Referrer/Host Enter a specific referrer or host to allow, block, or monitor. You can
provide the full URL or only the domain name.
If the end user visits the URL through the referrer provided,
EMS considers the rule a match and applies the specified action.
If the end user visits the URL directly or through a different referrer,
EMS does not consider the rule a match and does not apply the
specified action.
Move this rule up/Move this rule down Move the exclusion rule up/down in the list. If multiple exclusion rules
are applicable, EMS applies the first applicable exclusion rule.
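The Scheduling rows earlier in this table and the Exclusion List rows above define an evaluation order that is easy to get wrong when building a profile: the schedule (judged by EMS system time, not the endpoint clock) decides whether Web Filter is in effect at all, the Fallback Action covers the time outside it, and inside it the exclusion rules are tried top to bottom with the first applicable rule winning, where a Referrer/Host rule applies only when the page was reached through that referrer. The following is an added example, not FortiClient code, that models exactly those semantics so that a rule order can be tested before it is pushed. The Schedule and Exclusion classes, the sample rules and requests, and the choice to treat a bare domain pattern as also matching its subdomains are this example's own assumptions; what the guide states is only the ordering, the referrer condition, and the fallback.

```python
from datetime import datetime, time
from urllib.parse import urlsplit


class Schedule:
    """Web Filter schedule: days of week, all-day or a start/end window, plus fallback."""

    def __init__(self, days, all_day=False, start=None, end=None, fallback="allow"):
        self.days = set(days)              # Monday=0 .. Sunday=6 (datetime.weekday())
        self.all_day = all_day
        self.start, self.end = start, end
        self.fallback = fallback           # action applied outside the schedule

    def active(self, ems_now):
        # The guide states the schedule runs on EMS system time, so the caller
        # passes the EMS clock, never the endpoint's local time.
        if ems_now.weekday() not in self.days:
            return False
        if self.all_day:
            return True
        return self.start <= ems_now.time() < self.end


class Exclusion:
    """One Exclusion List entry: a URL rule or a Referrer/Host rule with an action."""

    def __init__(self, kind, pattern, action):
        assert kind in ("url", "referrer") and action in ("allow", "block", "monitor")
        self.kind, self.pattern, self.action = kind, pattern.lower(), action

    def _matches_target(self, target):
        parts = urlsplit(target if "://" in target else "http://" + target)
        host = parts.hostname or ""
        if "/" in self.pattern:
            # Full-URL pattern: same host and the request path under the pattern path.
            p = urlsplit(self.pattern if "://" in self.pattern else "http://" + self.pattern)
            return host == p.hostname and parts.path.startswith(p.path or "/")
        # Domain-only pattern: host itself or a subdomain (this example's assumption).
        return host == self.pattern or host.endswith("." + self.pattern)

    def matches(self, url, referrer):
        if self.kind == "url":
            return self._matches_target(url)
        # Referrer/Host rule: only a match when the page was reached via that referrer.
        return referrer is not None and self._matches_target(referrer)


def web_filter_decision(schedule, exclusions, url, referrer, ems_now):
    """Return the configured action string, or None when category rating must decide."""
    if not schedule.active(ems_now):
        return schedule.fallback
    for rule in exclusions:                # first applicable rule wins
        if rule.matches(url, referrer):
            return rule.action
    return None


def example_decisions():
    """Constructed profile and requests showing why rule order matters."""
    sched = Schedule(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0), fallback="allow")
    rules = [
        Exclusion("referrer", "intranet.example", "allow"),       # via the intranet: allow
        Exclusion("url", "filehost.example", "block"),            # blocks the whole domain ...
        Exclusion("url", "filehost.example/public", "allow"),     # ... so this never fires
    ]
    wed = datetime(2024, 6, 12, 10, 0)   # Wednesday, inside the window
    sat = datetime(2024, 6, 15, 10, 0)   # Saturday, outside the schedule
    doc = "https://filehost.example/public/report.pdf"
    return {
        "via_intranet": web_filter_decision(sched, rules, doc, "https://intranet.example/links", wed),
        "direct": web_filter_decision(sched, rules, doc, None, wed),
        "unlisted": web_filter_decision(sched, rules, "https://news.example/", None, wed),
        "weekend": web_filter_decision(sched, rules, doc, None, sat),
    }


if __name__ == "__main__":
    for name, action in example_decisions().items():
        print(f"{name}: {action}")
```

The "direct" case is the one to notice: the domain-wide block sits above the narrower allow, so the allow is dead. Moving the /public rule up with Move this rule up changes the outcome, which is the behaviour the table describes.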
You can import a Web Filter profile from FortiOS or FortiManager into FortiClient EMS, then synchronize the Web Filter
profile settings to an endpoint profile in FortiClient EMS.
This feature is only available if Web Filter is enabled in Feature Select. See Feature Select on page 494.
IP address/Hostname Enter the IP address and port of the FortiGate or FortiManager from which you
are importing the profile, in the format: <ip address>:<port>.
Password Enter the password for the user account entered above.
The list of Web Filter profiles configured on the FortiGate or FortiManager displays.
You can click the </> icon beside each profile to preview the settings in XML format.
5. Select the profiles to import into FortiClient EMS and click Next.
6. Under Synchronization Mode, select one of the following options.
a. One Time Pull: FortiClient EMS does not automatically sync profile changes from the FortiGate or
FortiManager. You can manually sync profile changes after importing the profile. See Syncing profile changes
on page 191.
b. Group Schedule: Configure a group synchronization schedule for all selected profiles. Select the next date and
time to automatically update the profiles, and the profile update interval in days, hours, or minutes.
c. Individual Schedule: Configure an individual synchronization schedule for each selected profile. Select the next
date and time to automatically update each profile, and the profile update interval in days, hours, or minutes.
7. Click Import. EMS imports the selected profiles and displays them in Endpoint Profiles > Import from
FortiGate/FortiManager in a group named after the FortiGate or FortiManager that you imported them from. You can
now configure an EMS endpoint profile to synchronize Web Filter settings from the imported FortiGate or
FortiManager Web Filter profile. See Web Filter on page 303.
8. After importing the profile, you can synchronize the profile from the FortiGate or FortiManager on-demand by
selecting the profile, then clicking Sync Now.
Most search engines provide a Safe Search feature that blocks inappropriate or explicit images from search results. The
Safe Search feature helps avoid most adult content. FortiClient EMS supports Safe Search for most common search
engines, such as Google, Yahoo, and Bing.
The profile in FortiClient EMS controls the Safe Search feature.
Following are examples of search results with the Safe Search feature disabled and enabled. Notice the difference
between the number of results. Here are the search results when the Safe Search feature is disabled, which has about
285000000 results:
Here are the search results when the Safe Search feature is enabled, which has about 256000000 results.
1. In FortiClient EMS, in the Endpoint Profiles > Manage Profiles area, click the Default - Chromebooks profile or
another profile.
2. On the Web Filter tab, enable or disable Enable Safe Search.
You can enable Safe Search on the Video Filter and Web Filter profiles. When Safe Search is enabled on both profiles,
the more restrictive settings are applied to YouTube.
You can configure keyword scanning on search engines for Chromebook endpoints. EMS has a content safeguard
service-provided file with a list of words in various languages for different categories. The Keyword Scanning on Search
Engine feature supports monitoring and blocking searches for banned words that users perform in popular search
engines. You can use this feature to protect students from inappropriate and malicious content.
1. In EMS, go to Endpoint Profiles. Select the desired Chromebook profile, or create a new one.
2. Enable Keyword Scanning on Search Engine.
3. Configure the following features:
Banned Word Search Enable to configure actions (block or monitor) to take when the
user searches for terms that belong to the following categories:
l Violence/Terrorism
l Extremist
l Pornography
l Cyber Bullying
l Self Harm
Custom Banned Words Configure actions for individual terms. Enable Custom Banned
Words, type the desired term in the Add Word field, then click Add
Word. Configure the action for the term (Block, Monitor, or Allow),
then toggle the Status to On.
You can remove a term from the Custom Banned Word list by
selecting the checkbox beside the term, then clicking the Remove
Word button.
The custom term may belong to a category under Banned Word
Search. If the action configured for the category under Banned
Word Search and the action configured for the term under Custom
Banned Words differ, EMS applies the action configured under
Custom Banned Words.
You can view user statistics on the Blocked Search Words and Monitored Search Words widgets in Dashboard >
Chromebook Status.
When the user searches for a banned word, they see the following. In the example, the user searched for "bomb",
which belongs to the Extremist category.
Video Filter
This feature requires the Web Filter profile and Enable Web Browser Plugin for Web Filtering to be enabled. This feature
is only available for FortiClient (Windows) endpoints.
Configuration Description
Categories Enable categories. When categories are disabled, only the channel and video override lists are
enforced.
For all categories, you can configure an action for the entire category by selecting one of the
following:
l Block
l Warn
l Allow
l Monitor
The available categories are:
l Knowledge
l People
l Business
l Lifestyle
l Society
l Entertainment
l Music
l Sports
l Games
l News
Enable Safe Search When enabling Safe Search, you can configure the Restriction Level to Strict or Moderate.
This setting affects the content that endpoint users can access via YouTube.
You can enable Safe Search on the Video Filter and Web Filter profiles. When Safe Search is
enabled on both profiles, the more restrictive settings are applied to YouTube.
Channel Override List Configure access for a specific YouTube channel. In the Channel ID field, enter the YouTube
channel ID. You can also import a list of channels using a CSV file.
If you block access to a channel and allow access to a specific video that belongs to the
blocked channel, FortiClient blocks access to the video. The action configured for the
channel overrides the action configured for the specific video.
Video Override List Configure access for a specific YouTube video. In the Video URL field, enter the video URL in
the format: youtube.com/watch?v=<video ID>. You can also import a list of videos using a
CSV file.
Traffic Action When FortiGuard Server is Unreachable for Rating Select an action for FortiClient to take for
YouTube videos when it cannot reach the FortiGuard server. Select one of the following:
l Block
l Warn
l Allow
l Monitor
FortiGuard Server Location Configure the FortiGuard server location. FortiClient connects to FortiGuard to query for
URL ratings.
The URLs connected to for each server location are as follows:
l Global: fctguard.fortinet.net
l U.S.: fctusguard.fortinet.net
Vulnerability Scan
If you enable both Automatic Maintenance and Scheduled Scan, FortiClient EMS only uses
the Automatic Maintenance settings.
Configuration Description
Scanning
Scan on Vulnerability Signature Update Scan endpoints upon updating a vulnerability signature.
Scan on OS Updates Run system updates for the underlying operating system (OS):
l For an endpoint with Microsoft Windows installed, this option
software updates.
FortiClient notifies the OS to do these updates.
Force Enable Windows Update If you disable this option, FortiClient sends a message to EMS to
specify that the endpoint paused Windows Update.
If you enable this option and Windows Update is in a paused state,
FortiClient deletes the
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
registry key and Windows Update resumes so that FortiClient VCM
can detect OS vulnerabilities again.
Enable Proxy Use the configured proxy settings when downloading updates for
vulnerability patches.
Scan On Configure the day the scan will run. This only applies if the schedule
type is configured to Weekly or Monthly. Select a day of the week
(Sunday through Saturday) or a day of the month (1st through the
31st).
Automatic Patching
Patch Level Patches are installed automatically when vulnerabilities are detected.
Select one of the following:
l Critical: Patch critical vulnerabilities only
l High: Patch high severity and above vulnerabilities
l Medium: Patch medium severity and above vulnerabilities
l Low: Patch low severity and above vulnerabilities
l All: Patch all vulnerabilities.
Automatic patching may require the endpoint to reboot.
Exclusions
Exempt Application Vulnerabilities Requiring Manual Update from Vulnerability Compliance Check All applications
that require the endpoint user to manually patch vulnerabilities are excluded from the
vulnerability compliance check. This option does not exclude applications from
vulnerability scanning.
Exclude Selected Applications from Vulnerability Compliance Check In the <number> Applications list, click the
applications to exclude from the vulnerability compliance check, and they are automatically
moved to the <number> Excluded Applications list.
In the <number> Excluded Applications list, click the applications to
remove from the exclusion list.
Applications on the exclusion list are exempt from needing to install
software patches within the time frame specified in FortiGate
compliance rules to maintain compliant status and network access.
Applications on the list are not excluded from vulnerability scanning.
Disable Automatic Patching for These Applications Disable automatic patching for the applications excluded from
the vulnerability compliance check.
Malware Protection
The Malware Protection profile contains options for configuring antivirus (AV), anti-ransomware, anti-exploit, cloud-
based malware detection, removable media access, exclusions list, and other options. Some options only display if you
enable Advanced view.
Only features that FortiClient EMS is licensed for are available for configuration. See Windows, macOS, and Linux
licenses on page 23 for details on which features each license type includes.
Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.
AntiVirus Protection
Enable AV protection. FortiClient's AV component supports twelve levels of nested compressed files for scanning.
Options Description
Delete Malware Files After Enter the number of days after which to delete malware files from the
client.
Identify Malware and Exploits Using Signatures Received From FortiSandbox Enable to allow FortiClient to use
signatures from FortiSandbox to identify malware and exploits for real-time protection (RTP) and on-
demand scanning. This option is available only if the Sandbox
Detection tab is enabled.
Update Sandbox Signatures Every Enter the number of minutes after which to update signatures.
Action On Virus Discovery l Quarantine Infected Files. You can use FortiClient to view the
quarantined file, virus name, and logs, as well as submit the file
to FortiGuard.
l Deny Access to Infected Files
l Ignore Infected Files
Alert When Viruses Are Detected Displays the Virus Alert dialog when RTP detects a virus while
attempting to download a file via a web browser. The dialog allows
you to view recently detected viruses, their locations, and statuses.
Scan Compressed Files Scan archive files, including zip, rar, and tar files, for threats. RTP
exclusions list default file extensions.
Max Size Only scan files under the specified size. To allow scanning
compressed files of any size, enter 0. For compressed files,
FortiClient supports a maximum file size of 1 GB for AV scanning. For
a compressed file with a size larger than 1 GB, FortiClient scans it
after decompression.
Scan Files Accessed by User Process Configure when RTP should scan files that a user-initiated process
accesses. Select one of the following:
l Scan Files When Processes Read or Write Them
l Scan Files When Processes Read Them
l Scan Files When Processes Write Them
Scan Network Files Scan network files for threats when a user-initiated process accesses
them.
System Process Scanning Enable system process scanning. Select one of the following:
l Scan Files When System Processes Read or Write Them
l Scan Files When System Processes Read Them
l Scan Files When System Processes Write Them
l Do Not Scan Files When System Processes Read or Write Them
Enable Windows Antimalware Scan Interface Enable the Microsoft Antimalware Scan Interface (AMSI). This feature
is only available for Windows 10 endpoints. Through AMSI, FortiClient
scans the in-memory content that the following Windows components
submit for inspection:
l User Account Control (elevation of EXE, COM, MSI, or ActiveX
installation)
l PowerShell (scripts, interactive use, and dynamic code
evaluation)
l Windows Script Host (wscript.exe and cscript.exe)
Enable Machine Learning Analysis Enable or disable machine learning (ML). This feature uses the new
FortiClient AV engine, which incorporates signature-less ML-based
advanced threat detection. The antimalware solution includes ML
models for static and dynamic analysis of threats.
From the Action On Virus Discovery With Machine Learning Analysis
dropdown list, select one of the following:
l Log detection and warn the User: detect the sample, display a
On Demand Scanning
Options Description
Action On Virus Discovery Select one of the following from the dropdown list:
l Warn the User If a Process Attempts to Access Infected Files
l Quarantine Infected Files. You can use FortiClient to view the
quarantined file, virus name, and logs, as well as submit the file
to FortiGuard.
l Ignore Infected Files
Integrate FortiClient into Windows Explorer's Context Menu Adds a Scan with FortiClient AntiVirus option to the
Windows Explorer right-click menu.
Hide AV Scan from Windows Explorer's Context Menu Hide the AV scan option from Windows Explorer's context
menu.
Hide AV Analyse from Windows Explorer's Context Menu Hide the option to submit a file for AV analysis from
Windows Explorer's context menu.
Pause Scanning When Running on Battery Pause scanning when the computer is running on battery power.
Power
Allow Admin Users to Terminate Scheduled and On-Demand Scans from FortiClient Console Control whether the
local administrator can stop a scheduled or on-demand AV scan initiated by the EMS administrator. A user
who is not a local administrator cannot stop a scheduled or on-demand AV
scan regardless of this setting.
Automatically Submit Suspicious Files to FortiGuard for Analysis Automatically submit suspicious files to FortiGuard
for analysis. You do not receive feedback for files submitted for analysis. The
FortiGuard team can create signatures for any files that are submitted
for analysis and determined to be malicious.
Scan Compressed Files Scan archive files, including zip, rar, and tar files, for threats.
Max Size Only scan files under the specified size (in MB). To allow scanning
compressed files of any size, enter 0. For compressed files,
FortiClient supports a maximum file size of 1 GB for AV scanning. For
a compressed file with a size larger than 1 GB, FortiClient scans it
after decompression.
Max Scan Speed on Computers With Select the minimum amount of memory that must be installed on a
computer to maximize scan speed. AV maximizes scan speed by
loading signatures on computers with a minimum amount of memory:
l 4 GB
l 6 GB
l 8 GB
l 12 GB
l 16 GB
Enable Machine Learning Analysis Enable or disable machine learning (ML). This feature uses the new
FortiClient AV engine, which incorporates signature-less ML-based
advanced threat detection. The antimalware solution includes ML
models for static and dynamic analysis of threats.
From the Action On Virus Discovery With Machine Learning Analysis
dropdown list, select one of the following:
l Log detection and warn the User: detect the sample, display a
Scan On If Weekly is selected, select the day of the week to perform the scan.
If Monthly is selected, select the day of the month to perform the scan.
If you configure monthly scans to occur on the 31st of each month,
the scan occurs on the first day of the month for months with fewer
than 31 days.
rootkits. The quick scan only scans executable files, DLLs, and
drivers that are currently running for threats.
l Full: Runs the rootkit detection engine to detect and remove
rootkits. In the Scan Folder field, enter the full path of the folder
on your local hard disk drive to scan.
Scan Priority Set to Low, Normal, or High. This refers to the amount of processing
power that the scan uses and its impact on other processes.
Scan Removable Media Scan connected removable media, such as USB drives, for threats, if
present.
Scan Network Drives Scan attached or mounted network drives for threats.
Enable Scheduled Scans Even When a Third-Party AV Product Is Present Enable scheduled scans even when a
third-party AV product is present.
Anti-Ransomware
Enable anti-ransomware to protect specific files, folders, or file types on your endpoints from unauthorized changes. After detecting ransomware behavior on the endpoint, FortiClient restores files that were encrypted by the detected ransomware. FortiClient automatically updates antiransomware signatures and engines as available from FortiGuard Distribution Servers.
Options Description
Protected Folders: Select the desired folders from the list, or click Add Folder to add a custom directory. FortiClient antiransomware protects all content in the selected folders against unauthorized changes. To remove a folder, select it, then click Remove Folder. This field supports path variables.
Protected File Types: Enter the desired file types to protect from suspicious activity, separating each file type with a comma. Do not include the leading dot when entering a file type. For example, to include text files, enter txt, as opposed to .txt.
Action: Select the desired action for when antiransomware detects suspicious activity:
- Terminate ransomware behavior with Anti-Ransomware detection: FortiClient terminates the suspicious processes, which can include child processes, depending on the ransomware, and quarantines the files that the detected ransomware modified. If you enable Enable File Backup, FortiClient backs up files from the protected locations and recovers the files from the backup folder to the protected locations. If you disable Enable File Backup, FortiClient cannot recover the files. You can allowlist the quarantined files if you must access them. See Allowlisting quarantined files on page 413.
- Wait for user response with Anti-Ransomware detection: suspend the processes and display a popup asking the user if they want to terminate the process:
  - If the user selects Yes, FortiClient terminates the process as described for Terminate ransomware behavior with Anti-Ransomware detection.
  - If the user selects No, FortiClient resumes the processes unless the process has already exited by the time of detection.
  - If the user does not select an option, FortiClient waits for the configured Action Timeout, then terminates the process as described for Terminate ransomware behavior with Anti-Ransomware detection.
- Monitor only with Anti-Ransomware detection: log when anti-ransomware detects suspicious activity.
Bypass Valid Signer: Enable FortiClient to exclude a process from the selected antiransomware action if it has a valid signer. FortiClient considers the file as having a valid signer if it is digitally signed with a valid certificate issued by a trusted certificate authority (CA). Enabling this feature may reduce false positives and speed up file analyses.
Enable File Backup: Enable FortiClient to restore files that the detected ransomware encrypted after detecting ransomware behavior on the endpoint.
Backup Interval: Enter the desired backup interval value in hours. FortiClient backs up files in protected folders that were last modified at a time that is longer ago than the backup interval value. The backup only occurs when the files are modified.
Backup File Size Limit: Enter the desired size limit in MB for ransomware-encrypted files for FortiClient to back up. The size limit refers to the original file size, not the size after encryption.
Free Disk Quota: Enter the desired backup disk quota value as a percentage of free disk space.
Anti-Exploit
Enable the anti-exploit engine to detect suspicious processes (payloads) running from legitimate applications. You must enable Real-Time Protection for the Anti-Exploit feature to function.
Enable cloud-based malware outbreak detection. The cloud-based malware protection feature helps protect endpoints from high-risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:
1. A high-risk file is downloaded or executed on the endpoint.
2. FortiClient generates a SHA1 checksum for the file.
3. FortiClient sends the checksum to FortiGuard, which checks it against the FortiGuard checksum library to determine if it is malicious.
4. If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.
This feature only submits high-risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high-risk file types is the same as the list of file types submitted to Sandbox by default.
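The four-step workflow above, written out as an added Python example (not code from the guide or from Fortinet) so the interplay of the settings is visible: only high-risk extensions are hashed and submitted, a missing cloud result is handled by the Deny Access to File When There Is No Cloudscan Result setting, and a library hit is handled by the configured remediation action. The checksum library and the sample files are constructed here; the FortiGuard query is a stand-in function.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the FortiGuard checksum library: SHA-1 digests of
# constructed byte strings, not hashes of real malware.
KNOWN_MALICIOUS_SHA1 = {
    hashlib.sha1(b"constructed-malicious-sample").hexdigest(),
}

# High-risk file types the guide names as examples of what gets submitted.
HIGH_RISK_EXTENSIONS = {".exe", ".doc", ".pdf", ".dll"}


def sha1_of_file(path):
    """Step 2: hash the file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def query_fortiguard(checksum, reachable=True):
    """Step 3 stand-in. Returns True (known malicious), False (not in the library),
    or None when no result could be obtained, e.g. FortiGuard is unreachable."""
    if not reachable:
        return None
    return checksum in KNOWN_MALICIOUS_SHA1


def decide_access(path, action="Quarantine", deny_when_no_result=True, reachable=True):
    """Apply the workflow to one file. Returns 'allow', 'quarantine', 'alert' or 'deny'.
    `action` mirrors the Remediation Actions setting (Quarantine or Alert & Notify);
    `deny_when_no_result` mirrors Deny Access to File When There Is No Cloudscan Result."""
    if os.path.splitext(path)[1].lower() not in HIGH_RISK_EXTENSIONS:
        return "allow"                       # step 1: only high-risk types are submitted
    verdict = query_fortiguard(sha1_of_file(path), reachable)
    if verdict is None:                      # no cloud scan result
        return "deny" if deny_when_no_result else "allow"
    if verdict:                              # step 4: checksum found in the library
        return "quarantine" if action == "Quarantine" else "alert"
    return "allow"


def write_sample(name, data):
    """Create a constructed sample file in a temp directory and return its path."""
    directory = tempfile.mkdtemp(prefix="cloudscan-demo-")
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    bad = write_sample("installer.exe", b"constructed-malicious-sample")
    print(decide_access(bad))                                  # quarantine
    print(decide_access(bad, action="Alert & Notify"))         # alert
    print(decide_access(bad, reachable=False))                 # deny
    print(decide_access(write_sample("notes.txt", b"constructed-malicious-sample")))  # allow
```

The last call shows the extension filter at work: the same bytes in a .txt file are never submitted, so no verdict is ever produced for them, which is why a defence-in-depth layer such as real-time scanning still matters for non-high-risk types.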
Options Description
Server
Wait for Cloudscan Results before Allowing File Access: Have the endpoint user wait for cloud scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There Is No Cloudscan Result: Deny access to downloaded files if there is no cloud scan result. This may happen if FortiClient EMS cannot reach FortiGuard.
All Files Executed from Removable Media: Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives: Submit all files executed from mapped network drives.
Exclude Files from Trusted Sources: Exclude files signed by trusted sources from cloud-based malware protection submission. FortiClient considers the file as from a trusted source if it is digitally signed with a valid certificate issued by a trusted CA. Enabling this feature may reduce false positives and speed up file analyses.
Remediation Actions
Action: Choose Quarantine or Alert & Notify for malicious files. The user can access the file depending on the Wait for Cloudscan Results before Allowing File Access and Deny Access to File When There Is No Cloudscan Result configuration. Whether FortiClient quarantines the file depends on whether FortiGuard reports the file as malicious.
Control access to removable media devices, such as USB drives. You can configure rules to allow or block specific removable devices.
FortiClient (macOS) and (Linux) only support the action configured for Default removable media access. FortiClient (macOS) and (Linux) do not support other removable media access rules received from EMS.
For the class, manufacturer, vendor ID, product ID, and revision, you can find the desired values for the device in one of the following ways:
- Microsoft Windows Device Manager: select the device and view its properties.
- USBDeview
Options Description
Show bubble notifications: Display a bubble notification when FortiClient takes action with a removable media device.
Action: Configure the action to take with removable media devices connected to the endpoint that match this rule. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that
rule.
Move this rule up/down: Move this rule up or down. If a connected device is eligible for multiple rules, FortiClient applies the highest rule to the device.
Default removable media access: Configure the action to take with removable media devices that do not match any configured rules. Available options are:
- Allow: Allow access to removable media devices connected to the endpoint that do
Exclusions
Enable exclusions from AV scanning. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are supported.
Having a longer exclusion list affects AV performance. It is advised to keep the exclusion list as short as possible.
When excluding a network share, you may enter the path using drive letters (Z:\folder\) or the UNC path (\\172.17.60.193\fileserver\folder).
Options Description
Paths to Excluded Folders: Enter fully qualified excluded folder paths in the provided text box to exclude these folders from RTP and on-demand scanning.
Paths to Excluded Files: Enter fully qualified excluded file paths in the provided text box to exclude these files from RTP and on-demand scanning.
File Extensions Excluded from Real-Time Protection: RTP skips scanning files with the specified extensions.
File Extensions Excluded from On Demand Scanning: On-demand AV protection skips scanning files with the specified extensions.
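To make the wildcard and path-variable rules above concrete, here is an added Python example (not code from the guide or from Fortinet) that expands the listed variables, matches a file path against folder and file exclusions including UNC paths, and flags exclusions broad enough to cover an entire drive or profile. The same syntax is used by the Sandbox tab's Exclude Specified Folders/Files list, so the matcher applies there too. The variable values are constructed for a user named alice; on a real endpoint they come from the OS, and the matcher is an illustration, not FortiClient's internal logic.

```python
import fnmatch
import ntpath
import re

# Constructed values for the path variables the guide lists (a typical Windows
# layout for a user named alice); on a real endpoint these come from the OS.
PATH_VARIABLES = {
    "%allusersprofile%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%localappdata%": r"C:\Users\alice\AppData\Local",
    "%systemroot%": r"C:\Windows",
    "%systemdrive%": "C:",
    "%userprofile%": r"C:\Users\alice",
    "%windir%": r"C:\Windows",
}

_VARIABLE = re.compile(r"%[a-z]+%", re.IGNORECASE)


def expand_variables(entry):
    """Substitute the supported path variables. An unsupported variable is left
    untouched so that a typo yields a pattern that matches nothing rather than a
    silent, over-broad exclusion."""
    return _VARIABLE.sub(lambda m: PATH_VARIABLES.get(m.group(0).lower(), m.group(0)), entry)


def normalize(path):
    # Windows paths are case-insensitive; unify separators and case before comparing.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_excluded(path, excluded_folders, excluded_files):
    """True if `path` lies under an excluded folder or matches an excluded file pattern."""
    candidate = normalize(path)
    for folder in excluded_folders:
        root = normalize(expand_variables(folder)).rstrip("\\")
        if candidate == root or candidate.startswith(root + "\\"):
            return True
    for pattern in excluded_files:
        # fnmatch gives '*' the wildcard meaning the guide describes; a bare '*.jrs'
        # matches that extension anywhere because '*' also spans directory separators.
        if fnmatch.fnmatchcase(candidate, normalize(expand_variables(pattern))):
            return True
    return False


def audit_folder_exclusions(excluded_folders):
    """Report folder exclusions that cover an entire top-level location: these blind
    real-time protection to most of the endpoint and deserve a second look."""
    top_level = {normalize(v).rstrip("\\") for v in (
        PATH_VARIABLES["%systemdrive%"] + "\\",
        PATH_VARIABLES["%windir%"],
        PATH_VARIABLES["%userprofile%"],
    )}
    findings = []
    for folder in excluded_folders:
        root = normalize(expand_variables(folder)).rstrip("\\")
        if root in top_level:
            findings.append(f"{folder} excludes all of {root}")
    return findings
```

Note the asymmetry the audit relies on: an exclusion such as %windir%\Temp is narrow, while %windir% or %systemdrive%\ on its own removes most of the system from scanning, which is the kind of entry worth questioning when the exclusion list has grown over time.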
Other
Options Description
Scan for Rootkits: Scan for files implementing advanced OS hooks used by malware to protect themselves from being shut down, killed, or deleted. A rootkit is a collection of programs that enables administrator-level access to a computer or computer network. Typically a rootkit is installed on a computer after first obtaining user-level access by exploiting a known vulnerability or cracking a password.
Scan for Adware: Scan for adware. Adware is a form of software that downloads or displays unwanted ads when a user is online.
Scan for Riskware: Scan for riskware. Riskware refers to legitimate programs which, when installed and executed, present a possible but not definite risk to the computer.
Enable Advanced Heuristics: Enable AV scanning with heuristic signatures. Advanced heuristics is a sequence of heuristics to detect complex malware.
Scan Removable Media on Insertion: Scan removable media on insertion. FortiClient scans the following media types on insertion:
- Floppy drives
- Thumb drives
- CD-ROM drives
- RAM disks
Scan Email: Scan emails for threats over the SMTP and POP3 protocols.
Scan MIME Files (Inbox Files): Scan inbox email content with Multipurpose Internet Mail Extensions (MIME) file types. MIME is an Internet standard that extends the format of email to support the following:
- Text in character sets other than ASCII
- Non-text attachments (audio, video, images, applications)
- Message bodies with multiple parts
Sandbox
Enable Sandbox Detection. Some options only display if you enable Advanced view.
Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the zero trust network access license, the FortiClient Cloud Sandbox (SaaS) options are unavailable. See Windows, macOS, and Linux licenses on page 23 for details on which features each license type includes.
For each endpoint, FortiClient can send a maximum of 300 files daily to FortiClient Cloud Sandbox (SaaS). If multiple files are submitted around the same time, FortiClient sends one file to FortiClient Cloud Sandbox (SaaS), waits until it receives the verdict for that file, then sends the next file to FortiClient Cloud Sandbox (SaaS).
This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.
Options Description
Server
Account ID: Optional. Enter the FortiSandbox Cloud account ID. You should only use this option when configuring a FortiSandbox Cloud using the FQDN.
Username: Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 143.
Password: Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details on page 143.
Region: FortiClient Cloud Sandbox (SaaS) region. See Configuring FortiGuard Services settings on page 484.
Time Offset: FortiClient Cloud Sandbox (SaaS) time offset. See Configuring FortiGuard Services settings on page 484.
License Status: Displays the Sandbox Cloud license status. Using FortiClient Cloud Sandbox (SaaS) requires an additional license. See FortiClient EMS on page 22.
Excluded File Extensions: Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.
Wait for FortiSandbox Results before Allowing File Access: Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.
Deny Access to File When There Is No Sandbox Result: Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.
All Files Executed from Removable Media: Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.
All Files Executed from Mapped Network Drives: Submit all files executed from mapped network drives.
Remediation Actions
Action: Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on the Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on whether FortiSandbox reports the file as malicious and on the FortiSandbox Detection Verdict Level setting.
FortiSandbox Detection Verdict Level: Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).
Exceptions
Exclude Files from Trusted Sources: Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources trusted by FortiSandbox:
- Microsoft
- Fortinet
- Mozilla
- Windows
- Google
- Skype
- Apple
- Yahoo!
- Intel
Exclude Specified Folders/Files: Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list. FortiClient EMS supports using wildcards and path variables to specify files and folders to exclude from scanning. EMS supports the following wildcards and variables:
- Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
- Using wildcards to exclude all files with a specified extension, such as *.jrs
- Path variable %allusersprofile%
- Path variable %appdata%
- Path variable %localappdata%
- Path variable %systemroot%
- Path variable %systemdrive%
- Path variable %userprofile%
- Path variable %windir%
Combinations of wildcards and variables are supported.
Inclusions
Include Specified Folders/Files: Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.
Other
Hide Sandbox Scan from Windows Explorer's Context Menu: Hide the Sandbox scan option from Windows Explorer's right-click context menu.
Notification Type: Select the desired notification type to display to end users when FortiClient Cloud Sandbox (SaaS) detects an infected file:
- Lite: Displays a notification balloon when FortiSandbox detects malware in a submission.
- None: Does not display any notification for FortiSandbox file submissions, malware detection, or quarantine.
In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.
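The two behaviours in this section that are easiest to misjudge are the verdict threshold (the configured action applies only at the configured FortiSandbox Detection Verdict Level or above) and the per-endpoint submission discipline (one file in flight at a time, at most 300 per day). The following is an added Python example, not code from the guide or from Fortinet, that models both with a stand-in `analyze` function in place of the sandbox; the verdict ordering is the one the guide lists (Clean, Low Risk, Medium, High, Malicious), and the file names and verdicts are constructed.

```python
from collections import deque

# Verdict scale in the order the guide gives for FortiSandbox Detection Verdict Level.
VERDICT_LEVELS = ["clean", "low risk", "medium", "high", "malicious"]
DAILY_LIMIT = 300  # files per endpoint per day, per the guide


def meets_level(verdict, configured_level):
    """True when the sandbox verdict is at the configured level or higher."""
    return VERDICT_LEVELS.index(verdict.lower()) >= VERDICT_LEVELS.index(configured_level.lower())


def remediation(verdict, configured_level, action="Quarantine"):
    """Action FortiClient applies to a file with this verdict: the configured action
    (Quarantine or Alert & Notify) at or above the level, otherwise none."""
    if not meets_level(verdict, configured_level):
        return "none"
    return "quarantine" if action == "Quarantine" else "alert"


class EndpointSubmitter:
    """Serialized, capped submission as the guide describes: one file in flight at a
    time, wait for its verdict, then the next file; at most DAILY_LIMIT files per day.
    `analyze` stands in for the sandbox and returns a verdict string."""

    def __init__(self, analyze, level="Medium", action="Quarantine"):
        self.analyze = analyze
        self.level = level
        self.action = action
        self.sent_today = 0
        self.pending = deque()
        self.results = []

    def enqueue(self, path):
        self.pending.append(path)

    def run(self):
        """Drain the queue; returns [(path, verdict or None, remediation)]."""
        while self.pending:
            path = self.pending.popleft()
            if self.sent_today >= DAILY_LIMIT:
                # Over the daily cap: nothing is sent, so there is no verdict to act on.
                self.results.append((path, None, "not submitted"))
                continue
            self.sent_today += 1
            verdict = self.analyze(path)  # blocks until the sandbox returns a verdict
            self.results.append((path, verdict, remediation(verdict, self.level, self.action)))
        return self.results


if __name__ == "__main__":
    constructed_verdicts = {"dropper.exe": "High", "invoice.pdf": "Low Risk"}
    submitter = EndpointSubmitter(lambda p: constructed_verdicts.get(p, "Clean"))
    for name in constructed_verdicts:
        submitter.enqueue(name)
    for row in submitter.run():
        print(row)   # ('dropper.exe', 'High', 'quarantine'), ('invoice.pdf', 'Low Risk', 'none')
```

Because the queue is serial and each verdict is awaited before the next submission, a burst of downloads is processed in arrival order; anything beyond the daily cap receives no verdict at all, which is a case the Deny Access to File When There Is No Sandbox Result setting speaks to.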
Firewall
FortiClient does not include SSL deep inspection. As FortiClient cannot apply signatures marked as "Deep Inspection", do not use these signatures in a profile.
Configuration Description
General
Notification Bubbles on User's Desktop When Applications Are Blocked: Enable notification bubbles when applications are blocked.
Detect & Block Exploits: Inspect network traffic for intrusions attempting to exploit known vulnerabilities.
Block Known Communication Channels Used by Attackers: Enable Command and Control (C&C) detection using IP reputation database signatures. Check network traffic against known C&C IP address plus port number combinations.
When you enable Detect & Block Exploits in an Application Firewall profile in EMS, FortiClient inspects network traffic for intrusions attempting to exploit known vulnerabilities and blocks application traffic based on the intrusion prevention system (IPS) signature IDs. You can define exceptions to allow any application traffic based on the IPS signature ID. You can obtain the signature IDs from FortiGuard Labs. Application Firewall allows access to application traffic that matches signature IDs configured in the pass action list. You can configure multiple signature IDs on the same rule.
This feature is helpful for when you want to allow network access for an application that Detect & Block Exploits blocks. In the example, Veeam Data Platform, a data backup and restore application, backs up data to a remote server through Remote.CMD.Shell. The example configures an exception for the Remote.CMD.Shell IPS signature ID to allow network access to the Veeam application. If you do not configure an exception, Application Firewall detects Remote.CMD.Shell as an exploit and blocks Veeam application traffic.
          </rule>
          <rule>
            <enabled>1</enabled>
            <action>monitor</action>
            <category>
              <id>8</id>
            </category>
          </rule>
          <rule>
            <enabled>1</enabled>
            <action>pass</action>
            <ips>
              <id>12449</id>
            </ips>
          </rule>
        </rules>
      </profile>
    </profiles>
  </firewall>
  <endpoint_control>
    <ui>
      <display_firewall>1</display_firewall>
    </ui>
  </endpoint_control>
</forticlient_configuration>
After an endpoint (Endpoint A) receives the configuration update, you can access Endpoint A's Command Prompt from
another endpoint (Endpoint B) if Endpoint B has an application installed for launching a remote command shell. You can
pass Windows commands to execute on Endpoint A from Endpoint B. FortiClient on Endpoint A does not block the
execution of these commands because of the configuration of Remote.CMD.Shell IPS signature ID (12449) as an
exception.
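Since a pass rule widens what the endpoint lets through, it is worth being able to list the exceptions a profile grants before pushing it. The following is an added Python example, not code from the guide or from Fortinet, that parses the rule structure shown in the excerpt above (an action plus either a category id or an IPS signature id per rule) and reports which signature IDs enabled pass rules exempt. The wrapping XML is reconstructed from the excerpt, the disabled rule with placeholder id 99999 is constructed to show that `<enabled>` is honoured, and first-match evaluation is an assumption, since the guide does not state the evaluation order.

```python
import xml.etree.ElementTree as ET

# Constructed configuration that copies the rule structure of the excerpt above
# (category rule with id 8 set to monitor, IPS rule with id 12449 set to pass) and adds
# one disabled rule with a placeholder id 99999 to show that <enabled> is honoured.
SAMPLE_CONFIG = """<forticlient_configuration>
  <firewall>
    <profiles>
      <profile>
        <rules>
          <rule>
            <enabled>1</enabled>
            <action>monitor</action>
            <category><id>8</id></category>
          </rule>
          <rule>
            <enabled>1</enabled>
            <action>pass</action>
            <ips><id>12449</id></ips>
          </rule>
          <rule>
            <enabled>0</enabled>
            <action>pass</action>
            <ips><id>99999</id></ips>
          </rule>
        </rules>
      </profile>
    </profiles>
  </firewall>
</forticlient_configuration>"""


def enabled_rules(config_xml):
    """Yield the <rule> elements whose <enabled> flag is set."""
    root = ET.fromstring(config_xml)
    for rule in root.iterfind("./firewall/profiles/profile/rules/rule"):
        if rule.findtext("enabled") == "1":
            yield rule


def ips_pass_exceptions(config_xml):
    """IPS signature IDs that enabled pass rules exempt from Detect & Block Exploits.
    Reviewing this list is the quickest way to see what the profile lets through."""
    ids = set()
    for rule in enabled_rules(config_xml):
        if rule.findtext("action") == "pass":
            ids.update(int(i.text) for i in rule.iterfind("./ips/id"))
    return sorted(ids)


def action_for_signature(config_xml, signature_id):
    """Action of the first enabled rule naming this signature (first match is an
    assumption; the guide does not state the evaluation order). None means no
    exception exists, so Detect & Block Exploits handles the signature normally."""
    for rule in enabled_rules(config_xml):
        if any(int(i.text) == signature_id for i in rule.iterfind("./ips/id")):
            return rule.findtext("action")
    return None


if __name__ == "__main__":
    print(ips_pass_exceptions(SAMPLE_CONFIG))            # [12449]
    print(action_for_signature(SAMPLE_CONFIG, 12449))   # pass
    print(action_for_signature(SAMPLE_CONFIG, 99999))   # None (rule is disabled)
```

Run against an exported profile, `ips_pass_exceptions` gives the review list; for the Veeam case above it should contain 12449 and nothing the backup job does not need.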
System Settings
The majority of these configuration options are only available for Windows, macOS, and Linux profiles. The table indicates which options are available for Chromebook profiles, such as Upload Logs to FortiAnalyzer/FortiManager. Some options are only available when Advanced view is enabled.
Configuration Description
Require Password to Disconnect from EMS: Turn on password lock for FortiClient.
Password: Enter a password. The endpoint user must enter this password to disconnect FortiClient from FortiClient EMS.
Allow endpoint admin to disconnect without a password: This setting is only available if you enable System Setting > UI > Require Password to Disconnect from EMS and provide a password. This allows the FortiClient endpoint administrator to uninstall FortiClient using the msiexec command line without needing to use the configured EMS disconnection password. This feature is especially useful if you are using a mobile device management solution to deploy FortiClient. Because FortiClient endpoint users have no administrative privileges, there is no risk that an endpoint user could intentionally or accidentally uninstall FortiClient.
Do Not Allow User to Back Up Configuration: Disallow users from backing up the FortiClient configuration.
Allow User to Shutdown When Registered to EMS: Allows the user to shut down FortiClient while registered to EMS. This feature is only available for FortiClient (Windows).
Hide User Information: Hide the User Details panel where the user can provide user details (avatar, name, phone number, email address), and link to a social media (LinkedIn, Google, Salesforce) account.
Hide System Tray Icon: Hide the FortiClient system tray icon.
Show Host Tag on FortiClient GUI: Show the applied host tag on the FortiClient GUI. See Security Posture Tags on page 367.
Default Tab: From the dropdown list, select the tab for FortiClient to display by default when the user opens the console.
Client-Based Logging When On-Fabric: Include local log messages when FortiClient is on-fabric. FortiClient hides the Export log and Clear log options from the GUI when the endpoint is off-fabric. FortiClient still sends logs to FortiAnalyzer, if one is configured. If the FortiAnalyzer is unreachable because the endpoint is off-fabric, FortiClient retains the logs until it can reach FortiAnalyzer and forward the logs. See On-fabric Detection Rules on page 183.
Upload Logs to FortiAnalyzer/FortiManager: This option and all nested options are available for Chromebook profiles. Configure endpoints to send logs to the FortiAnalyzer or FortiManager at the specified address or hostname. The Upload UTM Logs, Upload System Event, and Upload Security Event fields only apply to FortiClient 6.4.3 and later versions. The Upload Vulnerability Logs and Upload Event Log fields only apply to FortiClient 6.4.2 and earlier versions.
Upload UTM Logs: Upload unified threat management (traffic) logs to FortiAnalyzer or FortiManager.
Event telemetry interval: Enter the interval in seconds for FortiClient to upload OS events to FortiAnalyzer or FortiManager.
Upload Schedule: Configure the interval in minutes for FortiClient to upload logs to FortiAnalyzer or FortiManager. If there are no logs, no upload takes place.
Log Generation Timeout: Configure the maximum time in seconds for FortiClient to gather logs before sending them to FortiAnalyzer or FortiManager.
Log Retention: Configure the amount of time in days that logs are kept locally on the endpoint before FortiClient starts to overwrite them.
Proxy
Use Proxy for Updates: Access FortiGuard using the configured proxy. FortiClient (macOS) does not support signature updates via proxy.
Use Proxy for Virus Submission: Use the configured proxy to submit viruses to FortiGuard.
Port: Enter the proxy server's port number. The port range is from 1 to 65535.
Username: If the proxy requires authentication, enter the username. Enter the encrypted or non-encrypted username.
Password: If the proxy requires authentication, enter the password. Enter the encrypted or non-encrypted password. Enable Show Password to show the password in plain text.
Use FortiManager for Client Signature Update: Enable FortiClient EMS to obtain antivirus (AV) signatures from the FortiManager at the specified IP address or hostname.
FortiGuard Server Location: Configure the FortiGuard server location. If FortiGuard Anycast is selected for the Server field, you can select from global, U.S., or Europe. If FortiGuard is selected for the Server field, you can select from global or U.S. When Global is selected, FortiClient uses the closest FortiGuard server. FortiClient connects to FortiGuard to query for AV and vulnerability scan engine and signature updates. The URLs connected to for each server location are as follows:
- FortiGuard:
  - Global: forticlient.fortinet.net
  - U.S.: usforticlient.fortinet.net
- FortiGuard Anycast:
  - Global: fctupdate.fortinet.net
  - U.S.: fctusupdate.fortinet.net
  - Europe: fcteuupdate.fortinet.net
Endpoint Control
Show Bubble Notifications: Show bubble notifications when FortiClient installs new policies on endpoints.
Log off When User Logs Out of Windows: Log off FortiClient when the endpoint user logs out of Windows. Turn off to remain logged in.
Disable Disconnect: Forbid users from disconnecting FortiClient from FortiClient EMS.
Send Software Inventory: Send installed application information to FortiClient EMS. If the Upload Logs to FortiAnalyzer/FortiManager option is enabled, the endpoint also sends the software inventory information to FortiAnalyzer. See Software Inventory on page 385. This feature requires the EPP license. See FortiClient EMS on page 22.
Invalid Certificate Action: Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:
- Allow: allows FortiClient to connect to EMS with an invalid certificate.
- Warn: warn the user about the invalid server certificate. Ask the
certificate.
Enable Forensics Feature: Enable the forensic analysis feature. You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS. See Requesting forensic analysis on an endpoint on page 361.
Enable DNS Cache: When enabled, FortiClient uses the previously resolved EMS IP address only when the DNS server fails to respond to the endpoint DNS query. FortiClient keeps the cached EMS IP address in memory.
Allow Users to Specify Identity Using: Enable users to specify their identity in FortiClient using the following methods:
- Manually entering their details in FortiClient
services:
- LinkedIn
- Google
- Salesforce
By default, EMS obtains user details from the endpoint OS. If the user provides their details using one of the methods above, EMS obtains the user-specified details instead. If this option is disabled, EMS obtains and displays user details from the endpoint OS.
Notify Users to Submit User Identity Information: Displays a notification on the endpoint for the user to specify their identity. If the user closes the notification without specifying their identity, the notification displays every ten minutes until the user submits their identity information.
Other
Install CA Certificate on Client: Turn on to select and install a CA certificate on the FortiClient endpoint. You can add certificates by going to Endpoint Policy & Components > CA Certificates. See CA Certificates on page 181.
FortiClient Single Sign-On Mobility Agent: Enable Single Sign-On Mobility Agent (SSOMA) for FortiAuthenticator. To use this feature you need to apply a FortiClient SSO mobility agent license to your FortiAuthenticator. When SSOMA is enabled and a Windows user locks their screen, disconnects from RDP, or the device sleeps from inactivity, FortiClient SSOMA is not logged out and stays in the FortiAuthenticator logging session. If a different user signs in, FortiClient sends a logout message to FortiAuthenticator for the original user, then a logon message with the new user. If the original user logs in, the user session is not interrupted. The <prefer_azure> element affects this feature. See SSOMA.
Pre-Shared Key: Enter the preshared key. The preshared key should match the key configured on your FortiAuthenticator.
iOS
Distribute Configuration Profile: EMS no longer supports this option. See one of the following for instructions on pushing configuration to FortiClient (iOS):
- Creating a Mobileconfig profile
Privacy
Send Usage Statistics to Fortinet: Submit virus information to FDS. Fortinet uses this information to improve product quality and user experience.
Privileged Access Agent: Enable privileged access management (PAM). This enables FortiClient to communicate with FortiPAM.
Port: Enter the port for FortiClient to use to communicate with FortiPAM. The default port for this communication is 9191. If you change this value, ensure that you also change it in FortiPAM.
The System Setting profile has several settings available to configure for client signature updates. The following
summarizes which setting takes effect in various scenarios:
You can assign different user identification options to different endpoints. These options, visible in FortiClient, include:
- User input
- OS
- LinkedIn
- Google
- Salesforce
EMS sends a notification to the endpoint where the user must enter their login information. If the user closes the
notification without entering any information, the notification appears again within ten minutes.
1. In EMS, go to Endpoint Profiles. Select the desired System Settings profile or create a new one.
2. Under User Identity Settings, enable the desired user identification method.
3. If desired, enable Notify Users to Submit User Identity Information.
4. Click Save.
When Notify Users to Submit User Identity Information is enabled, the user sees the following notification on the
endpoint. If Manually Enter User Details is enabled, the user can enter their information manually.
FortiPAM integration
To configure the FortiPAM integration for FortiClient, you must configure the following:
- FortiPAM. The following instructions assume that you have a licensed FortiPAM ready for configuration. See To configure FortiPAM: on page 348.
- Enable the FortiPAM feature in EMS. If using a standalone FortiPAM agent, there is no EMS involved. See To enable the FortiPAM feature in EMS: on page 350.
- Install FortiClient with the FortiPAM feature enabled, then register FortiClient to EMS. Ensure that the FortiPAM password filler extension is installed in the browser. See To install FortiClient with the FortiPAM feature enabled and verify the configuration: on page 351.
This document also describes the following use cases:
- To configure a secret for SSH to a FortiGate: on page 351
- To use a secret to log in to a website: on page 352
To configure FortiPAM:
            edit 1
                set url-map "/pam"
                set service pam-service
            next
            edit 2
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "all"
                    next
                end
            next
            edit 3
                set service gui
                config realservers
                    edit 1
                        set ip 127.0.0.1
                        set port 80
                    next
                end
            next
        end
    next
end
config firewall policy
    edit 1
        set type access-proxy
        set uuid 075cff8c-4e1e-51ed-4d83-41cb5da1944e
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "fortipam_access_proxy"
        set groups "SSO_Guest_Users"
        set ssl-ssh-profile "deep-inspection"
    next
end
6. Log in to FortiPAM as the admin user account. Add a "demo" user that will be used to log in to FortiPAM to launch predefined secrets for the user, or allow the user to create their own secret:
config system admin
    edit "demo"
        set accprofile "Power User"
        set password "1"
    next
end
7. Create a secret folder. This example folder is called "f-demo". In FortiPAM, each secret must belong to a secret folder. The FortiPAM administrator can assign appropriate permissions for a user to the folder, such as owner or view-only permissions. Give owner permissions to the demo and admin users for the f-demo folder:
config secret folder
    edit 5
        set name "f-demo"
8. Add the "RDP Secret Launcher" secret and make it display in the f-demo folder. This example folder ID is 5:
config secret database
    edit 22
        set name "RDP Secret Launcher"
        set folder 5
        set template "Windows Machine"
        set recording enable
        set proxy enable
        set block-rdp-clipboard disable
        set rdp-service-status up
        set samba-service-status up
        config credentials-history
        end
        config field
            edit 1
                set name "Host"
                set value "172.17.60.8"
            next
            edit 2
                set name "Username"
                set value "qa"
            next
            edit 3
                set name "Password"
                set value "ENC lLUCAA722LevoHAohj7+Jnsyp0A="
            next
        end
    next
end
1. The default port for communication between FortiPAM and EMS is 9191. This must match the port configured in
FortiPAM in System > Settings > Client Port. To use a custom port, modify the port in both EMS and FortiPAM. In
EMS, go to Endpoint Profiles > System Settings.
2. Edit the desired profile or create a new one.
3. Enable Privileged Access Agent.
4. In the Port field, enter 9191.
5. Click Save.
6. Go to System Settings > ZTNA Destinations.
7. Enable Allow Personal Destinations. You must enable Allow Personal Destinations for FortiPAM to proxy RDP and
SSH connections.
8. Click Save.
To install FortiClient with the FortiPAM feature enabled and verify the configuration:
1. On an endpoint with the FortiPAM feature enabled, open Task Manager. Confirm that the Fortvrs.exe and
Fortitcs.exe daemons are running.
2. On the desired browser, ensure that the FortiPAM password filler extension is installed.
3. In FortiPAM, go to Secrets > Secret List.
4. Select RDP Secret Launcher, then click Launch Secret.
5. Select Remote Desktop-Windows, then click Launch.
6. In the prompt, select Yes. You should successfully log in to the remote Windows machine without needing to enter
credentials.
c. Add a secret for SSH to FortiGate, using secret ID 23. The following commands enable proxy and session
recording. Replace the demo, host, username, password, and URL values for your own configuration before
running the commands:
5. In Microsoft Edge, log in to FortiPAM as the demo user to launch the secret and ensure that it works properly by
going to Secrets > Secret List, selecting the newly created secret, and clicking Launch Secret. Edge is preferred
over Chrome and Firefox for testing this configuration. You should be able to log in to FortiOS successfully without
needing to provide credentials. A PuTTY dialog opens. After the end of the session, go to Log & Reports >
Secrets > Secret Video to ensure that a video was recorded as configured.
The following provides instructions on how to use a secret to log in to a website. The example website is AWS.
1. Log in to FortiPAM and create a secret to log in to AWS:
config secret database
edit 25
set name "Login AWS"
set folder 5
set template "AWS Web Account"
By default, debug logs for the FortiClient-side FortiPAM daemon (fortivrs.exe) are enabled. The log files have the
following names, and you can find them in the trace folder:
l fortivrs_session_0_1.log
l fortivrs_session_1_1.log
The file C:\Users\Public\FortiClient\ztna\config.json contains the zero trust network access (ZTNA) rules. In the
example from To use a secret to log in to a website: on page 352, the file contains one ZTNA rule entry as follows:
{"rules":[{"name":"InternalPamRuleItem1","mode":"transparent","destination":"aws.amazon.com:443","gateway":"172.17.162.166:443","encryption":0}]}
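As an added example (not code from the guide or from FortiClient), the following Python audits a config.json body of the shape shown above: it checks every rule for the keys the page's entry shows, parses destination and gateway as host:port, and flags rules whose encryption value is 0 (the non-encryption ZTNA mode). The sample input is the page's single-rule entry embedded as a constructed string; the individual check names and the expectation that the gateway host is an IP address literal are assumptions, since the guide documents only this one entry.

```python
import json
import re
from ipaddress import ip_address

# Constructed sample: the single-rule config.json entry shown on the page.
SAMPLE_CONFIG = (
    '{"rules":[{"name":"InternalPamRuleItem1","mode":"transparent",'
    '"destination":"aws.amazon.com:443","gateway":"172.17.162.166:443",'
    '"encryption":0}]}'
)

# Keys present in the page's example rule entry (assumed to be required).
REQUIRED_KEYS = {"name", "mode", "destination", "gateway", "encryption"}
HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def parse_hostport(value):
    """Split 'host:port' and check the port range; returns (host, port) or None."""
    m = HOSTPORT_RE.match(value) if isinstance(value, str) else None
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def audit_ztna_rules(text):
    """Parse a config.json body and return one finding dict per rule.

    problems: structural defects (missing keys, malformed destination/gateway).
    warnings: settings a defender would review (non-encryption mode, gateway
    given as a name rather than an IP literal).
    """
    doc = json.loads(text)
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list):
        raise ValueError('config.json must contain a "rules" array')
    findings = []
    for idx, rule in enumerate(rules):
        if not isinstance(rule, dict):
            findings.append({"index": idx, "name": "<invalid>", "mode": None,
                             "problems": ["rule is not an object"], "warnings": []})
            continue
        problems, warnings = [], []
        missing = REQUIRED_KEYS - set(rule)
        if missing:
            problems.append("missing keys: " + ", ".join(sorted(missing)))
        if parse_hostport(rule.get("destination")) is None:
            problems.append("destination is not host:port")
        gw = parse_hostport(rule.get("gateway"))
        if gw is None:
            problems.append("gateway is not host:port")
        else:
            try:
                ip_address(gw[0])
            except ValueError:
                warnings.append("gateway host is not an IP address literal")
        # encryption 0 is the non-encryption ZTNA mode selectable via the toggle.
        if rule.get("encryption") == 0:
            warnings.append("rule uses non-encryption mode")
        findings.append({"index": idx, "name": rule.get("name", "<unnamed>"),
                         "mode": rule.get("mode"), "problems": problems,
                         "warnings": warnings})
    return findings


if __name__ == "__main__":
    for finding in audit_ztna_rules(SAMPLE_CONFIG):
        print(finding)
```

Run it against the live file by reading C:\Users\Public\FortiClient\ztna\config.json and passing its contents to audit_ztna_rules; a rule with a non-empty problems list would not be one FortiClient produced from a valid EMS profile.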
To debug on the FortiPAM side, you can do the following:
l Go to Network > Packet Capture.
l Use the following commands to troubleshoot:
diagnose debug enable
diagnose wad debug enable level verbose
diagnose wad debug enable category secret
diagnose wad debug enable category ssh
diagnose debug console timestamp enable
You must separately purchase FortiClient single sign on mobility agent (SSOMA) licenses to use SSO features with
FortiAuthenticator. Most key privileged access management (PAM) features require the FortiClient PAM agent. FortiClient
supports installing SSOMA and the FortiPAM agent on the same device.
You can use the following methods to install FortiPAM and SSOMA on the same device. You can also use these same
methods to upgrade an existing SSOMA-only or FortiPAM-only endpoint to include both features:
l Method 1: Install FortiPAM, export and edit the configuration file to include the SSOMA configuration, and reimport
the configuration file.
l Method 2: Install and run the SSO configuration tool file to create new installer files, and run the installers to install
or upgrade the FortiClient PAM agent.
To use Method 1:
To use Method 2:
The FortiClient single sign on mobility agent (SSOMA) supports the following features:
l Support for pure Microsoft Entra ID (formerly known as Azure Active Directory (AD)) mode. SSOMA sends the Entra
ID domain and tenant ID to FortiAuthenticator in pure/native Entra ID mode.
l Sends FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator.
l Sets the SNI field when communicating with FortiAuthenticator.
The following uses two use cases to illustrate these features. Use case A illustrates a scenario using a local AD.
Use case B illustrates a scenario using a pure/native Entra ID or a hybrid Entra ID.
1. Configure FortiAuthenticator:
a. In FortiAuthenticator, go to Fortinet SSO Methods > SSO > General.
b. Toggle on Enable FortiClient SSO Mobility Agent Service.
c. In the FortiClient listening port field, enter 8001.
d. Toggle on Enable authentication.
e. In the Secret key field, enter the desired preshared key. In this example, it is Fortinet123!
3. After FortiClient connects to EMS and receives the profile changes, go to Settings. Under Advanced, confirm that
SSOMA is enabled and the configuration is updated.
4. Under Logging, click Export logs. Confirm that SSOMA sends the FortiClient UUID and EMS serial number/tenant
ID to FortiAuthenticator:
6/13/2023 11:38:04 AM debug fsso UUID:2ECE708...
ii. Go to Home > Manage Azure Active Directory > View button > Manage > Devices > Device Settings.
Enable Users may join devices to Entra ID.
c. Create an enterprise application:
i. Go to Home > Manage Azure Active Directory > View button > Manage > Enterprise Applications > New
Application > Create Your Own Application.
ii. Select Integrate any other application you don't find in the gallery (Non-gallery). Configure other settings
as desired.
d. Set the newly created enterprise application as a directory reader:
i. Go to Home > Manage Azure Active Directory > View button > Manage > Roles and Administrators.
ii. In the Administrative Roles list, search for and select Directory Readers.
iii. Add Assignments > Search for the name of the newly created enterprise application > Add button.
e. Register the enterprise application with the Microsoft Identity Platform and generate an authentication key:
i. Go to Home > Manage Azure Active Directory > View button > Manage > App Registrations > All
Applications.
ii. Search for and select the newly created enterprise application.
iii. Click Manage > Certificates & Secrets > New Client Secret.
iv. In the Add a Client dialog, set a description and expiry date, then click Add.
v. Note down the string in the Value column. This value is only visible immediately after creation and will be
hidden after you leave this page. You will use this value later.
2. In EMS, edit the desired endpoint profile's XML configuration to match the IP address, port, and PSK configured on
the FortiAuthenticator, and to have FortiClient detect Azure user information and send it to FortiAuthenticator:
<fssoma>
<enabled>1</enabled>
<serveraddress>fac0824.local:8001</serveraddress>
<presharedkey>Fortinet123!</presharedkey>
<prefer_azure>1</prefer_azure>
</fssoma>
4. Connect the endpoint with Entra ID. On the endpoint, go to Settings > Accounts. Beside Add a work or school
account, click Connect.
5. Install FortiClient on the endpoint. Go to Settings and verify that FortiClient has received the SSOMA configuration
from EMS.
6. In FortiAuthenticator, go to Monitor > SSO > SSO Sessions. Confirm that there is an entry for the endpoint.
7. In FortiClient, go to Settings > Logging and click Export logs. Confirm that SSOMA sends the FortiClient UUID and
EMS serial number/tenant ID to FortiAuthenticator:
6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), Calling of
RunExternalProgram is successful
6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), username:jkim,
domain:fortinetvan.onmicrosoft.com, tenantID:f1a72219-...
6/13/2023 11:29:30 AM debug fsso strAZUsername:jkim,
strAZDomain:fortinet.onmicrosoft.com, strAZTenantID:f1a72219-...
6/13/2023 11:29:30 AM debug fsso session ID:2 has added to session table
6/13/2023 11:29:30 AM debug fsso Succeede to add session 2
6/13/2023 11:29:30 AM debug fsso Found current user, session ID: 2
6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been
called, dwSession:65536
6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for
session ID:65536,error:2
6/13/2023 11:29:30 AM debug fsso Failed to get token for session
ID:65536,error:2
6/13/2023 11:29:30 AM debug fsso failed to add session 65536
6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been
called, dwSession:65537
6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for
session ID:65537,error:2
6/13/2023 11:29:30 AM debug fsso Failed to get token for session
ID:65537,error:2
6/13/2023 11:29:30 AM debug fsso failed to add session 65537
6/13/2023 11:29:30 AM debug fsso current active session 2
6/13/2023 11:29:30 AM debug fsso Found current logon session 2 in session
list
6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress is
called
6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress:1325
IPv4 address:192.168.90.5
6/13/2023 11:29:30 AM debug fsso EMS SN:FCTEMS882...
6/13/2023 11:29:30 AM debug fsso Start to resolve address for
FortiAuthenticator:fac0824.local, TICC:-1981885328, TID:9452
6/13/2023 11:29:30 AM debug fsso Succeeded to resolve address for
FortiAuthenticator:fac0824.local, FAC IP:172.19.200.110, TICC:-1981885328, TID:9452
6/13/2023 11:29:30 AM debug fsso SendAndReceive(), Local IP:192.168.90.5,
FAC IP:172.19.200.110, FAC Port:8001, TICC:-1981885312, TID:9452
6/13/2023 11:29:30 AM info fsso date=2023-06-13 time=11:29:29 logver=1
id=96980 type=securityevent subtype=fsso eventtype=status level=info
uid=FDE6A554A2... devid=FCT800... hostname=Arjuna pcdomain=N/A
deviceip=192.168.90.5 devicemac=00-15-5d-23-03-3f site=default fctver=7.2.1.0759
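The following Python, added here and not part of the guide or of FortiClient, reads an exported SSOMA log and pulls out the fields the step says to confirm: the FortiClient UUID, the EMS serial number, the Entra ID tenant ID, and the FortiAuthenticator address and port the agent resolved and sent to. The sample log is an excerpt of the lines printed above, joined back onto single lines, with values truncated with "..." exactly as the page prints them; the field names and the comparison of the FAC port against 8001 (the listening port configured in step 1) are assumptions.

```python
import re

# Excerpt of the SSOMA debug lines shown on the page, one record per line.
SAMPLE_LOG = """\
6/13/2023 11:38:04 AM debug fsso UUID:2ECE708...
6/13/2023 11:29:30 AM debug fsso strAZUsername:jkim, strAZDomain:fortinet.onmicrosoft.com, strAZTenantID:f1a72219-...
6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65536,error:2
6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65537,error:2
6/13/2023 11:29:30 AM debug fsso current active session 2
6/13/2023 11:29:30 AM debug fsso EMS SN:FCTEMS882...
6/13/2023 11:29:30 AM debug fsso SendAndReceive(), Local IP:192.168.90.5, FAC IP:172.19.200.110, FAC Port:8001, TICC:-1981885312, TID:9452
"""

# Field names are assumed; the patterns follow the log text shown on the page.
FIELD_PATTERNS = {
    "uuid": re.compile(r"\bfsso UUID:(\S+)"),
    "az_user": re.compile(r"strAZUsername:([^,\s]+)"),
    "az_domain": re.compile(r"strAZDomain:([^,\s]+)"),
    "az_tenant": re.compile(r"strAZTenantID:(\S+)"),
    "ems_sn": re.compile(r"EMS SN:(\S+)"),
    "fac_ip": re.compile(r"FAC IP:([0-9.]+)"),
    "fac_port": re.compile(r"FAC Port:(\d+)"),
    "active_session": re.compile(r"current active session (\d+)"),
}
# Sessions for which no user token could be obtained (the page's sample shows
# 65536 and 65537 failing while the interactive session 2 was used).
TOKEN_FAIL = re.compile(r"WTSQueryUserToken for session ID:(\d+),error:(\d+)")


def summarize_ssoma_log(text):
    """Return the first value seen for each field (None if absent) plus all token failures."""
    summary = {name: None for name in FIELD_PATTERNS}
    summary["token_failures"] = []
    for line in text.splitlines():
        for name, pattern in FIELD_PATTERNS.items():
            if summary[name] is None:
                m = pattern.search(line)
                if m:
                    summary[name] = m.group(1)
        m = TOKEN_FAIL.search(line)
        if m:
            summary["token_failures"].append((m.group(1), m.group(2)))
    return summary


def verify_ssoma_log(text, expected_port=8001):
    """List what is missing or inconsistent; an empty list means the export shows what the step expects."""
    summary = summarize_ssoma_log(text)
    issues = []
    for key in ("uuid", "ems_sn", "az_tenant"):
        if summary[key] is None:
            issues.append(f"{key} not found in log")
    if summary["fac_port"] is not None and int(summary["fac_port"]) != expected_port:
        issues.append(f"FAC port mismatch: expected {expected_port}, log shows {summary['fac_port']}")
    return issues


if __name__ == "__main__":
    print(summarize_ssoma_log(SAMPLE_LOG))
    print(verify_ssoma_log(SAMPLE_LOG) or "SSOMA export looks complete")
```

Point the script at the file produced by Export logs; if az_tenant is missing while uuid and ems_sn are present, the endpoint is most likely not joined to Entra ID or prefer_azure is not set to 1 in the profile XML.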
You can request forensic analysis on a suspected device from on-premise EMS. The Fortinet forensics team
investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.
You can only request forensic analysis for Windows endpoints.
You must apply the Forensics license to EMS to access this feature. The following assumes that you have acquired and
applied the license as necessary.
d. Click Save.
e. Include this profile in a policy, and apply the policy to the desired endpoint.
3. Request analysis:
a. Go to Endpoints > All Endpoints.
b. Select the desired endpoint.
c. Under Forensics Analysis, click Request Analysis.
4. Complete the questionnaire:
a. In the Summary of the Issue field, enter a description of the issue that you are observing on the endpoint.
b. In the Reason of Escalation field, select the desired option, or enter another reason in the Other field.
c. In the First Identified Activity field, enter the date that you first observed the issue.
d. In the Actions Taken to Date field, select any actions you took to resolve this issue.
e. In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
f. If desired, provide details in the Comment field.
5. Click Finish. Once you submit the request, EMS notifies FortiClient, and the forensics agent on the endpoint starts
collecting forensics logs. FortiClient uploads the logs to the cloud and shares a link with the analyst. In EMS, you
can see the status of the analysis request in the endpoint summary:
Status Description
l Cancelled: indicates one of the following:
l The analyst needed more information about the endpoint to perform the analysis.
l The EMS administrator canceled the request.
l Completed: the analyst has completed analysis on the endpoint and shared the result in a PDF document. You can
download the report from the endpoint summary's Forensic Analysis section.
Agent Status Status of the forensic agent collecting logs on the endpoint. Possible statuses are:
l Pending: EMS has notified FortiClient that a forensic analysis request is
forensics logs.
l Upload Started: FortiClient has started to upload the logs to the cloud.
cloud.
l Upload Failed: FortiClient failed to upload the logs to the cloud.
6. Once the analysis is complete, you can click Download Report in the endpoint summary to view the details. You can
also view the verdict that the analyst arrived at. You can also filter the endpoint list based on whether the forensics
service is enabled, the status, and verdict.
XML Configuration
Configuration Description
XML editor Configure the endpoint profile using the XML editor. See the FortiClient XML Reference Guide.
You can configure FortiClient profile settings in FortiClient EMS by using XML or a custom XML configuration file. The
custom XML file must include all settings required by the endpoint at the time of deployment. For information about how
to configure a profile with XML, see the FortiClient XML Reference.
1. Go to Endpoint Profiles > Manage Profiles, and click the Add button.
2. In the Profile Name field, enter a name for the profile.
3. Click the Advanced button. The XML Configuration tab displays, and the profile configuration displays in XML.
4. Click the XML Configuration tab, and click the Edit button.
5. Edit the XML.
6. Click Test XML.
7. Click Save to save the profile.
FortiClient supports encryption and non-encryption modes for Zero Trust Network Access (ZTNA) via a toggle switch.
You can manually add ZTNA rules in the FortiClient GUI or receive rules from EMS. This feature requires the following
prerequisites:
l A Security Fabric connector between FortiOS and EMS must be configured.
l FortiOS ZTNA-related settings must be configured properly. See ZTNA TCP forwarding access proxy example.
Zero trust network access (ZTNA) is an access control method that uses client device identification, authentication, and
security posture tags to provide role-based application access. It gives administrators the flexibility to manage network
access for on-net local users and off-net remote users. Access to applications is granted only after verifying the device,
authenticating the user’s identity, authorizing the user, and then performing context-based posture checks using security
posture tags.
Traditionally, a user and a device have different sets of rules for on-net access and off-net VPN access to company
resources. With a distributed workforce and access that spans company networks, data centers, and cloud, managing
the rules can become complex. User experience is also affected when multiple VPNs are needed to get to various
resources. ZTNA can improve this experience.
You can create security posture tagging rules for endpoints based on their operating system versions, logged in
domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints. FortiOS can use the
dynamic endpoint groups to build dynamic policy rules.
When using ZTNA, configuring dynamic DNS (DDNS) updates as Secure only is not supported.
See the Zero Trust Application Gateway Admin Guide for more information about ZTNA.
You can create, edit, and delete security posture tagging rules for endpoints. You can also view and manage the tags
used to dynamically group endpoints.
The following occurs when using security posture tagging rules with EMS and FortiClient:
1. EMS sends security posture tagging rules to endpoints via Telemetry communication.
2. FortiClient checks endpoints using the provided rules and sends the results to EMS. When endpoint network
changes or user log-on/log-off events occur, FortiClient triggers an X-FFCK-TAG message to EMS, even if there
are no tag changes. Once EMS receives the tags, it processes them immediately, and FortiOS tags are updated
within five seconds from the REST API response. For other tag changes, FortiClient sends the information to EMS
regularly as per the configured keepalive intervals. See Configuring EMS settings on page 472.
3. EMS receives the results from FortiClient.
4. EMS dynamically groups endpoints together using the tag configured for each rule. You can view the dynamic
endpoint groups in Security Posture Tags > Security Posture Tag Monitor. See Security Posture Tag Monitor on
page 377.
1. Go to Security Posture Tags > Security Posture Tagging Rules, and click Add.
2. In the Name field, enter the desired rule name.
3. In the Tag Endpoint As dropdown list, select an existing tag or enter a new tag. EMS uses this tag to dynamically
group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
4. Toggle Enabled on or off to enable or disable the rule.
5. (Optional) In the Comments field, enter any desired comments.
6. Click Add Rule.
7. Configure the rules:
a. For OS, select the desired OS. This affects what rule types are available.
b. From the Rule Type dropdown list, select the rule type and configure the related options. Ensure that you click
the + button after entering each criterion. See Security posture tagging rule types on page 370 for descriptions
of the rule types.
c. Click Save.
d. Configure additional rules as desired.
8. By default, an endpoint must satisfy all configured rules to be eligible for the rule set. You may want to apply the tag
to endpoints that satisfy some, but not all, of the configured rules. In this case, you can modify the rule set logic. For
example, consider that you want to apply the same tag to endpoints that fulfill one of the following criteria:
l Running Windows 10
With the default rule set logic, an endpoint would be eligible for the rule set if it is running Windows 7 or 10 and has
AV software installed and running. To modify the rule set logic, do the following:
a. Click Edit Logic.
b. Clicking Edit Logic assigns a numerical value to each configured rule. In the Rule Logic field, enter the desired
logic for the rule set using these numerical values. You can combine rules with "and" and "or"; you cannot use
"not". You can also use parentheses to group rules. For this example, you would enter (1 and 3) or 2 to indicate
that endpoints that satisfy both the AV and Windows 7 rules (rules 1 and 3), or only the Windows 10 rule (rule 2),
satisfy the rule set. To restore the default logic, click Default Logic.
9. Click Save.
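The following Python evaluates rule set logic of the form described in step 8, as an added example (not EMS code): it parses a Rule Logic expression built from rule numbers, and, or and parentheses, rejects not, and applies the default logic (every rule must match) when no expression is given. The three rules and the sample endpoints are constructed from the page's own example (rule 1 = AV software installed and running, rule 2 = running Windows 10, rule 3 = running Windows 7). The guide does not state operator precedence; the parser assumes and binds tighter than or, as in most boolean expression languages, which is why the page's example uses parentheses.

```python
import re

# Tokens accepted in the Rule Logic field: parentheses, rule numbers, and/or.
# "not" is tokenized only so that it can be rejected with a clear message.
TOKEN_RE = re.compile(r"\s*(\(|\)|\d+|and|or|not)\s*", re.IGNORECASE)


def tokenize(expr):
    """Split a Rule Logic expression into lowercase tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected text at position {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1).lower())
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := number | '(' or_expr ')'."""

    def __init__(self, tokens, results):
        self.toks, self.i, self.results = tokens, 0, results

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()   # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_atom()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_atom()
            value = value and rhs
        return value

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == "not":
            raise ValueError("not is not allowed in rule set logic")
        if tok is None or not tok.isdigit():
            raise ValueError(f"expected a rule number, got {tok!r}")
        number = int(tok)
        if number not in self.results:
            raise ValueError(f"rule {number} is not in the rule set")
        return bool(self.results[number])


def evaluate_rule_set(logic, results):
    """results maps rule number -> whether the endpoint satisfies that rule.
    logic is the Rule Logic string, or None/blank for the default (all rules)."""
    if logic is None or not logic.strip():
        return all(results.values())
    parser = _Parser(tokenize(logic), results)
    value = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return value


if __name__ == "__main__":
    # Constructed endpoints evaluated against the page's example rule set.
    endpoints = {
        "win10-no-av": {1: False, 2: True, 3: False},
        "win7-av": {1: True, 2: False, 3: True},
        "win7-no-av": {1: False, 2: False, 3: True},
    }
    for name, results in endpoints.items():
        print(name, "default:", evaluate_rule_set(None, results),
              "custom:", evaluate_rule_set("(1 and 3) or 2", results))
```

Because EMS only applies a tag when the whole rule set is satisfied, running a candidate expression against a few representative endpoints like this before clicking Save is a cheap way to confirm the logic tags exactly the population you intend.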
You can import and export a security posture tagging rule set as a JSON file.
You can use a security posture tagging rule as a predefined rule for FortiGuard outbreak alerts by uploading rule
signatures.
To configure a security posture tagging rule as a predefined rule for outbreak alerts by uploading rule
signatures:
3. In the Import FortiGuard Outbreak Alert Signatures dialog, upload a JSON file. The JSON file should contain an
array of alert objects, each with a tag name and array of signatures. Each signature should have the following
properties: os (windows, mac, linux, ios, android), type (file, registry, process), and
content. If the import succeeds, EMS displays a FortiGuard outbreak alert signatures imported successfully
message. If the file is formatted incorrectly, EMS shows an Invalid JSON error.
4. View tagged endpoints in Security Posture Tags > Security Posture Tag Monitor.
Managing tags
To manage tags:
The following table describes security posture tagging rule types and the operating systems (OS) that they are available
for. For all rule types, you can configure multiple conditions using +.
AntiVirus Software
OS: Windows, macOS, Linux
From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have antivirus
(AV) software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the
rule to require that the endpoint does not have AV software installed or running, or that the AV signature is not
up-to-date.
This rule applies for FortiClient AV and third-party AV software that registers with the Windows Security Center. The
third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the
Windows Security Center to determine what third-party AV software is installed and whether the software reports its
signatures as up-to-date.
l For Windows, this feature supports third-party AV applications.
l For Windows Server, macOS, and Linux, this feature can only
Certificate
OS: Windows, macOS, Linux
In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to
indicate that the rule requires that a certain certificate is not present on the endpoint.
For Windows and macOS, FortiClient checks certificates in the current user personal store and the local computer
personal store. It does not check the trusted root or other stores.
For Linux, FortiClient checks root CA certificates installed on the system. For Ubuntu, FortiClient checks
/etc/ssl/certs/ca-certificates.crt. For CentOS and Red Hat, FortiClient checks /etc/pki/tls/certs/ca-bundle.crt. For
Linux, FortiClient does not check user certificates.
The Subject CN field supports wildcards, regular expressions, and case-insensitive matching. You can also leave the
Subject CN field blank. The Issuer CN field does not support wildcards or regular expressions.
The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require
certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not
certificate C.
Common Vulnerabilities and Exposures
OS: Windows, macOS, Linux
In the CVEs field, enter the common vulnerabilities and exposures (CVE) ID in the format CVE-xxxx-xxxxx. For
example, you could enter CVE-2020-26950. You can also use the NOT option to indicate that the rule requires that a
CVE is not present on the endpoint.
EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.
EMS Management
OS: Windows, macOS, Linux, iOS, Android
EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to
EMS.
File
OS: Windows, macOS, Linux
In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain
file is not present on the endpoint.
The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to
require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.
Firewall Threat
OS: Windows, macOS
In the Firewall Threat ID field, enter the firewall threat ID. You can find this ID in FortiGuard or on the Firewall
Events tab of the endpoint details page. You can also use the NOT option to indicate that the rule requires that a
firewall threat is not present on the endpoint.
EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.
FortiClient Version
OS: Windows, macOS, Linux, iOS, Android
In the FortiClient Version field, enter the desired FortiClient version. You can use comparators to configure the rule
to apply to endpoints with a range of FortiClient versions.
You can also use the NOT option for the rule to require that the endpoint not have a certain version of FortiClient
installed.
FortiEDR
OS: Windows, macOS, Linux
From the FortiEDR dropdown list, select FortiEDR is installed and running. EMS considers the endpoint as satisfying
the rule if the endpoint has FortiEDR installed and running.
IP Range
OS: Windows, macOS, Linux, iOS, Android
In the IP Range field, enter the IP address range. If the rule is configured for multiple ranges, EMS considers the
endpoint as satisfying the rule if it belongs to one of the configured ranges.
Logged in Domain
OS: Windows, macOS, Linux
In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the
endpoint as satisfying the rule if it belongs to one of the configured domains.
On-Fabric Status
OS: Windows, macOS, Linux, iOS, Android
By default, the rule requires that the endpoint is on-Fabric. You can also use the NOT option to indicate that the rule
requires that the endpoint is off-Fabric.
OS Version
OS: Windows, macOS, Linux, iOS, Android
From the OS Version dropdown list, select the OS version. You can use comparators to configure the rule to apply to
endpoints with a range of OS versions. Only FortiClient 7.2.2 and later versions support comparators. FortiClient
7.2.1 and earlier versions do not support comparators and apply rules with comparators as if they use =.
If the rule set is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one
of the configured OS versions installed.
The following options are available for Windows:
l Enable latest update check: FortiClient checks if Windows OS
Registry Key
OS: Windows
In the Key field, enter the registry path or value name enclosed in square brackets [ ]. End the path with \ to
indicate a registry path, or omit the trailing \ to indicate a registry value name. In the Key Name field, enter the
registry key name, enclosed in double quotation marks "". From the dropdown list, select the desired comparator. In
the Value field, enter the desired key value. For a dword key value, enter the value as dword:<value>. For example,
if the dword key value is 1, enter dword:1 in the Value field. For a non-dword key value, enter the value enclosed in
double quotation marks "".
You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not
as configured in the rule.
The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to
require certain values for registry key A, registry key B, and NOT the configured value for registry key C, then the
endpoint must have the required values for registry keys A and B and not the configured value for registry key C.
Running Process
OS: Windows, macOS, Linux
In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule
requires that a certain process is not running on the endpoint.
The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to
require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and
process C not running.
Sandbox Detection
OS: Windows, macOS
From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected
malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that
Sandbox did not detect malware on the endpoint in the last seven days.
Security
OS: macOS
Select the checkbox to require that File Vault is enabled on the endpoint. You can also use the NOT option to
indicate that the rule requires that File Vault is disabled on the endpoint.
You can also use the NOT option for the rule to require that the endpoint not have a certain security status.
FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not
support social network login with Salesforce.
User in AD Group
OS: Windows, macOS, Linux
From the AD Group dropdown list, select the desired Active Directory (AD) group. EMS considers the endpoint as
satisfying the rule if the logged-in user belongs to the selected AD group. The rule considers the logged-in user's
group membership, not the computer's attributes.
By default, EMS performs the AD group lookup, which is considered more efficient and prevents the issue where an
endpoint loses all AD-related tags when it goes offline. You can also configure FortiClient to perform the AD group
lookup instead by enabling Evaluate on FortiClient.
In cases where the user/endpoint is a member only of a subgroup or of top-level and sublevel groups, EMS can
apply tags for both levels.
You can use the NOT option to indicate that the rule requires that the logged-in user does not belong to certain AD
groups. You cannot use the NOT option to indicate that the rule requires that the logged-in user does not belong to
any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain.
To use this option, you must configure your domain under Endpoints. See Adding endpoints using an AD domain
server on page 129.
When using a User in AD Group rule, disabling the Windows switch users option is recommended to ensure EMS
applies the AD tag correctly.
Vulnerable Devices
OS: Windows, macOS, Linux
From the Severity Level dropdown list, select the desired range of vulnerability severity levels. If the rule set is
configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of
one of the configured severity levels or higher. You can also use the NOT option to indicate that the rule requires
that the endpoint does not have vulnerabilities of a certain severity level present.
Windows Security
OS: Windows
From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have one
or more of the following applications or configurations enabled:
l Windows Defender: antimalware component of Windows. Scans
You can view all dynamic endpoint groups in Security Posture Tags > Security Posture Tag Monitor. EMS creates
dynamic endpoint groups based on the tag configured for each rule. This page shows endpoints tagged using the
following tag types:
Tag Description
FortiGuard outbreak alert tags See FortiGuard Outbreak Alerts on page 383.
Fabric tags Fabric tags require connection to FortiAnalyzer. See the following process:
1. EMS administrator configures FortiAnalyzer in a System Settings profile. See System Settings on page 338.
2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the profile.
3. FortiClient sends logs to FortiAnalyzer.
4. FortiAnalyzer administrator configures a rule to tag endpoints that have indicators of compromise (IOC).
5. If a log entry received from FortiClient on the FortiAnalyzer matches an IOC, FortiAnalyzer adds a tag to that
endpoint.
6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Security Posture Tag
Monitor. This tag displays as a Fortinet Security Fabric tag in Security Posture Tag Monitor, but the tag displays
under Classification Tags in endpoint details. See Viewing the
The panes at the top show how many tags belong to each tag type. You can click each pane to display only tags that
belong to that tag type.
Refresh Click to refresh the list of tagged endpoints in the content pane.
IP Endpoint's IP address.
Category Type of tag that the endpoint was tagged with. This can be one of the following:
l Zero Trust
l Classification
l Fabric
Tagged on Date and time that EMS added the endpoint to the dynamic endpoint group.
After defining security posture tagging rules in EMS, you can configure FortiOS to receive the dynamic endpoint groups
from EMS using the FortiClient EMS Fabric connector which supports SSL and imports trusted certificates. When a
change to the dynamic endpoint groups occurs, such as an endpoint being added to or removed from a group, EMS
sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly, providing dynamic access control
based on endpoint status.
FortiOS only receives endpoint information and enforces compliance for directly connected
endpoints. Directly connected endpoints are the ones that have FortiGate as the default
gateway.
This feature works for endpoints that are connected to a VPN tunnel as long as they can
access EMS and the FortiOS version is compatible with EMS. See the FortiClient EMS
Compatibility Chart.
FortiOS uses an EMS connector to retrieve security posture tags from EMS. Configuring this feature requires the
following steps:
1. Checking prerequisites on page 379
2. Configuring the EMS connector on page 379:
a. Uploading certificates to EMS and FortiOS on page 379
b. Creating the EMS connector in FortiOS on page 380
c. Authorizing the FortiOS EMS connector in EMS on page 381
d. Verifying the FortiOS-EMS connection in FortiOS on page 381
3. Creating an address group for the security posture tags on page 382
4. Creating a dynamic firewall policy using security posture tags from EMS on page 382
If you configure a connection between EMS and a FortiGate that is part of a Security Fabric
with multiple FortiGates, the root FortiGate can also obtain security posture tags from EMS.
However, the root FortiGate does not have any IP addresses to associate with the received
tags.
Checking prerequisites
You must ensure that the following prerequisites are met before configuring this feature:
l Create security posture tagging rules. See Adding a security posture tagging rule set on page 367.
l After FortiClient connects Telemetry to EMS, confirm that EMS dynamically tags endpoints based on the security
posture tagging rules. See Security Posture Tag Monitor on page 377.
l Export a certificate authority (CA)-signed certificate to upload to FortiOS and a web server certificate to upload to
EMS. For details on configuring a server certificate using the Microsoft Certification Authority Management
Console, see Configure the Server Certificate Template. You can use another CA as desired.
Setting up a secure connection between EMS and FortiOS requires a certificate. Uploading the CA-signed certificate to
FortiOS allows FortiOS to trust the certificate that you configure in EMS.
1. Configure the server certificate in EMS:
a. Go to System Settings > EMS Server Certificates.
b. Click Add.
c. Configure the certificate as desired.
d. Go to System Settings > EMS Settings.
e. Under Shared Settings, from the Webserver certificate dropdown list, select the configured certificate.
f. Click Save.
You can create the EMS connector in the FortiOS GUI or CLI.
8. Click OK.
EMS must authorize the Fabric connector created in FortiOS. Do one of the following:
l Log in to EMS. A prompt displays to authorize the FortiGate. Click Authorize.
l Go to Administration > Fabric Devices. Select the desired FortiGate, then click Authorize.
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. See Fabric Devices on
page 436.
l After EMS authorizes the FortiGate, authorize the connection in the FortiOS CLI by running execute fctems
To create an address group for the security posture tags in the FortiOS CLI:
Creating a dynamic firewall policy using security posture tags from EMS
To create a dynamic firewall policy using security posture tags from EMS:
1. In FortiOS, go to Policy & Objects > Firewall Policy. Click Create new.
2. In the Security posture tag field, click +. The Select Entries pane appears. Under Security Posture Tag, select the
desired tag from EMS.
3. Configure other options as desired. Click OK.
4. Go to Policy & Objects > Firewall Policy to ensure the policy was created. FortiOS updates this policy when it
receives updates from EMS.
On the Fabric Device Monitor page, you can view all FortiGates that are connected to EMS. For information on
connecting a FortiGate to EMS, see FortiOS dynamic policies using EMS dynamic endpoint groups on page 378.
For each connected FortiGate, you can view the following information:
l Serial number
l IP address
l FortiOS version installed
l Last sync time between FortiClient EMS and the FortiGate
l Dynamic endpoint groups shared with the FortiGate and the number of endpoints in each group
FortiClient EMS receives predefined outbreak alert rules from FortiGuard to help protect your network from
vulnerabilities. For example, consider that FortiGuard Labs discovers a zero-day vulnerability in a popular application.
The Fortinet team then creates a new FortiGuard outbreak alert rule, which tags endpoints with that application installed
as vulnerable. After EMS receives this new rule from FortiGuard, you can easily see which endpoints are vulnerable to
the new outbreak.
FortiGuard outbreak alert rules are similar to security posture tagging rules in that you can use the tags to dynamically
group endpoints, and the FortiOS administrator can also use the dynamic endpoint groups to build dynamic policy rules.
See FortiOS dynamic policies using EMS dynamic endpoint groups on page 378.
Unlike security posture tagging rules, you cannot modify or delete FortiGuard outbreak alert rules. You can only enable
or disable them from the FortiGuard Outbreak Alert Rules pane.
You can also view a rule to see its details. In this example, the endpoint only needs to satisfy one of the three criteria to
be eligible for the rule. If EMS does not display the Rule Logic field, the default rule logic is an “or” relationship.
EMS also receives FortiGuard outbreak alert rules that detect common vulnerabilities and exposures on endpoints.
These rules include a description of the vulnerabilities:
You can centrally view a list of software installed on all endpoints. The list includes details for each application such as
vendor and version information. You can view this information by application or vendor on the Applications pane or by
host on the Hosts pane. FortiClient sends installed application information to FortiClient EMS.
EMS sends software inventory logs to FortiAnalyzer for real-time and historic logging and reporting. FortiClient sends the
software inventory information to EMS when it first registers to EMS. If software changes occur on the endpoint, such as
installing new software, updating existing software, or removing existing software, FortiClient sends an updated
inventory to EMS and EMS sends the changes to FortiAnalyzer. See System Settings on page 338.
This feature requires the EPP license. See FortiClient EMS on page 22.
Applications
The FortiClient EMS administrator can view installed application information for all managed endpoints on the
Applications pane.
You can view information about installed applications on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications, a quick status bar, and a toolbar display in the
content pane.
Total Applications Number of applications that have been installed on all managed endpoints. Click to display the list of installed applications.
Total Vendors Number of vendors whose applications have been installed on managed endpoints. Click to display the list of installed applications sorted by vendor.
New Detections Number of applications that have been detected as newly installed since the last Telemetry communication. Click to display newly detected applications sorted by date detected.
PUAs Number of applications that EMS detects as potentially unwanted applications (PUA) based on the PUA signatures that it receives from FortiGuard. Click to display PUAs.
Clear Filters Click to clear all filters applied to the list of files.
First Detected Date the application was first detected as installed on the endpoint.
PUA Category If EMS detects the application as a PUA, this column displays the PUA category that the application belongs to. Otherwise, this column displays N/A. PUA categories are as follows:
l Illegal or unethical
l Cryptomining
l Hacking
l Unpopular
l Phishing
l Malicious
To filter applications:
You can filter the list of applications displayed on the Applications content pane.
1. Go to Software Inventory > Applications. The list of applications displays.
2. You can apply filters by application name, vendor name, and version number. Click the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
You can export software inventory information from EMS as a CSV file. You can use this data for compliance, software
auditing, and so on.
Mode Description
Processed Exports a CSV file for each selected operating system. All CSV files are compressed into a single ZIP file. The CSV files include name, vendor, pua_category_name, and install_count information for applications.
Raw Exports one CSV file for all operating systems. The CSV file includes host, os_type, username, name, vendor, version, install_date, and install_dir application information for each host.
4. If you selected Processed for Export mode, select the desired operating systems for which to export software
inventory information.
5. Click Export. This downloads a file to the device which contains endpoint information in .csv format. The following
shows an example of a processed file:
name,vendor,pua_category_name,install_count
"""ms-resource:AppxManifest_DisplayName""","""Microsoft Corporation""","""""","""4"""
"""WindowsAppRuntime.1.3""","""Microsoft Corporation""","""""","""3"""
"""Narrator""","""Microsoft""","""""","""2"""
"""NcsiUwpApp""","""Microsoft""","""""","""2"""
"""AsyncTextService""","""Microsoft Corporation""","""""","""2"""
"""CapturePicker""","""Microsoft Corporation""","""""","""2"""
"""Cortana""","""Microsoft Corporation""","""""","""2"""
"""ms-resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_OutlookDesktop_DisplayName""","""Microsoft Corporation""","""""","""2"""
"""ms-resource:Common.View.UWP/Resources/StoreAppName""","""Microsoft Corporation""","""""","""2"""
"""ms-resource:LensSDK/Resources/AppStoreName""","""Microsoft Corporation""","""""","""2"""
"""ms-resource:XboxApp.Resource/Resources/App_Title""","""Microsoft Corporation""","""""","""2"""
"""PinningConfirmationDialog""","""Microsoft Corporation""","""""","""2"""
"""WindowsAppRuntime.1.2""","""Microsoft Corporation""","""""","""2"""
"""ms-resource:AppDisplayName""","""ms-resource:PublisherDisplayName""","""""","""2"""
"""ms-resource:DisplayName""","""ms-resource:PublisherDisplayName""","""""","""2"""
"""ms-resource:StartMenuExperienceHost/PkgDisplayName""","""ms-resource:StartMenuExperienceHost/PublisherDisplayName""","""""","""2"""
"""Skype""","""Skype""","""""","""2"""
"""Bilbo""","""WIN64""","""test""","""App Installer""","""Microsoft
Corporation""","""1.19.11071.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""AsyncTextService""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""CapturePicker""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Cortana""","""Microsoft
Corporation""","""4.2204.13303.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.549981C3F5F10_4.2204.13303.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Credential Dialog""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Eye Control""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Feedback Hub""","""Microsoft
Corporation""","""1.2304.1243.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2304.1243.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""FortiClient""","""Fortinet Technologies
Inc""","""7.2.1.0779""","""2023-06-12""","""C:\Program
Files\Fortinet\FortiClient\"""
"""Bilbo""","""WIN64""","""test""","""Get Help""","""Microsoft
Corporation""","""10.2303.10961.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.GetHelp_10.2303.10961.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Google Chrome""","""Google
LLC""","""114.0.5735.198""","""2023-06-26""","""C:\Program
Files\Google\Chrome\Application"""
Corporation""","""1.0.61171.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.61171.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Kits Configuration
Installer""","""Microsoft""","""10.1.19041.685""","""2021-08-06""",""""""
"""Bilbo""","""WIN64""","""test""","""MSN Weather""","""Microsoft
Corporation""","""4.53.51461.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.BingWeather_4.53.51461.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Content""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_
cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Edge
Update""","""""","""1.3.175.29""",NULL,""""""
Runtime""","""Microsoft Corporation""","""114.0.1823.58""","""2023-06-
26""","""C:\Program Files (x86)\Microsoft\EdgeWebView\Application"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Edge""","""Microsoft
Corporation""","""114.0.1823.58""","""2023-06-26""","""C:\Program
Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_114.0.1823.58_neutral__
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Edge""","""Microsoft
Corporation""","""44.19041.1266.0""","""2022-03-
02""","""C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Pay""","""Microsoft
Corporation""","""2.4.18324.0""","""2019-12-07""","""C:\Program
Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft People""","""Microsoft
Corporation""","""10.2202.31.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.People_10.2202.31.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Photos""","""Microsoft
Corporation""","""2023.10030.27002.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.Windows.Photos_2023.10030.27002.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Store""","""Microsoft
Corporation""","""22305.1401.1.0""","""2023-06-23""","""C:\Program
Files\WindowsApps\Microsoft.WindowsStore_22305.1401.1.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft Tips""","""Microsoft
Corporation""","""10.2303.3.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.Getstarted_10.2303.3.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.0""","""Microsoft
Platform Extensions""","""2.1810.18004.0""","""2019-12-07""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.1""","""Microsoft
Platform Extensions""","""2.11906.6001.0""","""2021-08-06""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.1_2.11906.6001.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.3""","""Microsoft
Platform Extensions""","""2.32002.13001.0""","""2021-08-06""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.3_2.32002.13001.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.4""","""Microsoft
Platform Extensions""","""2.42007.9001.0""","""2021-07-08""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.7""","""Microsoft
Platform Extensions""","""7.2208.15002.0""","""2023-04-27""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.7_7.2208.15002.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Microsoft.UI.Xaml.2.8""","""Microsoft
Platform Extensions""","""8.2305.5001.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.8_8.2305.5001.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Narrator""","""Microsoft""","""10.0.19041.102
3""","""2021-08-
06""","""C:\Windows\SystemApps\microsoft.windows.narratorquickstart_
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""NcsiUwpApp""","""Microsoft""","""1000.19041.1
023.0""","""2021-08-06""","""C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Paint 3D""","""Microsoft
Corporation""","""6.2203.1037.0""","""2022-04-27""","""C:\Program
Files\WindowsApps\Microsoft.MSPaint_6.2203.1037.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Phone Link""","""Microsoft
Corporation""","""1.23052.121.0""","""2023-06-27""","""C:\Program
Files\WindowsApps\Microsoft.YourPhone_1.23052.121.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""PinningConfirmationDialog""","""Microsoft
Corporation""","""1000.19041.1023.0""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_
cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""SDK Debuggers""","""Microsoft
Corporation""","""10.1.19041.685""","""2021-08-06""",""""""
"""Bilbo""","""WIN64""","""test""","""Skype""","""Skype""","""15.99.3202.0""","""20
23-06-23""","""C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3202.0_x64__
kzf8qxf38zg5c"""
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Spotify Music""","""Spotify
AB""","""1.214.1149.0""","""2023-06-23""","""C:\Program
Files\WindowsApps\SpotifyAB.SpotifyMusic_1.214.1149.0_x86__zpdnekdrzrea0"""
"""Bilbo""","""WIN64""","""test""","""Take a Test""","""Microsoft
Corporation""","""10.0.19041.2311""","""2023-04-
12""","""C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_
cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""UDK Package""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Windows Calculator""","""Microsoft
Corporation""","""11.2210.0.0""","""2023-04-27""","""C:\Program
Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Windows Clock""","""Microsoft
Corporation""","""11.2304.0.0""","""2023-06-21""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAlarms_11.2304.0.0_x64__8wekyb3d8bbwe"""
06""","""C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Windows Maps""","""Microsoft
Corporation""","""11.2303.5.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.WindowsMaps_11.2303.5.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Windows Print""","""Microsoft
Corporation""","""6.2.1.0""","""2021-08-06""","""C:\Windows\PrintDialog"""
"""Bilbo""","""WIN64""","""test""","""Windows Search""","""Microsoft
Corporation""","""1.14.10.19041""","""2023-06-
13""","""C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""Windows Security""","""Microsoft
Corporation""","""10.0.19041.1865""","""2023-04-
12""","""C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""WindowsAppRuntime.1.2""","""Microsoft
Corporation""","""2000.802.31.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""WindowsAppRuntime.1.3""","""Microsoft
Corporation""","""3000.851.1712.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAppRuntime.1.3_3000.851.1712.0_x64__
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""WindowsAppRuntime.1.3""","""Microsoft
Corporation""","""3000.882.2207.0""","""2023-06-16""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAppRuntime.1.3_3000.882.2207.0_x64__
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""Xbox TCUI""","""Microsoft
Corporation""","""1.24.10001.0""","""2021-06-04""","""C:\Program
Files\WindowsApps\Microsoft.Xbox.TCUI_1.24.10001.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""ms-
resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_
OutlookDesktop_DisplayName""","""Microsoft
Corporation""","""16005.14326.21490.0""","""2023-06-27""","""C:\Program
Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21490.0_x64__
8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""ms-resource:AppDisplayName""","""ms-
resource:PublisherDisplayName""","""1000.19041.1023.0""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""ms-resource:AppxManifest_
DisplayName""","""Microsoft Corporation""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""ms-resource:AppxManifest_
DisplayName""","""Microsoft Corporation""","""10.0.19041.1949""","""2023-04-
12""","""C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""ms-
resource:Common.View.UWP/Resources/StoreAppName""","""Microsoft
Corporation""","""7.2211.24012.0""","""2023-04-27""","""C:\Program
Files\WindowsApps\Microsoft.Microsoft3DViewer_7.2211.24012.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""ms-resource:DisplayName""","""ms-
resource:PublisherDisplayName""","""10.0.19041.1023""","""2021-08-
06""","""C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""ms-
resource:LensSDK/Resources/AppStoreName""","""Microsoft
Corporation""","""2023.2304.11.0""","""2023-06-12""","""C:\Program
Files\WindowsApps\Microsoft.WindowsCamera_2023.2304.11.0_x64__8wekyb3d8bbwe"""
"""Bilbo""","""WIN64""","""test""","""ms-
resource:StartMenuExperienceHost/PkgDisplayName""","""ms-
resource:StartMenuExperienceHost/PublisherDisplayName""","""10.0.19041.1023""","""2
021-08-06""","""C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_
cw5n1h2txyewy"""
"""Bilbo""","""WIN64""","""test""","""ms-resource:XboxApp.Resource/Resources/App_
Title""","""Microsoft Corporation""","""48.89.25001.0""","""2023-06-
12""","""C:\Program Files\WindowsApps\Microsoft.XboxApp_48.89.25001.0_x64__
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""App Installer""","""Microsoft
Corporation""","""1.19.11071.0""","""2023-06-15""","""C:\Program
Files\WindowsApps\Microsoft.DesktopAppInstaller_1.19.11071.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""AsyncTextService""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""CapturePicker""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Cortana""","""Microsoft
Corporation""","""4.2204.13303.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.549981C3F5F10_4.2204.13303.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Credential Dialog""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Eye Control""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Feedback Hub""","""Microsoft
Corporation""","""1.2304.1243.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2304.1243.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""FortiClient""","""Fortinet Technologies
Inc""","""7.2.0.0690""","""2023-06-12""","""C:\Program
Files\Fortinet\FortiClient\"""
"""Boromir""","""WIN32""","""brando""","""Get Help""","""Microsoft
Corporation""","""10.2303.10961.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.GetHelp_10.2303.10961.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Google Chrome""","""Google
LLC""","""114.0.5735.135""","""2023-06-26""","""C:\Program
Files\Google\Chrome\Application"""
"""Boromir""","""WIN32""","""brando""","""MSN Weather""","""Microsoft
Corporation""","""4.53.51461.0""","""2023-06-15""","""C:\Program
Files\WindowsApps\Microsoft.BingWeather_4.53.51461.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Content""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_
cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Edge
Update""","""""","""1.3.175.29""",NULL,""""""
"""Boromir""","""WIN32""","""brando""","""Microsoft Edge""","""Microsoft
Corporation""","""114.0.1823.58""","""2023-06-26""","""C:\Program
Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_114.0.1823.58_neutral__
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Edge""","""Microsoft
Corporation""","""44.19041.1266.0""","""2022-03-
02""","""C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Pay""","""Microsoft
Corporation""","""2.4.18324.0""","""2019-12-07""","""C:\Program
Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft People""","""Microsoft
Corporation""","""10.2202.31.0""","""2023-06-15""","""C:\Program
Files\WindowsApps\Microsoft.People_10.2202.31.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Photos""","""Microsoft
Corporation""","""2023.10030.27002.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.Windows.Photos_2023.10030.27002.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Store""","""Microsoft
Corporation""","""22305.1401.1.0""","""2023-06-23""","""C:\Program
Files\WindowsApps\Microsoft.WindowsStore_22305.1401.1.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft Tips""","""Microsoft
Corporation""","""10.2303.3.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.Getstarted_10.2303.3.0_x86__8wekyb3d8bbwe"""
Tools""","""Microsoft Corporation""","""3.72.0.0""","""2023-05-10""",""""""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.0""","""Microsoft
Platform Extensions""","""2.1810.18004.0""","""2019-12-07""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.1""","""Microsoft
Platform Extensions""","""2.11906.6001.0""","""2021-06-04""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.1_2.11906.6001.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.3""","""Microsoft
Platform Extensions""","""2.32002.13001.0""","""2021-09-23""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.3_2.32002.13001.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.4""","""Microsoft
Platform Extensions""","""2.42007.9001.0""","""2021-06-04""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.4_2.42007.9001.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.7""","""Microsoft
Platform Extensions""","""7.2208.15002.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.7_7.2208.15002.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Microsoft.UI.Xaml.2.8""","""Microsoft
Platform Extensions""","""8.2305.5001.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.UI.Xaml.2.8_8.2305.5001.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Narrator""","""Microsoft""","""10.0.19041
.1023""","""2021-11-
26""","""C:\Windows\SystemApps\microsoft.windows.narratorquickstart_
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""NcsiUwpApp""","""Microsoft""","""1000.190
41.1023.0""","""2021-11-26""","""C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Paint 3D""","""Microsoft
Corporation""","""6.2305.16087.0""","""2023-06-23""","""C:\Program
Files\WindowsApps\Microsoft.MSPaint_6.2305.16087.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Phone Link""","""Microsoft
Corporation""","""1.23052.121.0""","""2023-06-27""","""C:\Program
Files\WindowsApps\Microsoft.YourPhone_1.23052.121.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""PinningConfirmationDialog""","""Microsoft
Corporation""","""1000.19041.1023.0""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_
cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Skype""","""Skype""","""15.99.3202.0""","
""2023-06-26""","""C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.99.3202.0_
x86__kzf8qxf38zg5c"""
"""Boromir""","""WIN32""","""brando""","""Take a Test""","""Microsoft
Corporation""","""10.0.19041.2311""","""2023-05-
10""","""C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_
cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""UDK Package""","""Microsoft
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Windows Calculator""","""Microsoft
Corporation""","""11.2210.0.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Windows Clock""","""Microsoft
Corporation""","""11.2304.0.0""","""2023-06-21""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAlarms_11.2304.0.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Windows Defender
SmartScreen""","""Microsoft Corporation""","""1000.19041.1023.0""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy"""
Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Windows Maps""","""Microsoft
Corporation""","""11.2303.5.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.WindowsMaps_11.2303.5.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Windows Print""","""Microsoft
Corporation""","""6.2.1.0""","""2021-11-26""","""C:\Windows\PrintDialog"""
"""Boromir""","""WIN32""","""brando""","""Windows Search""","""Microsoft
Corporation""","""1.14.10.19041""","""2023-06-
15""","""C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""Windows Security""","""Microsoft
Corporation""","""10.0.19041.1865""","""2022-09-
06""","""C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""WindowsAppRuntime.1.2""","""Microsoft
Corporation""","""2000.802.31.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""WindowsAppRuntime.1.3""","""Microsoft
Corporation""","""3000.882.2207.0""","""2023-06-19""","""C:\Program
Files\WindowsApps\Microsoft.WindowsAppRuntime.1.3_3000.882.2207.0_x86__
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""Xbox TCUI""","""Microsoft
Corporation""","""1.24.10001.0""","""2021-06-04""","""C:\Program
Files\WindowsApps\Microsoft.Xbox.TCUI_1.24.10001.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""ms-
resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_
OutlookDesktop_DisplayName""","""Microsoft
Corporation""","""16005.14326.21490.0""","""2023-06-27""","""C:\Program
Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21490.0_x86__
8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""ms-resource:AppDisplayName""","""ms-
resource:PublisherDisplayName""","""1000.19041.1023.0""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""ms-resource:AppxManifest_
DisplayName""","""Microsoft Corporation""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""ms-resource:AppxManifest_
DisplayName""","""Microsoft Corporation""","""10.0.19041.1949""","""2023-05-
10""","""C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""ms-
resource:Common.View.UWP/Resources/StoreAppName""","""Microsoft
Corporation""","""7.2211.24012.0""","""2023-05-09""","""C:\Program
Files\WindowsApps\Microsoft.Microsoft3DViewer_7.2211.24012.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""ms-resource:DisplayName""","""ms-
resource:PublisherDisplayName""","""10.0.19041.1023""","""2021-11-
26""","""C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""ms-
resource:LensSDK/Resources/AppStoreName""","""Microsoft
Corporation""","""2023.2304.11.0""","""2023-06-15""","""C:\Program
Files\WindowsApps\Microsoft.WindowsCamera_2023.2304.11.0_x86__8wekyb3d8bbwe"""
"""Boromir""","""WIN32""","""brando""","""ms-
resource:StartMenuExperienceHost/PkgDisplayName""","""ms-
resource:StartMenuExperienceHost/PublisherDisplayName""","""10.0.19041.1023""","""2
021-11-26""","""C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_
cw5n1h2txyewy"""
"""Boromir""","""WIN32""","""brando""","""ms-
resource:XboxApp.Resource/Resources/App_Title""","""Microsoft
Corporation""","""48.89.25001.0""","""2022-07-05""","""C:\Program
Files\WindowsApps\Microsoft.XboxApp_48.89.25001.0_x86__8wekyb3d8bbwe"""
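The export above is ordinary CSV in which every field is itself a quoted string, so each value appears on disk as """value""". The following is an added example, not Fortinet's code: a parser for that layout, plus a small check that finds hosts lagging behind on a shared component. The column names are an assumption (the header row is not shown above), and the "Gimli"/"gloin" host and the 3000.851.1712.0 version in the sample rows are constructed.

```python
import csv
from datetime import date

# Assumed column order for the export; the header row is not shown on this page.
COLUMNS = ["hostname", "os", "user", "application", "vendor",
           "version", "install_date", "path"]

# Constructed sample records in the same shape as the export above, one record
# per line. The "Gimli"/"gloin" row and its 3000.851.1712.0 version are made up.
SAMPLE_EXPORT = [
    r'"""Boromir""","""WIN32""","""brando""","""Xbox TCUI""","""Microsoft Corporation""","""1.24.10001.0""","""2021-06-04""","""C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.24.10001.0_x86__8wekyb3d8bbwe"""',
    r'"""Boromir""","""WIN32""","""brando""","""ms-resource:AppxManifest_DisplayName""","""Microsoft Corporation""","""10.0.19041.1949""","""2023-05-10""","""C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy"""',
    r'"""Boromir""","""WIN32""","""brando""","""WindowsAppRuntime.1.3""","""Microsoft Corporation""","""3000.882.2207.0""","""2023-06-19""","""C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.3_3000.882.2207.0_x86__8wekyb3d8bbwe"""',
    r'"""Gimli""","""WIN32""","""gloin""","""WindowsAppRuntime.1.3""","""Microsoft Corporation""","""3000.851.1712.0""","""2023-04-02""","""C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.3_3000.851.1712.0_x86__8wekyb3d8bbwe"""',
]


def unquote(field):
    # csv.reader has already reduced """x""" to "x"; strip the remaining pair.
    if len(field) >= 2 and field.startswith('"') and field.endswith('"'):
        return field[1:-1]
    return field


def parse_export(lines):
    """Parse export lines into dicts keyed by COLUMNS; install_date becomes a date."""
    records = []
    for row in csv.reader(lines):
        if len(row) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(row)}: {row!r}")
        rec = dict(zip(COLUMNS, map(unquote, row)))
        rec["install_date"] = date.fromisoformat(rec["install_date"])
        records.append(rec)
    return records


def app_identity(rec):
    # Store and system apps often export an unresolved "ms-resource:" key instead
    # of a display name. Fall back to the package folder name (the part before
    # the first "_" of the last path component) so the record stays attributable.
    name = rec["application"]
    if name.startswith("ms-resource"):
        folder = rec["path"].rsplit("\\", 1)[-1]
        return folder.split("_", 1)[0]
    return name


def version_key(version):
    # Compare dotted versions numerically, not as strings.
    return tuple(int(part) for part in version.split("."))


def versions_by_app(records):
    """app identity -> {version -> set of hostnames}"""
    index = {}
    for rec in records:
        by_version = index.setdefault(app_identity(rec), {})
        by_version.setdefault(rec["version"], set()).add(rec["hostname"])
    return index


def newest_version(records, app):
    versions = versions_by_app(records).get(app, {})
    return max(versions, key=version_key) if versions else None


def hosts_behind(records, app):
    """Hosts still carrying an older build of `app` than the newest one seen."""
    newest = newest_version(records, app)
    return sorted(host
                  for version, hosts in versions_by_app(records).get(app, {}).items()
                  if version != newest
                  for host in hosts)


if __name__ == "__main__":
    inventory = parse_export(SAMPLE_EXPORT)
    for rec in inventory:
        print(rec["hostname"], app_identity(rec), rec["version"], rec["install_date"])
    print("behind on WindowsAppRuntime.1.3:", hosts_behind(inventory, "WindowsAppRuntime.1.3"))
```

Reading the file with `csv.reader` and then stripping one more quote pair is deliberate: letting the standard parser handle the doubled quotes avoids hand-written quote handling that breaks on commas inside display names.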
Hosts
The FortiClient EMS administrator can view installed application information for all managed endpoints by host on the
Hosts pane.
You can view information about installed applications by host on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts, a quick status bar, and a toolbar display in the content pane.
Applications Number of applications that have been installed on all managed endpoints.
View Details Displays list of software installed on the selected endpoint. For details on the
application list headings, see To view the Applications content pane: on page 385.
Clear Filters Click to clear all filters applied to the list of files.
Host Hostname.
Last Installation Date of the most recent application installation on the endpoint.
To filter hosts:
You can filter the list of hosts displayed on the Hosts content pane.
1. Go to Software Inventory > Hosts. The list of hosts displays.
2. You can apply filters by hostname, user name, OS name, and IP address. Click the filter icon beside the desired
heading. Enter the value to include in the filter. You can toggle the All/Any/Not button for the following options:
l All: Display all files that match the set filter.
l Not: Display only files that do not match the set filter.
3. To remove a filter, click the X icon beside the filter. To remove all filters, click the Clear Filters icon on the toolbar.
To filter the list of applications installed on an endpoint, select the endpoint and click View
Details. See To filter applications: on page 386 for details on filtering the list of applications.
Quarantine Management
You can view and allowlist files that FortiSandbox or AV has quarantined from a central management Files pane. You
can also view and delete allowlisted files from the Allowlist pane.
Files
FortiClient sends quarantined file information to FortiClient EMS. The FortiClient EMS administrator can view
quarantined file information for all managed endpoints on the Files pane and allowlist files from FortiClient EMS if
needed.
After FortiClient quarantines files on endpoints and sends the quarantined file information to FortiClient EMS, you can
view the list of quarantined files on the Files pane. You can also view details about each quarantined file and use filters to
access quarantined files with specific qualities.
You can view information about quarantined files on the Files content pane.
1. Go to Quarantine Management > Files. The list of quarantined files, a quick status bar, and a toolbar display in the
content pane.
Quarantined Files Number of files that FortiClient has quarantined on endpoints. Click to display the list
of quarantined files.
Restored Files Number of files that have been restored on endpoints. Click to display the list of
restored files.
Affected Hosts Number of hosts where FortiClient has quarantined files. Click to display the list of
quarantined files sorted by hostname.
New Detections Number of new detections. Click to display the list of newly detected threats sorted by
date detected.
Display by Select to display the list of files by instance, host, threat, or date.
Search All Fields Enter a value and press Enter to search for the value in the list of files.
Filters Click to display and hide filters you can use to filter the list of files.
Clear Filters Click to clear all filters applied to the list of files.
Host Hostname of the endpoint. Also shows the group the endpoint belongs to.
Source Scan that quarantined the file:
l Email Scan
l Startup Scan
l Manual Scan
l Realtime Scan
l Sandbox Scan
Status Status of the file: Quarantined, Quarantined & Allowlisted, Restored, or Deleted. Also
shows the time that FortiClient quarantined the file.
Summary Displays the number of threat instances and number of affected hosts.
You can filter the list of files displayed on the Files content pane.
1. Go to Quarantine Management > Files. The list of files displays.
2. Click the Filters menu, and set filters.
The filter options display.
For text values, you can use a comma (,) to separate values and an exclamation mark (!) to exclude a value.
Threat Enter the threat(s) to include in the filter. You can also select the desired
threat(s) from the dropdown list.
Source Enter the source(s) to include in the filter. You can also select the desired
source(s) from the dropdown list.
Status Enter the status(es) to include in the filter. You can also select the desired
status(es) from the dropdown list.
Host Enter the host(s) to include in the filter. You can also select the desired host
(s) from the dropdown list.
Group Enter the endpoint group(s) to include in the filter. You can also select the
desired group(s) from the dropdown list.
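The filter syntax described above (comma-separated values, exclamation mark to exclude) and the Summary column are small enough to model exactly. The following is an added example, not part of the guide or of EMS itself; it applies that syntax to a set of constructed quarantine records (hostnames, groups and threat names are made up) and assumes matching is exact but case-insensitive, which the page does not state.

```python
# Source and Status values as listed on the Files pane.
SOURCES = {"Email Scan", "Startup Scan", "Manual Scan", "Realtime Scan", "Sandbox Scan"}
STATUSES = {"Quarantined", "Quarantined & Allowlisted", "Restored", "Deleted"}

# Constructed quarantine records; hostnames, groups and threat names are made up.
FILES = [
    {"threat": "EICAR_TEST_FILE", "source": "Realtime Scan", "status": "Quarantined",
     "host": "Boromir", "group": "Finance"},
    {"threat": "EICAR_TEST_FILE", "source": "Email Scan", "status": "Restored",
     "host": "Boromir", "group": "Finance"},
    {"threat": "Sample/Constructed.A", "source": "Sandbox Scan",
     "status": "Quarantined & Allowlisted", "host": "Gimli", "group": "Engineering"},
    {"threat": "EICAR_TEST_FILE", "source": "Manual Scan", "status": "Quarantined",
     "host": "Legolas", "group": "Engineering"},
    {"threat": "Sample/Constructed.A", "source": "Sandbox Scan", "status": "Deleted",
     "host": "Gimli", "group": "Engineering"},
]


def parse_filter(text):
    """'a,b,!c' -> (include {a, b}, exclude {c}).

    Comparison is exact but case-insensitive (an assumption; the page only
    documents the comma and exclamation mark)."""
    include, exclude = set(), set()
    for raw in text.split(","):
        term = raw.strip()
        if not term:
            continue
        if term.startswith("!"):
            exclude.add(term[1:].strip().casefold())
        else:
            include.add(term.casefold())
    return include, exclude


def matches(value, include, exclude):
    # Exclusions win; an empty include set means "anything not excluded".
    v = value.casefold()
    if v in exclude:
        return False
    return not include or v in include


def apply_filters(files, filters):
    """filters: {"status": "Quarantined,!Restored", "group": "Engineering", ...}"""
    parsed = {field: parse_filter(text) for field, text in filters.items()}
    return [f for f in files
            if all(matches(f[field], inc, exc) for field, (inc, exc) in parsed.items())]


def summary(files):
    # What the Summary column shows: threat instances and distinct affected hosts.
    return {"instances": len(files), "affected_hosts": len({f["host"] for f in files})}


def display_by(files, key):
    """Group records the way the Display by selector does (host, threat, status, ...)."""
    groups = {}
    for f in files:
        groups.setdefault(f[key], []).append(f)
    return {k: summary(v) for k, v in groups.items()}


if __name__ == "__main__":
    still_quarantined = apply_filters(FILES, {"status": "Quarantined,!Restored"})
    print(len(still_quarantined), "still quarantined;", summary(FILES))
    print(display_by(FILES, "host"))
```

Note that "Quarantined" does not match "Quarantined & Allowlisted": the filter is a value match, not a substring match, so allowlisted files must be named explicitly if you want them included.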
You can allowlist and restore quarantined files. This releases the files from quarantine and makes them accessible on
the endpoint with the next Telemetry communication between FortiClient EMS and FortiClient.
You can configure EMS to delete quarantine records after a configured number of days.
You cannot use EMS to delete quarantined files from endpoints. To configure EMS to delete quarantined files from an
endpoint after a specified duration, configure the <cullage> XML option.
EMS deletes the quarantine record 180 days after the file was last updated.
Allowlist
You can view the list of allowlisted files in the Allowlist pane. You can also view details about each allowlisted file and use
filters to access allowlisted files with specific qualities:
Go to Quarantine Management > Allowlist. The list of allowlisted files and a toolbar display in the content pane.
Clear Filters Click to clear all filters applied to the list of files.
Advanced Information Click to view the FortiSandbox and AV signature and engine versions.
l Not: Display only files that do not match the set filter.
You can edit an allowlisted file's description. By default, the file description is blank.
You can delete files from the allowlist. This reverts the file's status to quarantined on the endpoint with the next Telemetry
communication.
Admin Users
This section describes how to configure Windows and LDAP users, create new user accounts, and activate disabled
user accounts:
Viewing users
You can view the default admin user and all users added to FortiClient EMS.
Go to Administration > Admin Users. The following information displays:
admin user.
l Windows: User accounts derived from Windows user accounts on the host
server.
l LDAP: User accounts derived from users belonging to a configured AD
domain.
l EMS: User accounts created in FortiClient EMS.
Role Admin role assigned to the user. See Admin roles on page 420.
Last login or activation Date and time of the user's last login or activation. Also shows if the account has
been disabled due to inactivity. See Activating a disabled account on page 417.
You can configure Windows and LDAP users to have no access or administrator access to FortiClient EMS. You can
also create a new user account in EMS.
EMS derives the Windows users from the host server that it is installed on. To add more Windows users, you must add
them to the host server. EMS derives the list of LDAP users from those in the Active Directory (AD) domain imported into
FortiClient EMS. If you want to add more LDAP users, they must already exist in the AD domain configured as the user
server.
Option Description
Role Select the desired admin role for this user. See Admin roles on page 420.
Domain Access Select or add access to a domain for the user. If desired, enable Allow all domains to allow this user access to all domains connected to EMS.
Restrict Login to Trusted Hosts When this option is enabled, users can only log into this account from a trusted host machine. In the Trusted Hosts field, enter a trusted host machine's IP address. Use the + button to add multiple trusted host machines.
7. Click Save.
When an admin user from an AD domain logs into EMS, they must provide the domain name
as part of their username to log in successfully. For example, if the domain name is "example-
domain" and the username is "admin", the user must enter "example-domain/admin" when
logging into EMS.
FortiClient EMS disables user accounts that have been inactive for the period configured in Admin User Settings >
Allowed inactive days. See Configuring Admin User Settings on page 436.
When EMS disables an account, the user cannot log into FortiClient EMS and sees an error message that reads "Your
account has been disabled due to inactivity. Please contact an EMS admin for assistance."
A FortiClient EMS super administrator can activate the disabled account. After the super administrator activates the
account, the user can log in as usual.
The built-in admin user account is always active. The Allowed inactive days setting does not
affect the admin account.
1. Go to Administration > Admin Users. EMS shows the deactivated user with a lock icon beside their name. Last login
or activation shows that EMS has disabled the account.
2. Click Activate. The user's status updates and they can log in as usual.
A global super administrator can reset the password for EMS local administrators from the EMS GUI. When multitenancy
is enabled, this option is only available in the global site.
If the EMS built-in administrator password is forgotten, a super administrator cannot access EMS. In this case, you can
use the PasswordRecovery tool.
Admin roles
You can use admin roles to define the permissions each administrator account has in FortiClient EMS. You can use a
default admin role in FortiClient EMS or create a new admin role to assign to an administrator account. Each admin role
can include permissions from the following categories: endpoint, policy, and settings.
The following describes the default admin roles in FortiClient EMS. You cannot edit or delete these admin roles:
Name Description
Super administrator Most privileged admin role. Complete access to all FortiClient EMS permissions,
including modification, user permissions, approval, discovery, and deployment.
Only built-in role that has access to the Administration section of the GUI. Has
access to all configured Windows and LDAP servers and users and authority to
configure user privileges and permissions.
The default admin account is a super administrator. You cannot assign another
admin role to the admin account.
Standard administrator Includes all endpoint and policy permissions and read-only permissions to
settings permissions.
Endpoint administrator Includes all endpoint permissions and read-only permissions to policy and
settings permissions.
Read-only administrator Includes read-only permissions to endpoint, policy, and settings permissions.
For admin roles that are not authorized for certain tasks or devices, EMS hides or disables the related menu items, items
in content pages, and buttons.
The following tables list the permissions available when configuring an admin role. The tables also include a description
of what the permission allows the user to do and a link to the relevant section in this guide.
Permissions that apply to Chromebook management are denoted with an asterisk (*).
Endpoint permissions
Manage custom groups Create, rename, and edit endpoint groups. See Managing
groups on page 128.
Manage and assign endpoint policies See Endpoint Policy & Components on page 175.
View group assignment rules View group assignment rules. See Group assignment rules
on page 157.
Manage group assignment rules Create, delete, and edit group assignment rules. See Group
assignment rules on page 157.
View endpoint filter bookmarks View endpoint filter bookmarks. See Using bookmarks to
filter the list of endpoints on page 142.
Manage endpoint filter bookmarks Create, delete, and edit endpoint filter bookmarks. See
Using bookmarks to filter the list of endpoints on page 142.
View quarantine management View lists of quarantined and allowlisted files. See
Quarantine Management on page 411.
Manage quarantine management Allowlist and restore quarantined files and remove files from
the allowlist. See Quarantine Management on page 411.
Policy permissions
View endpoint policies* View endpoint policies. See Endpoint Policy & Components on page 175.
View endpoint profiles* View endpoint profiles. See Endpoint Profiles on page 189.
Manage endpoint profiles* Create, delete, and edit endpoint profiles. See Endpoint Profiles on page 189.
View Security Posture tagging rules View security posture tagging rules. See Security Posture Tagging Rules on page 367.
Manage Security Posture tagging rules Create, delete, and edit security posture tagging rules. See Security Posture Tagging Rules on page 367.
Manage installers Create, delete, and edit installers. See FortiClient Installer on page 169.
Manage CA certificates Upload, import, and delete CA certificates. See CA Certificates on page 181.
View on-fabric detection rules View on-fabric detection rules. See On-fabric Detection Rules on page 183.
Manage on-fabric detection rules Create, delete, and edit on-fabric detection rules. See On-fabric Detection Rules on page 183.
Setting permissions
View server settings* View Server settings. See Configuring EMS settings on page 472.
Manage server settings* Modify Server settings. See Configuring EMS settings on page 472.
View Fortinet services settings View FortiGuard Services settings. See Configuring FortiGuard Services settings on page 484.
Manage Fortinet services settings Modify FortiGuard Services settings. See Configuring FortiGuard Services settings on page 484.
View endpoint settings View Endpoints settings. See Configuring EMS settings on page 472.
Manage endpoint settings Modify Endpoints settings. See Configuring EMS settings on page 472.
View login banner settings* View login banner settings. See Configuring EMS settings on page 472.
Manage login banner settings* Modify login banner settings. See Configuring EMS settings on page 472.
View custom message settings View endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 492.
Manage custom message settings Modify endpoint quarantine message settings. See Customizing the endpoint quarantine message on page 492.
View feature select settings View feature select settings. See Feature Select on page 494.
Manage feature select settings Modify feature select settings. See Feature Select on page 494.
Authentication Servers
You can manually import endpoints from an Active Directory Domain Services (ADDS) server. You can import and
synchronize information about computer accounts with an LDAP or LDAPS service. You can add endpoints by
identifying endpoints that are part of an AD domain server.
The LDAP connection is read-only.
You can add the entire domain or an organization unit (OU) from the domain.
EMS does not support importing subdomains if you have already imported the parent domain
into EMS.
IP address/Hostname Enter the domain server IP address or hostname or the domain FQDN.
Certificate hostname check When enabled, EMS checks if the provided certificate's common name (CN)
matches the CN of the certificate that the LDAPS connection provides.
Use Connector If desired, enable this option to configure an AD connector to act as a proxy
between EMS and the AD server. See AD connector on page 432.
After importing endpoints from an AD server, you can move them to custom created groups.
These groups are not seen in AD and EMS does not have the ability to modify the AD server in
any way. See Managing groups on page 128.
You can integrate Microsoft Entra ID with on-premise EMS and FortiClient Cloud.
FortiClient (macOS) does not support Entra ID integration with EMS.
1. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
2. Click Create your own application.
3. In the What's the name of your app? field, enter the desired name.
4. Under What are you looking to do with your application?, select Register an application to integrate with Azure AD
(App you're developing).
5. Click Create.
To add Microsoft Graph API application permissions required for searching user groups:
1. In the left menu, click App registrations, then click the All applications tab.
2. Click your FortiClient enterprise application.
3. In the left menu, click API permissions, and click Add a permission.
4. In the Request API permissions slide-in, click Microsoft Graph.
5. Select Application permissions.
6. In the Select permissions section, search for and select the following permissions:
l Device.Read.All
l Domain.Read.All
l Group.Read.All
l GroupMember.Read.All
l User.Read
l User.Read.All
8. In the API permissions page, click Grant admin consent for Default Directory. If this option is grayed out, you must
log into an Azure admin account to perform this step.
1. In the left menu, click App registrations, then click the All applications tab.
2. Click your FortiClient enterprise application.
3. In the left menu, click Certificates & secrets, and click New client secret.
4. In the Add a Client Secret slide-in, add a Description and select the desired Expires option. Click Add.
5. Observe that a new client secret has been created. Immediately after creation, copy the Value of the client secret
string, which EMS uses as the Azure Client Secret. This value is not visible after this initial creation step and moving
to another page.
h. Click Test.
7. Enable Import as Base Group for the desired groups, then click Save.
Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and
does not preserve the hierarchy from the AD server.
When using user management, Entra ID users can register their FortiClient to EMS using an invitation code or with
SAML.
This is necessary for registering an Entra ID endpoint to EMS using an invitation code. This only applies to Entra ID-
joined endpoints.
1. Configure the redirect URL:
a. In the Azure portal, go to App registration. Copy the application/client ID of the application used to connect with
EMS.
b. Click the application, then click the Redirect URIs link.
c. Click Add a Platform > Select Mobile and Desktop applications.
d. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
e. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
f. Save the configuration.
2. Go to Roles and administrators.
3. Search for and select Directory Readers.
4. Click Add assignments.
5. Select the application used to connect with EMS.
6. Add desired users to the application in Entra ID:
a. Go to Enterprise applications, and select the application used to connect with EMS.
b. Go to Users and groups.
c. Click Add user/group, and select the users that you will invite to EMS using an invitation code.
9. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient registers to
EMS as the logged-in Entra ID user without additional prompts.
You must copy some values from the Azure portal to EMS and other values from EMS to the Azure portal to complete the
configuration.
1. In EMS, create a SAML configuration:
a. In EMS, go to User Management > SAML Configuration.
b. Click Add.
c. For Authorization Type, select LDAP.
d. From the Domain dropdown list, select the Entra ID server.
e. In this configuration, EMS acts as the service provider, while the Entra ID server is the identity provider. In the
SP Address field, enter the EMS IP address or FQDN. You can also use the Use Current URL button to
populate the field.
2. In Azure, add and configure the Entra ID SAML Toolkit:
a. Go to Enterprise applications, then click New application.
b. Search for and select Microsoft Entra SAML Toolkit.
c. Configure a name for the toolkit as desired, then click Create.
d. Click into the toolkit, select Single sign-on, then SAML.
e. Under Basic SAML Configuration, click Edit.
f. Copy the values from EMS in User Management > SAML Configuration > Service Provider Settings to the
Azure portal. This table maps the EMS SAML fields that you must copy from EMS and configure in Entra ID.
Configure as the table summarizes, then click Save.
5. In Azure, go to Users and groups. Add users to the list as desired. Azure authorizes any user added to this list to
connect to EMS.
6. Configure the invitation in EMS:
a. In the top banner, click Invitations.
b. Click Add.
c. For Verification Type, select SAML.
d. From the SAML Config dropdown list, select the SAML configuration.
e. Configure other settings as desired, then click Save.
7. You can authenticate the endpoint using Entra ID by doing one of the following:
a. To join the device to the Entra ID server, do the following:
i. On the endpoint, go to Settings > Accounts.
ii. Under Access work or school, click Connect.
iii. Log in as an Entra ID user.
iv. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient
registers to EMS as the logged-in Entra ID user without additional prompts.
b. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust
Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter
the Entra ID user credentials to authenticate and connect FortiClient to EMS.
You can configure endpoint policies and deployment configurations for specific endpoint groups from an Entra ID server.
You can add an API key and use it to configure an Active Directory (AD) connector to act as a proxy between EMS and
the AD server. See AD connector on page 432.
AD connector
You can configure an Active Directory (AD) connector that acts as a proxy between the AD server and EMS.
The following shows an example environment, which consists of the following virtual machines (VM):
l VM1: EMS
l VM2: AD server (ems104.com)
l VM3: AD connector
In this example, VM2 is connected to a local network with an IP address of 192.168.178.13/24. EMS is connected to a
public network with an IP address of 10.71.5.77/24. In this scenario, when you attempt to add the AD server as an
authentication server in Administration > Authentication Servers in EMS, it cannot reach the AD server. The AD
connector solves this problem. The AD connector has the following network adapters:
Adapter IP address
The gateway for adapter data is 192.168.1.1, which is a FortiGate that is connected to the Internet. The AD server
cannot directly connect to EMS. EMS cannot access the AD server. The connector serves as a proxy to add the AD
server to EMS.
3. If desired, configure the directories configuration. You can also click Next to configure it later:
a. In the Directory Host field, enter the hostname of the desired AD server.
b. In the Directory Port field, enter the port number that the AD server uses to communicate with EMS.
c. In the Username and Password fields, enter the credentials used to log in to the AD server.
d. If desired, enable Use LDAPS.
e. If you enabled LDAPS, in the CA Certificate Path field, enter the path to the desired CA certificate to use for the
LDAPS connection.
f. If you enabled LDAPS, if desired, enable Check Cert Hostname.
g. Under Non-Selected Sites for Directory and Selected Sites for Directory, click Include Sites and Exclude Sites
to include and exclude sites as desired.
h. Click Add Directory and Remove Directory to populate the Configured Directories List as desired. Click Next.
4. In EMS, go to Administration > Authentication Servers > Connectors to confirm that you successfully created an AD
connector.
Option Description
Expire login session after x minutes Specify how long to keep inactive users logged into FortiClient EMS. When the time expires, EMS automatically logs the user out. Enter 0 to keep inactive users logged into FortiClient EMS indefinitely.
Disable administrators' accounts when inactive for x days Specify the number of days of inactivity after which to disable a user account. For example, if you set this field to 10 and a user does not log into FortiClient EMS for ten days, EMS disables their account so that they cannot log into FortiClient EMS. A super administrator can reactivate their account. See Activating a disabled account on page 417.
Change password after x days Specify the number of days after which to force the user to change their password. Enter 0 to disable this setting. This setting only applies to built-in users such as the admin user and local administrators created in EMS.
3. Click Save.
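The three Admin User Settings above, together with the inactivity rules from Activating a disabled account (the built-in admin is exempt, a super administrator reactivates everyone else), make up a small account-state policy. The following is an added example, not EMS code, that evaluates that policy for a few constructed accounts. The page does not say what a value of 0 means for the inactivity setting; the example assumes 0 turns that check off, and that "ten days" means an idle time of at least ten days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BUILTIN_ADMIN = "admin"   # always active; Allowed inactive days does not apply to it

DISABLED_MESSAGE = ("Your account has been disabled due to inactivity. "
                    "Please contact an EMS admin for assistance.")


@dataclass
class AdminUserSettings:
    expire_login_minutes: int      # 0 = inactive sessions never expire
    disable_inactive_days: int     # days without a login before the account is disabled
                                   # (0 = check off: an assumption, the page does not say)
    change_password_days: int      # 0 = disabled; built-in/local EMS users only


@dataclass
class Account:
    username: str
    source: str                    # "EMS", "Windows" or "LDAP": the Type values on Admin Users
    last_login_or_activation: datetime
    password_changed: datetime
    last_request: datetime         # most recent GUI activity in the current session


def session_expired(settings, account, now):
    if settings.expire_login_minutes == 0:
        return False
    return now - account.last_request >= timedelta(minutes=settings.expire_login_minutes)


def account_disabled(settings, account, now):
    # The built-in admin account is never disabled for inactivity. With the
    # page's example value of 10, ten idle days disable the account (>= comparison).
    if account.username == BUILTIN_ADMIN or settings.disable_inactive_days == 0:
        return False
    idle = now - account.last_login_or_activation
    return idle >= timedelta(days=settings.disable_inactive_days)


def password_change_required(settings, account, now):
    # Only built-in users (admin and local EMS administrators); Windows and LDAP
    # passwords belong to the host server or AD, not to EMS.
    if settings.change_password_days == 0 or account.source != "EMS":
        return False
    return now - account.password_changed >= timedelta(days=settings.change_password_days)


def evaluate(settings, account, now):
    """Everything the login path needs to decide for one account at time `now`."""
    disabled = account_disabled(settings, account, now)
    return {
        "disabled": disabled,
        "message": DISABLED_MESSAGE if disabled else None,
        "session_expired": session_expired(settings, account, now),
        "password_change_required": password_change_required(settings, account, now),
    }


# Constructed fixture: a fixed clock and three accounts. The AD user follows the
# "example-domain/username" login format described for LDAP admin users.
NOW = datetime(2024, 3, 1, 12, 0)
SETTINGS = AdminUserSettings(expire_login_minutes=30, disable_inactive_days=10,
                             change_password_days=90)
ACCOUNTS = [
    Account("admin", "EMS", NOW - timedelta(days=45), NOW - timedelta(days=120),
            NOW - timedelta(minutes=5)),
    Account("jsmith", "EMS", NOW - timedelta(days=10), NOW - timedelta(days=30),
            NOW - timedelta(minutes=45)),
    Account("example-domain/adowner", "LDAP", NOW - timedelta(days=3),
            NOW - timedelta(days=400), NOW - timedelta(minutes=10)),
]

if __name__ == "__main__":
    for account in ACCOUNTS:
        print(account.username, evaluate(SETTINGS, account, NOW))
```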
Fabric Devices
You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. You can also deny or
authorize a FortiGate. These FortiGates receive endpoint data from EMS. FortiClient does not directly connect to
FortiGates listed on this page.
Fabric Devices displays the relationships between FortiGates if they are part of a cooperative Fortinet Security Fabric
(CSF) or high availability (HA) cluster. The following shows Fabric Devices showing two FortiGates that are part of a
CSF tree:
The following shows Fabric Devices showing two FortiGates that are part of an HA cluster:
FortiOS 7.0.2 to 7.0.6 only supports security posture tags and does not support other tag types when used with EMS.
Endpoints connected via zero trust network access do not provide IP addresses to FortiOS.
For connection to FortiAnalyzer, see Incoming ports.
Option Description
Share all FortiClients Selected FortiGate receives all endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag"), regardless of whether the gateways point to the selected FortiGate.
Only share FortiClients connected to this fabric device (Recommended) Default setting. Selected FortiGate only receives the host tags for endpoints whose gateways point to the selected FortiGate.
Share FortiClients connected to selected fabric devices The selected FortiGate receives host tags for the following:
l Endpoints whose gateways point to the selected FortiGate
4. In Tag Types Being Shared, select at least one tag type to share. Security Posture Tags is selected by default and
you cannot deselect it. EMS only shares the selected tag types with the configured Fabric devices.
Tag Description
FortiGuard outbreak alert tags See FortiGuard Outbreak Alerts on page 383.
Fabric tags Fabric tags require connection to FortiAnalyzer. See the following process:
1. EMS administrator configures FortiAnalyzer in a System Settings profile.
See System Settings on page 338.
2. FortiClient connects to EMS and receives FortiAnalyzer connection
5. Click Save.
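The sharing options and tag types above decide which FortiGates learn an endpoint's host tag. The following is an added example, not Fortinet's implementation, that encodes those rules for a constructed set of Fabric devices (the FGT-A to FGT-D serials are placeholders). Two assumptions are labelled in the code: only Fabric devices in the authorized state receive anything, and the third option also covers endpoints whose gateways point to one of the selected devices, which the option name implies but the list above is cut off before stating.

```python
from dataclasses import dataclass
from enum import Enum


class ShareMode(Enum):
    ALL = "Share all FortiClients"
    CONNECTED_ONLY = "Only share FortiClients connected to this fabric device"
    CONNECTED_TO_SELECTED = "Share FortiClients connected to selected fabric devices"


# Always shared and cannot be deselected in Tag Types Being Shared.
SECURITY_POSTURE = "Security Posture Tags"


@dataclass
class FabricDevice:
    serial: str
    mode: ShareMode = ShareMode.CONNECTED_ONLY     # the page's default setting
    selected: frozenset = frozenset()              # serials, for CONNECTED_TO_SELECTED
    extra_tag_types: frozenset = frozenset()       # e.g. "FortiGuard outbreak alert tags", "Fabric tags"
    authorization: str = "authorized"              # authorized | deauthorized | pending


def shared_tag_types(device):
    return frozenset(device.extra_tag_types) | {SECURITY_POSTURE}


def receives_host_tag(device, gateway_serial):
    """Does `device` get the host tag of an endpoint whose FortiClient gateway
    points to the FortiGate `gateway_serial`?"""
    # Assumption: deauthorized and pending Fabric devices receive nothing.
    if device.authorization != "authorized":
        return False
    if device.mode is ShareMode.ALL:
        return True
    if device.mode is ShareMode.CONNECTED_ONLY:
        return gateway_serial == device.serial
    # CONNECTED_TO_SELECTED: own endpoints plus those of the selected devices
    # (assumption: the page's bullet list is cut off after the first case).
    return gateway_serial == device.serial or gateway_serial in device.selected


def recipients(devices, gateway_serial, tag_type=SECURITY_POSTURE):
    """Serials of the Fabric devices that receive `tag_type` for that endpoint."""
    return sorted(d.serial for d in devices
                  if receives_host_tag(d, gateway_serial)
                  and tag_type in shared_tag_types(d))


# Constructed Fabric: placeholder serials, not real devices.
FABRIC = [
    FabricDevice("FGT-A"),
    FabricDevice("FGT-B", ShareMode.ALL, extra_tag_types=frozenset({"Fabric tags"})),
    FabricDevice("FGT-C", ShareMode.CONNECTED_TO_SELECTED, selected=frozenset({"FGT-A"})),
    FabricDevice("FGT-D", authorization="pending"),
]

if __name__ == "__main__":
    for gateway in ("FGT-A", "FGT-C", "FGT-D"):
        print(gateway, "->", recipients(FABRIC, gateway),
              "fabric tags ->", recipients(FABRIC, gateway, "Fabric tags"))
```

The recommended default (connected only) keeps the blast radius of host-tag data to the FortiGate that actually terminates the endpoint; "Share all" is the setting to review when auditing which FortiGates hold address data for endpoints they never see.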
When an endpoint has a security posture tag applied and EMS is operating as part of a Fortinet Security Fabric, the
FortiGate that the endpoint's FortiClient gateway points to receives the endpoint's resolved IP or MAC address
(hereafter referred to as "host tag") from EMS.
If your EMS is operating as part of a Security Fabric with multiple FortiGates, you may want to configure EMS to send the
host tag to other FortiGates in the Fabric, in addition to the FortiGate that the endpoint's FortiClient gateway points to.
You can configure this as follows.
The following illustrates the topology in this example:
Each FortiOS virtual domain (VDOM) can connect to a separate EMS or EMS multitenancy site. This provides EMS with
the ability to only send FortiClient and tagging information to a single FortiOS VDOM.
This feature requires FortiOS 7.4.
4. Configure a Fabric connection from the FortiGate non-root VDOM to the EMS non-default site. Once connected, the
EMS non-default site shows the FortiGate non-root VDOM in Administration > Fabric Devices in <FortiGate serial
number> - <VDOM name> format:
config vdom
    edit site1
        config endpoint-control settings
            set override enable
        end
        config endpoint-control fctems-override
            edit 1
                set status enable
                set name "ems_site1"
                set server "site1.ems1.fortitest.ca"
            next
        end
    next
end
5. Tagging information from an EMS site is only shared with the FortiGate VDOM that the EMS site has established a
Fabric connection with. In this example, the ems_connected_default site is a tag configured on the EMS default site.
You can hover over the FortiGate in EMS and select Edit to update tag and FortiClient endpoint sharing information.
You can also configure an alias for easier FortiGate identification. EMS shows one of the following authorization
states for the Fabric connection: authorized, deauthorized, or pending.
SAML SSO
You can enable SAML single sign on (SSO) to allow users to log in to EMS using an identity provider (IdP), such as
FortiAuthenticator (on-premise and Cloud), FortiOS, and third party IdPs such as Azure, Okta, and Active Directory
Federation Services. The following topics provide information on configuring SSO with different IdPs:
You can enable SAML SSO to allow users to log in to EMS using a FortiGate as an identity provider (IdP).
1. Configure SAML SSO in FortiOS with EMS as the service provider (SP). See Configuring single-sign-on in the
Security Fabric. Ensure that you download the IdP certificate and copy the IdP entity ID and IDP single sign-on URL
values to use when configuring SAML SSO on EMS.
Setting Description
SP Address Enter the EMS IP address. You can also click the Use Current Browser Address button to autopopulate the field. Your browser must be able to access this IP address.
SP Entity ID, SP ACS (login URL) These fields are prepopulated. You do not need to provide these values to FortiOS when configuring SAML SSO for EMS using FortiGate as an IdP.
Setting Description
Only upload an SP certificate if you uploaded the same certificate for this SP (in this case, EMS) in FortiOS in step 1.
6. Configure Identity Provider Settings. In this configuration, the FortiGate is the IdP:
Setting Description
IdP Entity ID Enter the IdP entity ID value that you copied from FortiOS.
IdP single sign-on URL Enter the IdP single sign-on URL value that you copied from FortiOS.
IdP Certificate Click Upload new certificate to upload the IdP certificate.
Upload the same certificate that you configured for the IdP (the FortiGate) in
FortiOS in step 1.
7. (Optional) If desired, toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from the
IdP can become EMS admin users. When this feature is enabled, only SSO users from the IdP that satisfy a
configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter a
username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with
usernames that match the configured authorization rules can access EMS as an admin user.
Deleting an authorization rule does not remove its associated users as admin users from
EMS. You must delete them from Administration > Admin Users.
8. Click Save.
9. In FortiOS, create a new system administrator. These users can log in to EMS using SAML SSO.
For a user to log in using SAML SSO, you must enable remote HTTPS access on EMS. See
Configuring EMS settings on page 472.
When an administrator logs in to EMS with SSO for the first time, they have restricted
permissions. An EMS super administrator can adjust permissions for the new administrator.
You can configure a single sign on (SSO) connection with Okta via SAML, where Okta is the identity provider (IdP) and
FortiClient EMS is the service provider (SP). This feature allows administrators to log in to EMS by logging in with their
Okta credentials.
Deleting an authorization rule does not remove its associated users as admin users from
EMS. You must delete them from Administration > Admin Users.
You can configure a single sign on (SSO) connection with Microsoft Entra ID (formerly known as Azure Active Directory
(AD)) via SAML, where Entra ID is the identity provider (IdP) and FortiClient EMS is the service provider (SP). This
feature allows users to log in to EMS by logging in with their Entra ID credentials.
1. In FortiClient EMS, go to Administration > SAML SSO. Service Provider Settings displays the SP Address, SP Entity
ID, and SP ACS (login) URL fields. You use these values to configure FortiClient EMS as an SP in Azure. Copy
these values.
2. Create and configure your FortiClient EMS environment in Azure:
a. In the Azure portal, go to Microsoft Entra ID > Enterprise applications > New application.
b. Click Create your own application and provide a name, for instance, FortiClient EMS.
c. Click Create.
d. Assign Entra ID users and groups to FortiClient EMS.
e. Go to Set up single sign on.
f. For the SSO method, select SAML.
g. In Basic Configuration, enter the values that you copied in step 1. The following summarizes the mapping
between EMS fields and Azure fields:
EMS Service Provider Settings field Entra ID Basic SAML configuration field
You can configure a single sign on (SSO) connection with Active Directory Federation Services (AD FS), where AD FS is
the identity provider (IdP) and FortiClient EMS is the service provider (SP). This feature allows users to log in to EMS by
logging in with their AD FS credentials.
The following instructions assume that you have already installed and configured AD FS.
1. In FortiClient EMS, go to Administration > SAML SSO. Service Provider Settings displays the SP Address, SP Entity
ID, and SP ACS (login) URL fields. You use these values to configure FortiClient EMS as an SP in AD FS. Copy
these values.
2. Create and configure your FortiClient EMS environment in AD FS:
a. Open AD FS Management and right-click Relying Party Trusts and select Add Relying Party Trust. This
launches the Add Relying Party Trust Wizard. Select Claims Aware and click Next.
b. In Select Data Source, select Enter data about the relying party manually and click Next.
c. Enter a Display name and click Next.
d. In Configure Certificate, leave the certificate settings at their default values. Click Next.
e. In Configure URL, select Enable Support for the SAML 2.0 WebSSO protocol, then enter the SAML SSO URL
obtained from EMS (SP ACS (login) URL).
f. In Configure Identifiers, enter the Relying party trust identifier URL obtained from EMS (SP Entity ID), then click
Add and Next.
g. In Choose Access Control Policy, leave the default value (Permit everyone) and click Next.
h. In Ready to Add Trust, review your settings, then click Next.
i. In Finish, select Configure claims issuance policy for this application, then click Close.
3. Create claim rules:
a. In the Issuance Transform Rules tab of the Claim Rules editor, click Add Rule.
b. In Choose Rule Type, select Send LDAP Attributes as Claims from the dropdown list, then click Next.
c. In Configure Claim Rule, enter a Claim Rule Name, select Active Directory as the Attribute Store, then add the
following mapping: from the LDAP Attribute column, select SAM-Account-Name. In the Outgoing Claim Type
column, enter Name ID, then click Finish to add the rule. Click OK.
4. Export the IdP certificate, which you must later upload to EMS to finish SAML configuration:
a. Open the AD FS management snap-in, select AD FS > Service > Certificates, then double-click the certificate
under Token-signing. You can also right-click the field, then select View Certificate in the context menu.
b. In Certificate, open the Details tab, then select Copy to File and click OK.
c. In Certificate Export Wizard, click Next.
d. Select Base-64 encoded X.509 (.CER), then click Next.
e. In Certificate Export Wizard, select Browse to specify the location to export the IdP certificate to, then specify
the file name and click Next.
f. In Completing the Certificate Export Wizard, click Finish, then click OK to confirm the export succeeded.
5. Configure the IdP information in FortiClient EMS:
a. Export the metadata from AD FS by appending FederationMetadata/2007-06/FederationMetadata.xml to the AD FS server root URL, for example: https://adfs.domain.com/federationmetadata/2007-06/FederationMetadata.xml. On a local AD FS server, the URL is https://localhost/FederationMetadata/2007-06/FederationMetadata.xml.
b. Obtain the IdP single sign-on URL and entity ID from the metadata. Example values: IdP entity ID: http://adfs.domain.com/adfs/services/trust; IdP single sign-on URL: https://adfs.domain.com/adfs/ls/
c. In EMS, under Identity Provider Settings, paste the values obtained from the metadata in the IdP Entity ID and
IdP single sign-on URL fields.
d. Provide the certificate extracted in previous steps.
e. (Optional) If desired, toggle on Enable Authorization Rules. When this feature is disabled, all SSO users from
the IdP can become EMS admin users. When this feature is enabled, only SSO users from the IdP that satisfy a
configured rule can become an EMS admin user. To add a rule, click Add. In the Authorization Rule field, enter
a username. This field is case-insensitive. Add multiple rules as desired. Only SSO users from the IdP with
usernames that match the configured authorization rules can access EMS as an admin user.
f. Save the configuration.
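The metadata lookup in step 5 can be scripted instead of read by eye. The following is an added example, not code from the FortiClient EMS guide or from Fortinet: it parses an AD FS FederationMetadata.xml document and returns the three values EMS asks for under Identity Provider Settings, namely the IdP entity ID, the IdP single sign-on URL and the token-signing certificate, the last in the same Base-64 X.509 (.CER, PEM) form that the Certificate Export Wizard in step 4 produces. The SAMPLE_METADATA document is constructed for the example and trimmed to the SAML elements; the certificate bodies inside it are placeholders, not real keys.

```python
"""Pull the EMS Identity Provider Settings out of AD FS federation metadata.

Added example, not part of the FortiClient EMS guide or Fortinet's code.
Given the FederationMetadata.xml that AD FS publishes, it returns the
IdP entity ID, the IdP single sign-on URL, and the token-signing
certificate(s) as PEM, the same Base-64 X.509 (.CER) form that the
Certificate Export Wizard produces. SAMPLE_METADATA is a constructed,
trimmed document; its certificate bodies are placeholders, not real keys.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. Real AD FS metadata also carries WS-Federation
# sections and an XML signature; only the SAML IdP parts are kept here.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>RU5DUllQVElPTg==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.domain.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_der: str) -> str:
    """Wrap the metadata's base64 DER body as a PEM certificate.

    Whitespace inside the element is stripped and the body is checked to
    be valid base64 before wrapping, so a mangled copy fails here rather
    than at EMS upload time.
    """
    body = "".join(b64_der.split())
    base64.b64decode(body, validate=True)
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity_id, sso_url and signing_certs_pem from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")

    # Prefer the HTTP-Redirect endpoint, the binding SP-initiated login
    # normally uses, and fall back to HTTP-POST. AD FS publishes the same
    # /adfs/ls/ URL for both.
    locations = {svc.get("Binding"): svc.get("Location")
                 for svc in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(REDIRECT_BINDING) or locations.get(POST_BINDING)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    # Only signing keys verify assertions; skip encryption-only descriptors.
    # During token-signing rollover AD FS publishes two signing certs, so
    # all of them are returned rather than silently picking the first.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(to_pem(cert.text or ""))
    if not certs:
        raise ValueError("no token-signing certificate in metadata")

    return {"entity_id": entity_id, "sso_url": sso_url,
            "signing_certs_pem": certs}


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("IdP Entity ID:          ", settings["entity_id"])
    print("IdP single sign-on URL: ", settings["sso_url"])
    print(settings["signing_certs_pem"][0])
```

Fetch the metadata over HTTPS from the AD FS server itself, and compare the certificate the script returns with the one exported from the Token-signing node in step 4 before uploading it to EMS: the IdP certificate is the trust anchor for every SSO login, so a metadata document obtained from anywhere else should not be used to populate it. If the script returns two signing certificates, AD FS is in the middle of a certificate rollover and the newer one is the one to upload.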
Licenses
Log Viewer
To view logs:
To download logs:
You can create a diagnostic logs package that includes a snapshot of EMS CPU and memory usage, PostgreSQL logs,
performance data, and so on. You can send this package to the Fortinet technical support team for troubleshooting.
You can mark all endpoints as uninstalled, which erases their historical event data.
This option is mainly useful for customers using virtual desktop infrastructure environments, where temporary desktop
instances are used for a short duration, then terminated. After you use this option to mark all endpoints as uninstalled,
only active instances reconnect to EMS. This conveniently frees up the licenses that the terminated instances were
using, and you can provision these licenses to active unlicensed endpoints.
In User Management, you can configure options for user verification. EMS supports the following user verification
methods:
None End user does not need to provide any credentials to connect to EMS.
Local End user must provide credentials that match a local user configured in User Management > Local Users to connect to EMS. You must create a local user to configure this option. See Local users on page 452.
LDAP End user must provide their domain credentials to connect to EMS. You must configure an LDAP domain to configure this option. See Adding endpoints using an AD domain server on page 129.
SAML End user must provide their credentials for a SAML identity provider, such as Microsoft Entra ID (formerly known as Azure Active Directory (AD)), to connect to EMS. You must configure SAML settings to configure this option. See SAML Configuration on page 452.
Authorized User Groups displays OUs and user groups from all imported LDAP servers.
This page displays the following columns of information:
Column Description
Last Synced Time that EMS and the LDAP server last synchronized configurations.
Invitation Status Whether an invitation was created for this user group.
Group Status Can be Authorized or Excluded. If a group is authorized, its users can onboard to EMS. If a group is excluded, its users cannot onboard to EMS.
You can filter the list of groups by authorized or excluded, OUs or groups.
Verified Users
Verified Users shows a list of users who have successfully connected to FortiClient EMS by using an invitation and
authenticating using a specified verification method.
Column Description
Domain Domain that the user used to authenticate and connect to EMS, if applicable.
SAML SAML server that the user used to authenticate and connect to EMS, if applicable.
Device Count Number of devices that the user has connected to EMS.
User Type Displays the type of authentication the user used to connect to EMS.
You can click the user to view the devices that they have currently connected to EMS. The following information displays
for devices:
Column Description
Device Status Displays whether the device is currently managed by EMS and whether the
device is licensed.
You can exclude users from management. This frees up the license seat that the user was consuming.
Unverified Users
Unverified Users shows a list of users who have not verified their identity using one of the specified authentication
methods. This page displays the following columns of user information:
Column Description
Domain Domain that the user used to authenticate and connect to EMS, if applicable.
Device Count Number of devices that the user has connected to EMS.
You can click the user to view the devices that they have currently connected to EMS. The following information displays
for devices:
Column Description
Device Status Displays whether the device is currently managed by EMS and whether the
device is licensed.
Local users
You can configure local users. Users can provide credentials that match a configured local user to connect their
FortiClient to FortiClient EMS. This is mainly useful for environments that do not use Active Directory or SAML.
SAML Configuration
In SAML Configuration, you can configure connections to SAML identity providers (IdP), such as Microsoft Entra ID. This
allows end users to connect to FortiClient EMS and authenticate using their relevant credentials, such as to Entra ID.
The following provides an example for configuring SAML connection to Entra ID.
Setting Description
SP Address Enter the EMS IP address. You can also click the Use Current URL button to autopopulate the field. Your browser must be able to access this IP address.
Prefix Enter the prefix generated in EMS for the IdP. You can generate a new prefix by clicking the Generate button.
IdP single sign-on URL Enter the IdP single sign-on URL, including the http or https prefix as applicable.
IdP entity ID Enter the IdP entity ID, including the http or https prefix as applicable.
IdP Certificate Click Upload new certificate to upload the IdP certificate. Upload the same certificate that you configured in the IdP.
7. Click Save.
To use SAML to verify user identity when users connect FortiClient to EMS using an invitation
code, you must select SAML for the Verification Type when configuring an invitation. See
Invitations on page 454.
Invitations
You can configure invitation codes to email to end users. After installing FortiClient, end users can enter the invitation
codes to connect FortiClient to EMS.
1. Go to Invitations in the upper right corner, in Endpoints > Invitations, or in User Management > Invitations.
2. Do one of the following:
- To create a new invitation code, click Add.
- To edit an existing invitation code, select the desired invitation code. Click Edit.
None End user does not need to provide any credentials to connect to EMS.
Local End user must provide credentials that match a local user configured in User Management > Local Users to connect to EMS. You must create a local user to configure this option. See Local users on page 452.
LDAP End user must provide their domain credentials to connect to EMS. You must configure an LDAP domain to configure this option. See Adding endpoints using an AD domain server on page 129.
SAML End user must provide their credentials for a SAML identity provider, such as Microsoft Entra ID (formerly known as Azure Active Directory), to connect to EMS. You must configure SAML settings to configure this option. See SAML Configuration on page 452.
The following provides an example of configuring user verification, using an LDAP server for authentication. This example sends the invitation code to a single user. This configuration consists of the following steps:
1. The EMS administrator adds the LDAP server to EMS.
2. The EMS administrator configures an invitation code, and sends the invitation code to the desired user.
3. The end user receives the invitation email, and uses it to download FortiClient.
4. The end user connects to EMS using their Active Directory (AD) credentials.
1. The endpoint user receives the invitation email. They click the download link in the email to download the FortiClient deployment package.
2. The user uses the deployment package to install FortiClient on their endpoint.
3. Once the install completes, FortiClient launches and prompts the user to enter their AD credentials. EMS verifies that the credentials match a known user in the AD domain that was configured in the invitation code and allows the user to connect to FortiClient EMS.
To configure individual onboarding with SAML authentication using an LDAP domain user account:
1. Configure EMS:
a. In EMS, go to Endpoints > Manage Domains.
b. Import the desired Active Directory domain. During the onboarding process, EMS authenticates user identities
based on this domain. In this example, the domain is qatest0824.local.
f. In EMS, go to User Management > Invitations. Click Add. Configure the desired recipients to receive their
invitation codes over email. For Verification Type, select SAML. From the SAML Config dropdown list, select
the SAML configuration that you created. Click Save.
g. Go to System Settings > EMS Settings. Enable Enforce User Verification. This forces FortiClient to register to
EMS using user onboarding.
h. Go to Security Posture Tags > Security Posture Tagging Rules. Add a security posture tagging rule to tag
registered endpoints with verified users.
2. In FortiClient on an unregistered endpoint, attempt to register to EMS using the EMS fully qualified domain name. EMS rejects the connection attempt. FortiClient displays an error that EMS requires an invitation code.
ii. Open the invitation email, and copy the invitation code. Enter the invitation code on the Zero Trust
b. In the popup, provide your LDAP user credentials, then click Login. FortiClient proceeds with the registration
process after authentication succeeds. After FortiClient successfully registers to EMS, the username in
FortiClient changes to the verified user account, and a chain icon appears beside the username to indicate that
FortiClient is registered with a verified user.
4. Go to the About page to confirm that the Verified User tag displays.
5. In EMS, go to Endpoint Policy & Components > Managed Policies. Create a policy to apply to the selected user. In
the Users field, select the desired user. This policy takes priority over group-based policies that the endpoint may
also be eligible for.
6. Go to Endpoints > All Endpoints. Select the endpoint. Confirm that EMS applied the user-specific policy that you
created to the endpoint.
7. On the same endpoint, register FortiClient with a new user. The endpoint summary displays a new active user. As the endpoint is no longer eligible for the user-specific policy, EMS applies a group-based policy to the endpoint instead. You can view all registered users for that endpoint.
The following provides an example of configuring user verification, using a Microsoft Entra ID server for authentication. This configuration consists of the following steps:
1. The EMS administrator adds the Entra ID server to EMS.
2. The EMS administrator configures an invitation code, and sends the invitation code to the desired user.
3. The end user receives the invitation email, and uses it to download FortiClient.
4. The end user connects to EMS using their Entra ID credentials.
This is necessary for registering an Entra ID endpoint to EMS using an invitation code. This only applies for Entra ID-
joined endpoints.
1. Configure the redirect URL:
a. In the Azure portal, go to App registration. Copy the application/client ID of the application used to connect with
EMS.
b. Click the application, then click the Redirect URIs link.
c. Click Add a Platform > Select Mobile and Desktop applications.
d. Add the following URL: ms-appx-web://microsoft.aad.brokerplugin/<application client ID>.
e. Under Allow public client flows, toggle to Yes for Enable the following mobile and desktop flows.
f. Save the configuration.
2. Go to Roles and administrators.
3. Search for and select Directory Readers.
4. Click Add assignments.
5. Select the application used to connect with EMS.
Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and
does not preserve the hierarchy from the Entra ID server.
4. Click Save.
1. Add an invitation:
a. In the EMS top banner, click Invitations.
b. Click Add.
c. For Verification Type, select Domain.
d. From the LDAP Domain dropdown list, select the Entra ID server.
e. Configure other settings as desired, then click Save.
2. On the endpoint, go to Settings > Accounts.
3. Click Join this device to Azure Active Directory.
4. Under Access work or school, click Connect.
5. Log in as an Entra ID user.
6. In FortiClient, on the Zero Trust Telemetry tab, enter the invitation code to register to EMS. FortiClient registers to EMS as the logged-in Entra ID user without additional prompts.
The following provides an example of configuring user verification, using a Microsoft Entra ID (formerly known as Azure
Active Directory (AD)) server for authentication. This configuration consists of the following steps:
1. The EMS administrator adds the Entra ID server to EMS.
2. The EMS administrator creates a SAML configuration in EMS, with EMS as the service provider (SP) and the Entra
ID server as the identity provider (IdP).
3. The EMS administrator configures an invitation code, and sends the invitation code to the desired user.
4. The end user receives the invitation email, and uses it to download FortiClient.
5. The end user connects to EMS using their Entra ID credentials.
h. Click Test.
6. Enable Import as Base Group for the desired groups, then click Save.
Endpoints > Domains lists the Entra ID server domain groups and subgroups. It lists subgroups as a flat list and
does not preserve the hierarchy from the Entra ID server.
b. For a workgroup endpoint or an endpoint joined to an on-premise domain, in FortiClient, on the Zero Trust
Telemetry tab, enter the invitation code to register to EMS. A Microsoft single sign on prompt displays. Enter
the Entra ID user credentials to authenticate and connect FortiClient to EMS.
FortiClient EMS installs with a default IP address and port configured. You can change the IP address and port and
configure other server settings for FortiClient EMS.
When you enable multitenancy, you must configure some EMS settings at the global level, and other settings at the site
level. See Global and per-site configuration on page 501.
Option Description
Listen on IP Displays the IP addresses for the FortiClient EMS server. FortiClient
connects to FortiClient EMS on the specified IP address.
You can generate a QR code for the specified IP address. See Generating a
QR code for centrally managing FortiClient (Android) and (iOS) endpoints on
page 477.
Use FQDN Specify a fully qualified domain name (FQDN) for the FortiClient EMS server.
FortiClient's connection to EMS is critical to managing endpoint security.
Managing this is relatively easy for internal devices. For external devices or
devices that may leave the internal network, you must consider how to
maintain this connection. FortiClient can connect to EMS using an IP address
or FQDN. An FQDN is preferable for the following reasons:
- Easy to migrate EMS to a different IP address
The third reason is particularly valuable for environments where devices may
be internal or external from day to day. When using an FQDN, you can
configure your internal DNS servers to resolve the FQDN to the EMS internal
IP address and register your external IP address with public DNS servers.
You must then configure the device with your external IP address to forward
communication received on port 8013 to your EMS internal IP address. This
allows your external clients to leverage a virtual IP address on the FortiGate
so that they can reach EMS, while allowing internal clients to use the same
FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This
configuration requires external clients to establish a VPN connection to reach
the EMS (VPN policies permitting). This configuration can be problematic if
all endpoints need an urgent update but some are disconnected from VPN at
that time.
FQDN Enter the FortiClient EMS server FQDN. FortiClient can connect using the
specified IP address in the Listen on IP Addresses option or the specified
FQDN.
Remote HTTPS access Specify settings for remote administration access to FortiClient EMS.
Turn remote HTTPS access to FortiClient EMS on and off. When enabled,
enter a hostname in the Custom hostname field to let administrators use a
browser and HTTPS to log into FortiClient EMS. When disabled,
administrators can only log into FortiClient EMS on the server.
HTTPS port Available when Remote HTTPS Access is enabled. Displays the predefined
HTTPS port. You cannot change the port.
Pre-defined hostname Available when Remote HTTPS Access is enabled. Displays the predefined hostname. You cannot change the name.
Custom hostname Available when Remote HTTPS Access is turned on. Displays the predefined hostname of the server on which FortiClient EMS is installed. You can customize the hostname. When you change the hostname, the web server restarts.
Management IP and Port Available when Remote HTTPS Access is turned on. If the EMS has an IP address that is usually not publicly reachable but the FortiGate could reach, specify this IP address. In most cases, this is an internal IP address. The FortiOS administrator can use this IP address to connect the FortiGate to the EMS using a Fabric connector.
Redirect HTTP request to HTTPS Available when Remote HTTPS Access is turned on. If this option is enabled and you attempt to remotely access FortiClient EMS at http://<server_name>, EMS automatically redirects you to https://<server_name>.
Webserver certificate Displays the SSL certificate currently used for the Apache service and the
Notify (websockets) daemon. If desired, you can select another certificate
from the dropdown list. See EMS Server Certificates on page 486.
Use Webserver certificate for Enable to use the certificate uploaded in the Webserver certificate field for
Endpoint Control endpoint control.
Endpoint Control certificate Displays the SSL certificate currently used on port 8013 for the endpoint
control daemon. If desired, select another certificate from the dropdown list.
See EMS Server Certificates on page 486.
When this option is enabled and FortiClient tries to connect to EMS using the
endpoint control protocol, EMS sends the SSL certificate so that FortiClient
can use the certificate to verify the connection.
If the SSL certificate is from a publicly signed certificate authority, only
endpoints with the following FortiClient versions can connect to EMS:
- 6.4.7 and later
EMS CA certificate (ZTNA) This feature requires the zero trust network access (ZTNA) or endpoint
protection platform license. See Windows, macOS, and Linux licenses on
page 23.
Displays the EMS CA certificate expiry. EMS sends this certificate to FortiOS.
See FortiClient in the Security Fabric on page 14.
Click the Revoke and Update button to revoke and update the certificate. You
may want to revoke a certificate if it is compromised and can no longer be
trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient
with a new certificate signing request. This may affect existing connections.
Enable ZTNA token Enable the ZTNA JSON web token (JWT). See JWT support for ZTNA UID
and tag sharing on page 478.
ZTNA token If you enabled the ZTNA JWT, enter the JWT expiry time in minutes. The
timeout minimum and default value is 60 minutes. When the expiry time is reached,
EMS generates a new JWT and sends it to endpoints.
Reset Stalled Deployment Enter number of hours after which to reset stalled deployments.
Interval
Admin Lockout Attempt Configure the number of unsuccessful login attempts after which EMS locks
out the admin. The default is three times.
Admin Lockout Period Configure the number of seconds that EMS locks out an admin for after they
have reached the number of unsuccessful login attempts configured in Admin
Lockout Attempt.
3. Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing
Windows, macOS, and Linux endpoints:
Listen on port Displays the FortiClient EMS server default port. You can change
the port by typing a new port number. FortiClient connects using the
specified port number.
Use persistent connections Allow FortiClient to create a persistent connection with EMS. With this feature, FortiClient does not tear down and renegotiate the TLS connection at every keepalive (KA) interval.
FortiOS Connector port Displays the default port that FortiClient EMS uses to connect to
FortiOS, where FortiClient EMS is the server and FortiOS is a client.
You can change the port by typing a new port number. FortiOS
connects using the specified port number.
FortiClient download URL FortiClient deployment packages created in FortiClient EMS are
available for download at this URL.
Open port 10443 in Windows Firewall Open port 10443 or close port 10443. Port 10443 is used to download FortiClient.
Enforce User Verification Enforce user verification for endpoints. Users must log in to verified
user accounts to register to EMS. See Invitations on page 454.
Enforce invitation-only registration for Enforce invitation-only registration for some or all users. When you
select all, FortiClient can only register to EMS using an invitation.
See Invitations on page 454.
User Verification Period Enter the desired number of days for the user verification period. The minimum number of days is seven. When you enable Enforce User Verification, EMS deauthenticates all users that were authenticated earlier than the configured verification period. For example, if you configure the period as 30 days and then enable it, EMS immediately deauthenticates users that were authenticated more than 30 days ago. The timeout takes effect immediately.
Sign software packages Enable this option to have Windows FortiClient software installers
created by or uploaded to FortiClient EMS digitally signed with a
code signing certificate.
Timestamp server Enter the server address to timestamp software installers with.
Certificate Upload the desired code signing certificate. This must be a .pfx file.
After a certificate has been uploaded, its expiry date is also
displayed.
Password Enter the certificate password. This is required for FortiClient EMS
to sign the software installers with the certificate.
Configure EMS server list Select an option from the dropdown list. Users can configure this
IP address in Shared Settings > Listen on IP.
Enable login banner When you enable the login banner, a message appears prior to a
user logging into FortiClient EMS. In the Message field, type your
message. The Preview section displays a preview of the message.
4. If managing Chromebooks, enable EMS for Chromebooks Settings. You may need to restart FortiClient EMS after
enabling this option.
5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiClient EMS
managing Chromebook endpoints:
Listen on port Displays the default port for the FortiClient EMS server
for Chromebooks. You can change the port by typing a
new port number. The FortiClient Web Filter extension
on Chromebooks connects to FortiClient EMS using
the specified port number.
User inactivity timeout Enter the number of hours of inactivity after which to
timeout the user.
Profile update interval Specify the profile update interval (in seconds).
Chromebook certificate Displays the SSL certificate currently used for the
Chromebook daemon. If desired, you can select
another certificate from the dropdown list. See EMS
Server Certificates on page 486.
Update service account Update the service account with new credentials.
Reset service account In the event your service account is broken, you can revert to the default service account by clicking the Reset button. You must Save the settings for the change to take effect.
FortiClient telemetry connection key Add the FortiClient Telemetry connection key for FortiClient EMS. FortiClient must provide this key during connection. The key cannot contain a semicolon (;).
You can generate a QR code for the specified key. See Generating a QR code
for centrally managing FortiClient (Android) and (iOS) endpoints on page 477.
Keep alive interval Each connected FortiClient endpoint sends a short KA message to FortiClient
EMS, reports client-side changes, and checks for configuration changes on
EMS at the specified interval. A large number of endpoints frequently
connecting to the EMS server can affect server and network performance. In
this case, increasing the KA interval is recommended.
Offline timeout Configure the number of KA intervals after which EMS considers the endpoint
to be offline.
Tag timeout Configure the number of minutes, counted from when EMS considers an endpoint to be offline (as configured in the Offline timeout field), after which EMS removes tags from the endpoint.
EMS license timeout Configure the number of days after the endpoint has not contacted EMS that
EMS removes that endpoint's registration record from EMS.
FortiClient license timeout Configure the number of days after the endpoint has not contacted EMS that
EMS removes the license from FortiClient. This setting only applies for
endpoints running FortiClient 6.4.
Delete timeout Configure the number of days after which EMS deletes a deregistered
endpoint. For example, if you configure this value to be 45 days, EMS deletes
the endpoint 45 days after its deregistration.
Deauthorized user inactivity timeout Enable and configure the number of days after which EMS deletes FortiClient user records for unauthorized users.
Stale verified user cleanup timeout Enable and configure the number of days after which EMS deletes FortiClient user records associated with a single device user for unauthorized users. You can click Delete now to delete the records immediately.
Automatically upload avatars FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and
FortiClient EMS servers it is connected to.
Enable endpoint snapshot reports Enable endpoint snapshot reports and enter the interval at which to take reports in seconds. The interval must be between 300 and 86400 seconds.
7. Enable Manage Multiple Customer Sites. This enables multitenancy for EMS.
8. Configure the following options under EMS FSSO Settings. These settings add SSL encryption to the Fortinet single
sign on protocol between EMS and FortiOS.
SSL certificate Displays the SSL certificate currently imported. If you have already uploaded
an SSL certificate, a Replace button displays.
9. Click Save.
You can create a QR code to distribute to FortiClient (Android) and (iOS) users. FortiClient (Android) and (iOS) users
can scan the QR code from their device to automatically enable FortiTelemetry and attempt connection to the specified
FortiClient EMS.
QR codes can contain the FortiClient telemetry connection key if desired.
l To generate the QR code with a connection key, ensure that the FortiClient telemetry connection key field is
Persistent connection
When Use persistent connections is enabled, FortiClient creates a persistent connection with EMS. It does not tear down
and renegotiate the TLS connection at every keepalive interval.
This feature requires FortiClient 7.2.1 and EMS 7.2.1. If either FortiClient or EMS is on a version older than 7.2.1,
FortiClient and EMS establish a non-persistent connection.
As an enhancement to security posture tag sharing in the Fortinet Security Fabric connection between EMS and
FortiOS, EMS also sends security posture tags to FortiClient in JSON web token (JWT) format. You can install JWTs on
endpoints. A browser on an endpoint can use JWTs to share endpoint identity and tags with FortiOS directly. This
feature makes security posture tag sharing more resilient, resulting in a more fault-tolerant zero trust network access
(ZTNA) connection between the endpoint and ZTNA server. This feature makes it possible for endpoints to access
remote resources via the ZTNA server in the event of EMS, FortiClient, and FortiOS network loss or connection
interruption.
Prior to the addition of JWT support, in the event of connection loss between FortiClient and EMS or a Fabric connection
issue between EMS and FortiOS, legitimate endpoints could not access remote resources via a ZTNA server.
This feature has the following limitations:
i. Configure tags and tagging rules as desired. The JWT and FortiGate ZTNA server use these tags to allow
traffic to remote resources if the ZTNA policy matches with the tags. For example, you could create a security
posture tagging rule that tags endpoints as win10 if they have Windows 10 installed.
2. In FortiOS, go to Policy & Objects > Proxy Policy.
3. Create a new policy or edit an existing one.
4. For Type, select ZTNA.
5. Under Security Posture Tag, select the tags that you configured in EMS.
6. Configure other fields as desired, then click OK.
7. After FortiClient receives the profile changes from EMS, in FortiClient, go to the ZTNA Destination tab to view the
ZTNA destination received from EMS.
8. To ensure EMS successfully pushed the generated JWT to FortiClient, in Registry Editor, view
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ESNAC\ztna_token.
9. To verify that FortiClient maintains ZTNA connection with the ZTNA server to access remote resources in the event
of EMS network connection loss or Fabric connection interruption, disable EMS interfaces to simulate the network
connection loss. Confirm that FortiClient can still access a remote resource via the ZTNA server, for example an
SSH server that runs in a different subnet.
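As an added check that is not part of this guide, the following Python script reads the ztna_token value from the registry path in step 8 (on Windows) and decodes the JWT header and payload without verifying the signature, reporting whether the token is well-formed and whether its standard exp claim is still in the future. The registry value type and the constructed sample token used when the value is absent are assumptions; the claim names EMS places in the token are not documented here, so only the standard exp/nbf claims are interpreted.

```python
"""Inspect the ZTNA JWT that EMS pushed to FortiClient (added example, not Fortinet code).

On Windows the token is read from HKLM\SOFTWARE\Fortinet\FortiClient\FA_ESNAC\ztna_token
(path from the guide). The value type is assumed to be a string or raw bytes.
The signature is NOT verified here: this only confirms that the token is present,
well-formed and not yet expired, which is what you want to know after step 8.
"""
import base64
import json
import time
from typing import Optional

REG_KEY = r"SOFTWARE\Fortinet\FortiClient\FA_ESNAC"
REG_VALUE = "ztna_token"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment = segment.strip()
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and raw signature (no verification)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": b64url_decode(parts[2])}


def token_status(token: str, now: Optional[float] = None) -> dict:
    """Report whether the token parses and, from exp/nbf, whether it is currently valid."""
    now = time.time() if now is None else now
    try:
        decoded = decode_jwt(token)
    except ValueError as exc:  # bad base64, bad JSON and bad UTF-8 are all ValueError
        return {"present": True, "well_formed": False, "error": str(exc)}
    payload = decoded["payload"]
    exp = payload.get("exp")
    nbf = payload.get("nbf")
    return {
        "present": True,
        "well_formed": True,
        "alg": decoded["header"].get("alg"),
        "claims": sorted(payload),
        "expired": exp is not None and now >= exp,
        "not_yet_valid": nbf is not None and now < nbf,
        "seconds_left": None if exp is None else int(exp - now),
    }


def read_token_from_registry() -> Optional[str]:
    """Windows only: return the ztna_token value, or None if the key or value is missing."""
    try:
        import winreg  # only exists on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, REG_VALUE)
    except FileNotFoundError:
        return None
    if isinstance(value, bytes):  # assumption: REG_BINARY holds UTF-8 text
        value = value.decode("utf-8", errors="replace").rstrip("\x00")
    return str(value)


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample token (alg 'none') so the script can run offline."""
    header = {"alg": "none", "typ": "JWT"}
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}."


if __name__ == "__main__":
    token = read_token_from_registry()
    if token is None:
        print("ztna_token not found (or not on Windows); using a constructed sample token")
        token = make_sample_token({"iat": int(time.time()), "exp": int(time.time()) + 3600})
    print(json.dumps(token_status(token), indent=2))
```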
You can specify what level of log messages to capture in the logs for FortiClient EMS. You can also specify when to
automatically delete logs and alerts.
Log level: Select the level of messages to include in FortiClient EMS logs. For example, if you select Info, all log messages from Info to Emergency are added to the FortiClient EMS logs.
Automatically clear logs older than: Enter the number of days that you want to store logs. For example, if you enter 30, EMS stores logs for 30 days. EMS automatically deletes any logs older than 30 days.
Automatically clear alerts older than: Enter the number of days that you want to keep alerts. For example, if you enter 30, EMS keeps alerts for 30 days. EMS automatically deletes any alerts older than 30 days.
Automatically clear events older than: Enter the number of days that you want to keep events. For example, if you enter 30, EMS keeps events for 30 days. EMS automatically deletes any events older than 30 days.
Automatically clear Chromebook events older than: Enter the number of days that you want to keep Chromebook events. For example, if you enter 30, EMS keeps Chromebook events for 30 days. EMS automatically deletes any Chromebook events older than 30 days.
Clear all now: Click to immediately delete all FortiClient EMS logs or alerts.
external server.
l FortiAnalyzer: configure a FortiAnalyzer for FortiClient EMS to send
3. Click Save.
EMS can send server logs to FortiAnalyzer for reporting and investigation. For audit purposes, you should log all admin
activity.
1. Authorize the EMS in FortiAnalyzer to allow FortiAnalyzer to receive logs from the EMS instance:
a. In FortiAnalyzer, go to Device Manager.
b. Click Add Device.
c. In the Add Device dialog, in the Serial Number field, enter the EMS serial number. FortiAnalyzer automatically
recognizes that the device is an EMS instance from the serial number.
d. Configure other fields as desired, then click Next.
EMS is added as an authorized device and FortiAnalyzer is ready to receive its logs.
FortiClient relies on several signature databases to identify and stop malware. Keeping these databases up to date is
imperative so that endpoints remain protected from new threats as they are identified.
In some situations, FortiClient may fail to update these signatures. In these situations, you must be able to readily
identify these endpoints so corrective action can be taken.
EMS can detect when an endpoint is out-of-date by downloading a list of the current versions for signatures and engines
and comparing that to the versions reported from FortiClient status updates. EMS can also send an email when this
happens. See Configuring Endpoint Alerts on page 490.
You can verify if EMS has up-to-date signatures by going to System Settings > FortiGuard Services > View Signature
List, and comparing that to FortiGuard.com > Services > Service of interest, such as AV.
FortiGuard
Server Location: Configure the FortiGuard server location to Global, US, or Europe. Europe is only available if you have selected the Enable SSL checkbox.
Port: Enter the desired port number to communicate with the FortiGuard server.
Enable SSL: Enable SSL to connect to FortiGuard using HTTPS, or disable SSL to connect using HTTP. HTTPS must be enabled to use the FortiGuard Europe server.
Use FortiManager for client software/signature updates: Turn on to use FortiManager for updating FortiClient software or signatures. You must specify the IP address or hostname for FortiManager as well as the port number.
FortiCloud
Time Offset: Select the FortiCloud time offset from the dropdown list.
5. Click Save.
You can view and manage certificates from EMS Server Certificates.
Type: Description
Default: EMS uses this certificate when there are no other available certificates. You cannot delete this certificate. Using the other certificate types is recommended. When other certificates are present, you cannot select the default certificate for use.
Uploaded: User-uploaded certificates. You can upload certificates in PEM, DER, or PKCS12 format. See Adding an SSL certificate to FortiClient EMS on page 488.
ACME: The public Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME), as defined in RFC 8555, to provide free SSL server certificates. You can configure FortiClient EMS to use certificates that Let's Encrypt manages and other certificate management services that use the ACME protocol. See Adding an SSL certificate to FortiClient EMS on page 488.
FortiCare: When you apply or renew a license on EMS, EMS retrieves FortiCare-generated certificates with the license information. These certificates are named FCTEMS<serial number>.1.cert and FCTEMS<serial number>.2.cert. While browsers normally do not trust these certificates, they are preferred over the default certificate. In the case that only these certificates and the default certificate are available, EMS uses these certificates, with a preference for .1.cert over .2.cert. You cannot delete these certificates.
EMS uses certificates for the following services. If EMS is currently using a certificate for a certain service, EMS Server
Certificates displays this information in the Assigned To column:
Web server certificate: Used by the Apache service and the Notify (websockets) daemon. This certificate must be trusted by any browser connecting to EMS. You can configure the certificate for this service in System Settings > EMS Settings > Shared Settings. See Configuring EMS settings on page 472. Ports: Apache service 443 (GUI); Notify (websockets) daemon 8015.
You can delete certificates from EMS Server Certificates. If an ACME certificate is eligible for renewal (within 30 days of
expiry), you can also select the certificate to renew it.
The following procedures describe how to configure an ACME certificate or manually upload a certificate to EMS. The
other certificate types do not require user upload or configuration.
Alerts
You can set up an SMTP server to enable alerts for FortiClient EMS or endpoint events. When an alert is triggered, EMS
sends an email notification.
Version Alerts
New EMS version is available for deployment: New FortiClient EMS version is available.
New FortiClient version is available for deployment: New FortiClient version is available for deployment.
FortiClient Alerts
EMS license is expired or about to expire: Expiring or expired FortiClient EMS license.
EMS fails to sync with LDAP domains: FortiClient EMS does not sync with LDAP domains.
Less than 10% of client licenses are left: Be notified when there are less than 10% of client licenses left.
Client licenses have run out: Be notified when you run out of client licenses.
Server certificate expiring: Be notified when the server certificate is close to expiry.
EMS license for Chromebooks is expired or about to expire: Expiring or expired FortiClient EMS license for Chromebooks.
Less than 10% of the client licenses for Chromebooks are left: Be notified when there are less than 10% of client licenses left for Chromebooks.
Client licenses for Chromebooks have run out: Be notified when you run out of client licenses for Chromebooks.
3. Click Save. If you have not already set up an SMTP server, the GUI automatically prompts you to configure SMTP
server settings. See Configuring SMTP Server settings on page 490.
You can set up an SMTP server to enable alerts for EMS and endpoint events. When an alert is triggered, EMS sends an
email notification to the configured email address(es).
Option: Description
Server: Enter the SMTP server IP address or fully qualified domain name.
Security: Select None, STARTTLS, or SMTPS for the security type, or select the Auto Detect button to automatically select the security type. If STARTTLS or SMTPS is selected, the Username and Password fields become available.
Email Size: EMS detects the maximum email size from the configured SMTP server and sets it as the default value. Otherwise, EMS sets the default value to 10 MB.
Recipients: Enter email address(es) to send alerts to. Press Enter to add more email addresses.
Send Test Email: Click the button to test the configured email settings.
3. Click Save.
To confirm that the EMS server can verify the SMTP server certificate:
When using STARTTLS or SMTPS, the SMTP server presents a certificate to prove its identity. If the server hosting
EMS does not have the corresponding CA in its certificate store, EMS cannot trust the SMTP server certificate and the
connection fails to establish.
You can verify this using tools on the server hosting EMS to establish a secure connection to the SMTP server. Using
openssl as an example, you can run the following from the Windows command line:
openssl s_client -starttls smtp -crlf -connect <smtp_url:port>
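The same check from Python, as an added example that is not part of this guide: it opens the SMTP connection with STARTTLS or SMTPS, verifies the server certificate against the host's CA store (plus an optional extra CA file) with hostname checking on, and reports the verification failure reason so you can see whether the missing piece is the CA or the name on the certificate. It also parses the "Verify return code" line from the openssl s_client output above. The SMTP host, port and CA file are assumptions you supply.

```python
"""Verify that the EMS host trusts the SMTP server certificate (added example, not Fortinet code).

STARTTLS (typically port 587) and SMTPS (typically port 465) are both supported.
A strict client context is used so that a missing CA in the local store, or a
certificate issued to a different name, fails exactly as it would for EMS.
"""
import re
import smtplib
import ssl
from typing import Optional


def build_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context: require a trusted chain AND a matching hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def check_smtp_tls(host: str, port: int = 587, mode: str = "starttls",
                   cafile: Optional[str] = None, timeout: float = 10.0) -> dict:
    """Connect like EMS would and report whether the server certificate verifies."""
    if mode not in ("starttls", "smtps"):
        raise ValueError("mode must be 'starttls' or 'smtps'")
    ctx = build_context(cafile)
    try:
        if mode == "smtps":
            with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
                smtp.ehlo()
                cert = smtp.sock.getpeercert()
        else:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                smtp.starttls(context=ctx)  # raises if the chain or hostname check fails
                smtp.ehlo()
                cert = smtp.sock.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain could not be built from the local CA store, or the name did not match.
        return {"ok": False, "stage": "verify", "reason": exc.verify_message}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "stage": "connect", "reason": str(exc)}
    return {"ok": True, "stage": "verified",
            "subject": cert.get("subject"), "issuer": cert.get("issuer"),
            "not_after": cert.get("notAfter")}


_VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")


def parse_openssl_verify(output: str) -> Optional[tuple]:
    """Extract (code, text) from openssl s_client output; code 0 means the chain verified."""
    match = _VERIFY_RE.search(output)
    if not match:
        return None
    return int(match.group(1)), match.group(2).strip()


def explain_openssl(output: str) -> str:
    parsed = parse_openssl_verify(output)
    if parsed is None:
        return "no verify result found in openssl output"
    code, text = parsed
    return "trusted" if code == 0 else f"not trusted: {text} (code {code})"


if __name__ == "__main__":
    # Hostname and port below are placeholders; replace with your SMTP server.
    print(check_smtp_tls("smtp.example.invalid", 587, mode="starttls", timeout=5))
```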
You can view alerts that FortiClient EMS generates. Examples of events that generate an alert include:
l A new version of FortiClient is available.
l FortiClient deployment failed.
l Failed to check for signature updates.
l Error encountered when downloading Active Directory server entries.
l Error encountered when scanning for local computers.
A red label is associated with the Alert icon when new notifications are available or received. EMS clears the label when
you view the alert.
1. Click the Alert icon (a bell) in the toolbar.
2. Click the Filter icon in each column heading to apply filters.
3. Click Clear Filters to remove the filters.
Custom Messages
You can customize messages that display on endpoints in certain situations, such as if EMS has quarantined the
endpoint. For example, you can customize the message to include your organization's help desk phone number so that
users can contact the network administration about their machine.
You can customize the message that displays on an endpoint when FortiClient EMS has quarantined it.
You can customize the messages that display in the in-browser Web Filter result pages on an endpoint:
l Blocked page
l Warning page
Some customization fields apply to all messages, while others apply to only specific messages. This is indicated
beside the field name.
3. In the left pane, enable/disable the fields and enter the desired messages. You can also upload images for logo and
icon fields. The right pane displays previews of the messages.
4. Click Save.
In Feature Select, you can choose which features to show and hide in EMS. Only features that are enabled in Feature
Select are available for configuration in other areas of EMS. For example, disabling Web and Video Filtering in Feature
Select results in the following:
l Endpoint profiles:
l The Web and Video Filter profiles are unavailable for configuration.
l The options to enable Web and Video Filter logs on System Settings profiles are unavailable.
l If you enable Web Filter in a deployment package, the deployment package installs Web Filter on the endpoint.
However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.
l The Web Filter Detection widget is unavailable on the Status dashboard.
l Importing a profile from FortiGate/FortiManager is unavailable.
Only an EMS superadministrator can enable and disable features in Feature Select. Other EMS users can view which
features are enabled and disabled in Feature Select, but cannot modify the configuration.
If an endpoint previously had a feature enabled, but you later disable the feature in Feature Select, EMS then disables
the feature on the endpoint.
The following table provides details on features that you must enable for certain functionalities to be available in
FortiClient. You must enable the feature in Feature Select, then configure on the applicable endpoint profile for the
functionality to be available in FortiClient. This table is not exhaustive:
Only features that FortiClient EMS is licensed for are available for enablement in Feature Select. For example, if you
have only applied the zero trust network access license, you cannot enable Firewall. See Windows, macOS, and Linux
licenses on page 23 for details on which features each license type includes.
You cannot disable Web Filter if you have enabled the Chromebook feature in Feature Select.
3. Click Save. The Web Filter tab is not available for configuration in an endpoint profile. The Import from
FortiGate/FortiManager option under Endpoint Profiles in the left pane is also not available.
When creating a deployment package, a warning displays beside Web Filtering that the feature is disabled. You
cannot create a deployment package that installs the Web Filter feature on endpoints while Web Filter is disabled in
Feature Select.
You can configure integration with a mobile device management (MDM) platform, such as VMware Workspace ONE.
The following table provides descriptions for options that are common to all supported MDM platforms:
Option: Description
Vendor: Select the desired MDM platform. This feature supports the following:
l VMware Workspace ONE
l Microsoft Intune
l Jamf
Test Connection: After configuring other fields as the following tables describe, verify that EMS can communicate with the MDM platform.
Workspace ONE
Option: Description
Site URL: Enter your site URL. Workspace ONE is a software-as-a-service deployment and each enterprise has a unique URL. The URL format is https://<unique identifier>.awmdm.com/api.
Smart Group Name: Enter the name of the Workspace ONE assignment group that contains the mobile devices to issue zero trust network access certificates to.
Authorization Type: Select Basic Auth, Certificate, or OAuth 2.0 for the authorization between EMS and Workspace ONE. The on-premise version of Workspace ONE does not support OAuth. When using OAuth, ensure that you are using the SaaS version of Workspace ONE.
API Key: Available if you selected Basic Auth or Certificate for the authorization type. Enter the API key value from Workspace ONE.
Username: Available if you selected Basic Auth for the authorization type. Enter the Workspace ONE username.
Certificate: Available if you selected Certificate for the authorization type. Upload the certificate that you exported from Workspace ONE. You must create an admin user with certificate authentication and the Console Administrator role in Workspace ONE, and then export the certificate.
Password: Available if you selected Basic Auth or Certificate for the authorization type. Enter the Workspace ONE password.
Region: Available if you selected OAuth 2.0 for the authorization type. Select your assigned geographic region. For redundancy, VMware has set up multiple servers to generate OAuth tokens.
Client ID: Available if you selected OAuth 2.0 for the authorization type. Enter the client ID from the Workspace ONE portal.
Client Secret: Available if you selected OAuth 2.0 for the authorization type. Enter the client secret from the Workspace ONE portal.
Microsoft Intune
Option: Description
Authorization Type: Select Client Secret or Certificate for the authorization between EMS and Intune.
Certificate: Available if you selected Certificate for the authorization type. Upload the certificate from Intune.
Jamf
Option: Description
Site Name: This field is optional. Enter the Jamf site name.
FortiClient (Android) and (iOS) 7.2.2 and later versions support zero trust network access (ZTNA) to create a secure
connection via HTTPS. You can use the following mobile device management (MDM) platforms to deploy
Workspace ONE
iOS
Jamf
FortiClient (Android) and (iOS) do not support ZTNA for TCP forwarding.
See the following:
l Mobile
l Provisioning ZTNA certificates to FortiClient (iOS) using Jamf
l Provisioning ZTNA certificates to FortiClient (iOS) using Workspace ONE
With EMS multitenancy, you can create multiple sites to provide granular access to different sites for different
administrators and separate endpoint data and configuration into different sites. The sites are completely separate from
each other and cannot share data between them. For example, if an administrator only has access to Site A, they cannot
view data from any other site. EMS supports up to 20 multitenancy sites.
The following sections detail how to enable multitenancy and multitenancy-specific settings.
When you enable multitenancy, Fortinet Security Fabric connectors must use an FQDN to connect to EMS, where the
FQDN hostname matches a site name in EMS (including "Default"). The following are examples of FQDNs to provide
when configuring the connector to connect to the default site and to a site named SiteA, respectively:
default.ems.yourcompany.com, sitea.ems.yourcompany.com.
To configure multitenancy:
4. Select Configure Sites from the site selection list. You can also go to Administration > Configure Sites. This page
displays all sites and their license usage.
5. Click Add.
6. In the Add FortiClient EMS Site dialog, enter the desired site name. You must use only ASCII characters in site
names.
7. Select the checkboxes to assign the desired number of licenses to this site. The dialog displays how many licenses
are available for assignment. Click Save. The newly created site appears in the FortiClient Sites list. You can go to
the site using the site selection list in the upper right corner.
When you enable multitenancy, you can configure some settings only from the global level, and other settings only from
the site level. You cannot view site-level settings from the global site. For setting descriptions, see the relevant section in
this document.
Global configuration
The following lists settings you must configure from the global site:
l System Settings > EMS Settings:
l Shared Settings:
l Hostname
l Listen on IP
l Use FQDN
l SSL certificate
l EMS Settings:
l Listen on port
l Enable login banner. This login banner only shows when you sign in to the global site.
l Listen on port
l SSL certificate
l Service account
l Administrators with multisite access. See Adding a multitenancy administrator on page 506.
l Database backup and restoration
l (On-premise EMS-only) License management: You must license EMS from the global site. You can then assign the
licenses to other sites. For example, consider that you have three other sites: Sites A, B, and C. If you then activate
500 ZTNA licenses on the global site, you could assign 200 ZTNA licenses to Site A, 150 to Site B, and 150 Site C.
See Editing a site on page 505.
l EMS Alerts
l SMTP Server
On the global site Dashboard, you can only view the System and License Information widgets. The other widgets, which
display endpoint information, are available at the site level.
The following lists settings you must configure separately for each site:
l EMS Settings:
l Enable login banner. This login banner only shows when you sign in to the current specified site.
l Endpoints Settings
The left navigation pane displays content in the right pane. The following describes the left pane for the global site when
multitenancy is enabled:
Option: Description
Dashboard
Administration
User Settings: Configure the inactivity timeout and other user settings.
Log Viewer: View log messages generated by FortiClient EMS and download raw logs.
System Settings
EMS Settings: Change the IP address and port and configure other EMS settings for FortiClient EMS, including enabling Chromebook management.
Log Settings: Specify what level of log messages to capture in FortiClient EMS logs and when to automatically delete logs and alerts.
The following describes the left pane at the site level when multitenancy is enabled. For all options at the site-level, you
can only view and manage endpoints and settings for the current selected site:
Option: Description
Dashboard
Vulnerability Scan: Displays the Current Vulnerabilities Summary chart that provides a centralized vulnerability summary for all managed endpoints. You can observe high-risk hosts and critical vulnerabilities existing on endpoints. You can also access links on how to fix or repair the vulnerabilities.
Endpoints
Group Assignment Rules: Configure rules to automatically place endpoints into custom groups based on their installer ID, IP address, or OS.
Google Domains: Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Domains: Manage users from specific Google domains. You can also add a Google domain if none exist.
Manage Policies: Create endpoint policies and manage policy updates for Windows, macOS, and Linux endpoints.
Chromebook Policy: Create endpoint policies and manage policy updates for Chromebook endpoints. Only available if the EMS for Chromebooks Settings option is enabled in System Settings > EMS Settings.
Endpoint Profiles
Manage Profiles: Create profiles and manage profile updates for all profiles.
Software Inventory
Quarantine Management
Allowlist: View and delete allowlisted files from the Allowlist pane.
Administration
Admin Roles: Add and manage FortiClient EMS admin roles and permissions.
Log Viewer: View log messages generated by FortiClient EMS and download raw logs.
System Settings
EMS Settings: Change the IP address and port and configure other EMS settings for FortiClient EMS, including enabling Chromebook management.
Log Settings: Specify what level of log messages to capture in FortiClient EMS logs and when to automatically delete logs and alerts.
Custom Messages: Customize the message that displays on an endpoint when it has been quarantined by FortiClient EMS.
Editing a site
To edit a site:
Super administrator: Full access to the global site and all other sites. Can access all configuration options on all sites, including the global site. The built-in admin account is a super administrator and cannot be configured as another administrator role.
Settings administrator: Access to the global site only. Can access all configuration options on the global site, except for administrator configuration.
Site administrator: Access to specified sites only, with no access to the global site. A site administrator can have access to multiple sites. By default, a site administrator is a super administrator for all sites that they have access to. A site administrator can configure the site license and system settings, including server, FortiGuard, login banner, alerts, and SMTP server settings. You can modify the site administrator's available configuration options for a site by assigning them a different admin role for that site after you log in to the site. See Admin roles on page 420.
The SiteA Administration > Administrators page shows that AlecB is a super administrator for this site. This means that
AlecB has complete access to all EMS permissions within SiteA, as described in Admin roles on page 420.
The SiteB Administration > Administrators page shows that AlecB is a read-only administrator for this site. This means
that AlecB has only read-only access to endpoint, policy, and settings permissions within SiteB, as described in Admin
roles on page 420.
If you had configured a SAML SSO administrator prior to enabling multitenancy, enabling
multitenancy causes this administrator to become a global superadministrator. You can
configure a different role for this administrator. You can only have one
SAML SSO administrator for the entire EMS server.
If you logged in as a site administrator, the EMS GUI displays the dashboard for the first site that you have access to
in the dropdown list. The site selection list displays sites that you have access to in alphabetical order.
The FortiGate to EMS Fortinet Security Fabric connection in a high availability (HA) environment has the following
limitations:
l If round robin is enabled on the DNS server, FortiOS may reach a secondary EMS node during Fabric connection,
resulting in Fabric connection failing.
l If there is a Fabric connection that is already configured, after EMS failover, the connector disconnects, since
DNS still resolves to the primary EMS node.
For EMS HA failover to function correctly with FortiOS Fabric connectors, you can use a FortiGate as a load balancer
(LB). This effectively brokers the data routing to the correct EMS based on availability.
To demonstrate this configuration, the example EMS HA environment uses the following components:
l Two EMS nodes configured in an HA environment
l FortiGate acting as the LB
l FortiGate acting as the gateway
l Endpoint running FortiClient
1. On the FortiGate acting as the LB, configure the secondary IP address for port4. FortiOS uses this secondary IP
address as a virtual IP address to connect with EMS. In this case, the virtual server IP address is 172.16.16.102.
2. Go to Policy & Objects > Health Check.
3. Click Create New.
4. For Type, select TCP.
5. In the Port field, enter 8013.
6. Configure other fields as desired.
7. Create virtual servers:
a. Go to Policy & Objects.
b. Create a virtual server.
c. In the Virtual Server IP field, enter the secondary IP address that you configured in step 1. In this example, it is
172.16.16.102.
d. In the Virtual Server Port field, enter 8013.
e. For Load Balancing method, select First Alive.
f. For Health check, select the monitor that you configured.
g. Configure real servers:
i. On the Real Servers tab, select Create New.
ii. In the IPv4 address field, enter the primary EMS node IP address. In this example, it is 192.168.0.4.
iii. In the Port field, enter 8013.
iv. In the Max connections field, enter 0.
v. For Mode, select Active.
vi. Repeat these steps for the secondary EMS node. Click Save.
h. Repeat steps a-g to create three additional virtual servers. The additional servers use ports 443, 8015, and
10443, but otherwise have identical settings to the first virtual server created. If you have enabled Chromebook
management, create a virtual server for port 8443. Similarly, if you require importing an ACME certificate,
create a virtual server for port 80.
8. Create a security policy that includes the LB virtual server as a destination address:
a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Configure the Incoming Interface and Outgoing Interface fields. The outgoing interface connects to the primary
EMS node.
d. For Source, select all.
e. In the Destination field, select ports 10443, 443, 8013, and 8015.
f. For Service, select ALL.
g. For Inspection Mode, select Proxy-based.
h. Save the policy.
i. If the EMS nodes are in different subnets, repeat these steps to configure a policy for the secondary EMS node.
In this example, the nodes are in the same subnet, so you do not need to add a separate policy for the
secondary EMS.
The FortiGate LB monitors the EMS nodes' statuses and forwards traffic to the active EMS node for ports 8013, 8015,
443, and 10443.
You can create a support package to provide to the Fortinet technical support team for troubleshooting. Creating a
support package backs up your database but clears all sensitive username and password fields.
You can simply and efficiently move configurations, data, and endpoint connections between EMS instances without
disrupting FortiClient endpoint functionality. This document describes migrating one EMS on-premise environment to
another. This migration requires the following:
l The EMS version in both environments is 6.4.3 GA or newer.
l FortiClient endpoints on all supported platforms (Windows, macOS, Linux, Android, and iOS) are connected before,
during, and after migration.
l You have fully configured EMS and generated data such as logs and events before starting the migration.
l Licensing on the two EMS instances is similar, if not the same, in terms of the number of seats, entitlement, license
types, and duration.
This guide only provides instructions for migrating one EMS on-premise environment to another. Migrating an on-
premise EMS environment to FortiClient Cloud requires a Best Practice Service (BPS) license. Contact the BPS team for
details.
This guide refers to the EMS instance that you are migrating from as "EMS A". It refers to the EMS instance that you are
migrating to as "EMS B".
d. In the dialog, enter the EMS B FQDN or IP address, and if required, the site name and connection key. Once
the migration begins, the Connections column on the Endpoints pane in EMS B for the selected endpoints
displays as Migrating. Events may not display immediately on the Endpoints pane in EMS B, but are present in
the database. Endpoints that are offline when you apply the Choose a Different IP action migrate when they
reconnect to EMS A.
e. Shut down EMS A.
f. For any remaining endpoints that have not been migrated, manually connect them to EMS B by entering the
EMS B IP address on the Zero Trust Telemetry tab. See Connecting FortiClient Telemetry after installation.
g. Monitor EMS B services and system performance to ensure stability.
Limitations
l Chromebook: The migration does not support migration for Chromebook endpoints.
The FortiClient EMS API allows you to perform configuration operations on EMS. You can view the API documentation
on the FortiAPI tab on FNDN.
Critical severity
Service: Description
apache2: Serves the EMS administration console and the APIs that FortiOS uses to get endpoint and posture information.
fcems_das: Allows most processes to access and cache endpoint-related data. When this service is down, processing requests from endpoints results in errors.
fcems_ecsocksrv: Receives connections from endpoints and routes their requests to other processes within EMS. If this process is down, endpoints cannot communicate with EMS.
fcems_ka: Processes heartbeat requests from endpoints and pushes profile changes and commands to be executed on the endpoints (vulnerability scan, AV scan, and so on).
fcems_monitor: Ensures EMS services are running and restarts ones that are down. It can also restart running services when it detects that settings affecting those services have changed, to ensure they use the latest settings.
fcems_notify: Notifies FortiOS when there are important changes in the endpoints.
fcems_pgbouncer: Database connection pooler. All EMS processes except apache2 connect to the database through this service.
fcems_probe: Handles probe requests, which are tests that endpoints perform to ensure they are talking to a supported EMS. When this service is down, new endpoints cannot connect to EMS and existing endpoints cannot reconnect.
fcems_tag: Processes network change requests from endpoints. When this service is down, network changes that affect an endpoint's posture may take longer for EMS to detect and report to FortiOS.
fcems_ztna: Provides some APIs that FortiOS consumes to get information on endpoints and posture.
Medium severity
Service Description
fcems_adconnector Connects and pulls data from Active Directory (AD) or Microsoft Entra ID to add to
EMS.
fcems_addaemon Parses AD information and links it to existing endpoints or adds new devices,
groups, and users pulled from those directories to EMS.
fcems_sip Processes software inventory lists that endpoints uploads and checks for
potentially unwanted applications.
fcems_task Performs schedule tasks for license maintenance, such as removing seats from
endpoints that have not connected to EMS in a long time, and other functions,
such as revoking expired zero trust network access (ZTNA) certificates.
fcems_update Downloads updates from FortiGuard distribution servers (FDS) and other Fortinet
systems. This includes FortiClient installer lists and vulnerability and signature
information.
fcems_upload Processes data uploads from endpoints. Uploads can be any of the following:
l Endpoint logs
l Endpoint diagnostics
l Software inventory
l Alerts:
l Web Filter
l Antivirus
l Firewall
l Vulnerability Scan results
redis Used by most other services for caching and inter-process communication.
Low severity
Service Description
fcems_adevtsrv If syncing AD to EMS using a remote connector, this process parses the
connector's requests.
fcems_forensics Integrates with the Forensics platform to pull updates from Forensics tickets
associated with any of the endpoints under management.
Service Description
fcems_ftntdbimporter Decodes and imports signature and vulnerability databases downloaded from
FDS.
fcems_installer Interfaces with the FortiCloud repackaging services to generate installers with the
EMS configuration.
fcems_scep Serves ZTNA certificates for mobile endpoints that MDM platforms manage.
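A health check over the service tiers above, as an added example (not Fortinet's own tooling): it assumes the service names in the tables are the systemd unit names on a Linux EMS host (an assumption), ranks whatever is not active by the severity tiers, and separately flags the case where fcems_monitor itself is down, since then no service is restarted automatically.

```python
import subprocess
# Severity tiers as listed in the service tables above; RANK doubles as the exit code.
CRITICAL = ["apache2", "fcems_das", "fcems_ecsocksrv", "fcems_ka", "fcems_monitor",
            "fcems_notify", "fcems_pgbouncer", "fcems_probe", "fcems_tag", "fcems_ztna"]
MEDIUM = ["fcems_adconnector", "fcems_addaemon", "fcems_sip", "fcems_task",
          "fcems_update", "fcems_upload", "redis"]
LOW = ["fcems_adevtsrv", "fcems_forensics", "fcems_ftntdbimporter",
       "fcems_installer", "fcems_scep"]
SEVERITY = {**{u: "critical" for u in CRITICAL}, **{u: "medium" for u in MEDIUM},
            **{u: "low" for u in LOW}}
RANK = {"critical": 2, "medium": 1, "low": 0}
# Constructed sample of `systemctl list-units` output, not captured from a real host.
SAMPLE = """\
fcems_monitor.service  loaded active   running FortiClient EMS monitor
fcems_probe.service    loaded failed   failed  FortiClient EMS probe
fcems_upload.service   loaded inactive dead    FortiClient EMS upload
"""

def parse_units(text):
    """Parse 'systemctl list-units --type=service --all --plain --no-legend' output
    (columns: UNIT LOAD ACTIVE SUB DESCRIPTION) into {unit name: ACTIVE state}."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].endswith(".service"):
            states[parts[0][:-len(".service")]] = parts[2]
    return states

def assess(states):
    """Return (exit_code, findings, self_heal): 2 if a critical-tier service is not
    active, 1 for medium, 0 otherwise. An unlisted unit is reported as 'missing'."""
    findings = [(SEVERITY[u], u, states.get(u, "missing"))
                for u in SEVERITY if states.get(u) != "active"]
    code = max((RANK[sev] for sev, _, _ in findings), default=0)
    # fcems_monitor restarts the other services; if it is down nothing self-heals.
    self_heal = states.get("fcems_monitor") == "active"
    return code, sorted(findings, key=lambda f: (-RANK[f[0]], f[1])), self_heal

def main():
    out = subprocess.run(["systemctl", "list-units", "--type=service", "--all",
                          "--plain", "--no-legend"], capture_output=True, text=True).stdout
    code, findings, self_heal = assess(parse_units(out))
    for sev, unit, state in findings:
        print(f"[{sev.upper()}] {unit}: {state}")
    if not self_heal:
        print("fcems_monitor not active: down services will not restart automatically")
    return code

if __name__ == "__main__":
    raise SystemExit(main())
```

The exit code is meant for a cron job or monitoring agent: 2 pages, 1 warns, 0 is healthy even if a low-tier service is stopped.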
2024-06-04 Updated:
- Downloading the installation file on page 37
2024-06-10 Updated:
- Remote Access on page 192
- Added To configure the Azure tenant app for initiating passthrough (domain): on page 464.
2024-06-13 Updated:
- Free trial license on page 22
2024-06-14 Updated:
- Management capacity on page 29
- Hardware configuration when EMS and PostgreSQL run on different machines with no
2024-06-17 Updated:
- Installing FortiClient EMS 7.4.0 on page 37
2024-06-18 Updated:
- Migrating EMS from 7.2.4 to 7.4.0 on page 38
2024-07-09 Updated:
- Installation preparation on page 21
- Installation on page 43
2024-08-06 Updated:
- EMS installation with Postgres in Docker on page 44
2024-08-08 Updated:
- Adding the FortiClient Web Filter extension on page 88
2024-08-19 Added EMS HA installation with native Postgres HA without Docker on page 61.
2024-09-19 Updated:
- Upgrading from an earlier FortiClient EMS version on page 33
2024-09-23 Updated:
- Configuring a profile to allow or block endpoint from VPN tunnel connection based on the
2024-10-01 Updated:
- Per-machine prelogon VPN connection without user interaction on page 213
2024-10-16 Updated Relationship between FortiClient EMS, FortiGate, and FortiClient on page 14.
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.