FORTIGATE Endpoint Security

Hi Experts,

I want to implement the endpoint security from Fortigate.
But I have some errors.

When the client connects to the internet the correct ENDPOINT message pops up.
Here are two links to download the client.

When the user clicks the download link, he cannot download the client.

FortiClient Installer Download Failed


FortiGuard service is not available. Please inform your system administrator.



My FortiGuard Services are enabled and still licensed.
But why can't I download the correct client?
Eprs_Admin (System Architect) asked:

Eprs_Admin (System Architect, author) commented:
On my dashboard I have seen :

Forticlient -> unlicensed
0/10

Is this the reason why I cannot download the client ?
0
btan (Exec Consultant) commented:
You are probably running the free edition of FortiClient, whose agents do not come with licenses (only available if upgraded to the Premium edition). Maybe it is contributing to the error. See if the checks in the step below help: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33529

Also see "Setting a license key during the FortiClient MSI installation" in case you need to set it: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30793

... and also the supported client version may influence the error, as in
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36103
... sometimes you may also see "License Information on Dashboard shows 'Support Contract Registration Unreachable'", which means the FortiGuard settings are not configured fully yet: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36499

Sidetrack: this KB can still be handy to search for related FG errors
http://pub.kb.fortinet.com/index/
0
Eprs_Admin (System Architect, author) commented:
All is set and I have checked all the links from you.

I have heard 10 licenses are free and included?
0

btan (Exec Consultant) commented:
Yes the 10 is free registration. FortiGate 30 series and higher models support ten (10) free managed FortiClient licenses. For additional managed clients, a FortiClient license subscription must be purchased. The maximum number of managed clients varies per device model. The FortiClient license for FortiOS version 5.2 includes the license file required to use the FortiClient Configurator tool used to create custom FortiClient installers.

It is recommended to uninstall the conflicting antivirus software before installing FortiClient or enabling the antivirus real-time protection feature. Alternatively, you can disable the antivirus feature of the conflicting software.

It is good to check out the "FortiClient endpoint network topologies" section, as it runs through the steps in the guide.
The following FortiClient Profile topologies are supported:
• 1: Client is directly connected to FortiGate; either to a physical port, switch port or WiFi SSID.
This topology supports client registration, configuration sync, and FortiClient profile enforcement.
• 2: Client is connected to FortiGate, but is behind a router or NAT device.
This topology supports client registration and configuration sync.
• 3: Client is connected to FortiGate across a VPN connection.
This topology supports client registration, configuration sync, and FortiClient profile enforcement.

Configure the FortiGate IP address in FortiClient for registration
- The FortiClient administrative user can specify a FortiGate IP address for registration and client configuration management. When an unregistered FortiClient starts up, FortiClient will list all reachable FortiGates for endpoint control registration in the registration drop-down list. The list will include any FortiGate that sends endpoint control broadcasts. Select the registration button in the FortiClient console to list discovered FortiGates.

On your FortiGate, use the following CLI command to list all registered FortiClient endpoints:
diagnose endpoint registration list registered-forticlients
FortiClient #1 (0):
UID = BE6B76C509DB4CF3A8CB942AED200000
vdom = root
status = registered
registering time = Fri May 2 15:00:07 2014
registration expiry time = none
source IP = 172.172.172.111
source MAC = b0:ac:6f:70:e0:a0
user = user
host OS = Microsoft Windows 7 , 64-bit
restored registration = no
remote registration = yes
registration FGT = FGT60C3G11000000
Total number of licences: 10
Total number of granted licenses: 1
Total number of available licences: 9


Connect to the FortiGate using FortiClient endpoint
- The Microsoft Windows system on which FortiClient is installed should join the domain of the AD server configured earlier. Users may login with their domain user name....

Monitoring client registrations
The following FortiOS CLI command lists information about registered clients. This includes domain-related details for the client (if any).
diagnose endpoint record-list ....
status -- none: 0; uninstalled: 0; unregistered: 1; registered:0; blocked: 0
http://docs.fortinet.com/uploaded/files/1975/forticlient-admin-52.pdf
0
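To turn the output of "diagnose endpoint registration list registered-forticlients" quoted in the previous comment into something a script can act on (license headroom, endpoints that are not in the registered state, endpoints whose record says "remote registration = yes"), here is an added Python example. It is not part of this thread and not a Fortinet tool; the sample output is constructed from the single record quoted above plus a second, made-up endpoint, and the report field names are my own.

```python
import re

# Constructed sample: the record quoted in the thread plus a second,
# made-up endpoint in the 'blocked' state.
SAMPLE_OUTPUT = """\
FortiClient #1 (0):
UID = BE6B76C509DB4CF3A8CB942AED200000
vdom = root
status = registered
registering time = Fri May 2 15:00:07 2014
registration expiry time = none
source IP = 172.172.172.111
source MAC = b0:ac:6f:70:e0:a0
user = user
host OS = Microsoft Windows 7 , 64-bit
restored registration = no
remote registration = yes
registration FGT = FGT60C3G11000000
FortiClient #2 (1):
UID = 00000000000000000000000000000002
vdom = root
status = blocked
registering time = Mon May 5 09:12:44 2014
registration expiry time = none
source IP = 172.172.172.112
source MAC = b0:ac:6f:70:e0:a1
user = bob
host OS = Microsoft Windows 7 , 32-bit
restored registration = no
remote registration = no
registration FGT = FGT60C3G11000000
Total number of licences: 10
Total number of granted licenses: 2
Total number of available licences: 8
"""

HEADER_RE = re.compile(r"^FortiClient #(\d+) \((\d+)\):$")
TOTAL_RE = re.compile(r"^Total number of (.+?):\s*(\d+)$")


def parse_registration_list(text):
    """Split the diagnose output into per-client dicts and a license summary."""
    clients, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"index": int(m.group(1))}
            clients.append(current)
            continue
        m = TOTAL_RE.match(line)
        if m:
            # The output mixes 'licences' and 'licenses'; normalise the key.
            key = m.group(1).lower().replace("licences", "licenses")
            summary[key] = int(m.group(2))
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return clients, summary


def license_report(clients, summary):
    """Summarise license headroom and endpoints not in the registered state."""
    total = summary.get("licenses", 0)
    granted = summary.get("granted licenses", 0)
    available = summary.get("available licenses", 0)
    return {
        "total": total,
        "granted": granted,
        "available": available,
        "registered_hosts": sum(1 for c in clients if c.get("status") == "registered"),
        # (source IP, status) for every endpoint whose status is not 'registered'
        "non_registered": [(c.get("source IP"), c.get("status"))
                           for c in clients if c.get("status") != "registered"],
        # no licenses left to grant: new endpoints cannot register until one frees up
        "pool_exhausted": available == 0,
        "arithmetic_ok": total == granted + available,
    }


def remote_registrations(clients):
    """Source IPs of endpoints whose record shows 'remote registration = yes'."""
    return [c.get("source IP") for c in clients if c.get("remote registration") == "yes"]


if __name__ == "__main__":
    parsed_clients, parsed_summary = parse_registration_list(SAMPLE_OUTPUT)
    print(license_report(parsed_clients, parsed_summary))
    print("remote:", remote_registrations(parsed_clients))
```

Feed it the text captured from the CLI (for example via a scheduled SSH job) and alert on pool_exhausted or on a non-empty non_registered list; the parser only relies on the "key = value" lines and the "Total number of ...:" footer, so extra fields in newer FortiOS builds are kept without breaking it.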
Eprs_Admin (System Architect, author) commented:
OK, I have now tried an old FortiClient, version 4.3.5.
When I just use the recommended profile for it, then it works and the computer is compliant.

But when I try to enforce FortiAV, then the computer is not compliant.
How do I get FortiClient AV and Firewall on the client computer?
0
btan (Exec Consultant) commented:
I understand that the default client profile for Windows and Mac OS enables only AntiVirus, Web Filtering, and VPN. For a new profile, if using one, under the "FortiClient Configuration Deployment" settings for Windows, the Antivirus Protection and Application Firewall should remain enabled. Also have "Use FortiManager for client software/signature update" enabled so that outdated signatures do not put it in a state of non-compliance...

Below is an example of creating a FortiClient profile via CLI:
config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
    next
end


For further "Enabling Endpoint Protection in security policies", see below. Note that the policy searches the list of FortiClient profiles starting from the top and applies the first profile assigned to the device group:
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/nac.145.09.html
Under the advanced options, if "disable configuration sync with FortiGate" is selected, the client will be considered non-compliant. This setting is configurable when in standalone mode or when registered with the FG.

A new FW policy created allows you to toggle Compliant with FortiClient Profile to ON. Users will be redirected (via a web browser) to a dedicated portal where they can download the client. Once registered to the FortiGate, the FortiClient profile will be assigned.
0
Eprs_Admin (System Architect, author) commented:
OK, I have read all of your links.

But how do I enable FortiAV on my clients?
The client is installed but not AV?
How do I install AV on my clients?
0
btan (Exec Consultant) commented:
When you create the FortiClient profile, there should be "Antivirus Protection", which you can set to ON to enable the FortiClient realtime AntiVirus feature. Then this profile is applied to the device group:
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/nac.145.08.html

The overarching process for endpoint protection is summarised as follows.
To set up Endpoint Protection, you need to:

• Enable Central Management by the FortiGuard Analysis & Management Service if you will use FortiGuard Services to update the FortiClient application or antivirus signatures. You do not need to enter account information. See “Centralized Management” in the System Administration chapter of this Handbook.

• By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see “Changing the FortiClient installer download location”.

• In Security Profiles, configure application sensors and web filter profiles as needed to monitor or block applications. See the Security Profiles Guide chapter of this Handbook for details.

• Create a FortiClient profile or use a predefined profile. See “Creating a FortiClient profile”. Enable the application sensor and web category filtering profiles that you want to use.

• Enable Compliant with FortiClient Profile in the authentication rules of Device Identity security policies that the endpoints will use.
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/nac.145.06.html
0
Eprs_Admin (System Architect, author) commented:
After a reboot of the client computer, the Fortinet setup started and installed the new client.
But still no FortiAV is installed.
Why?

When I set up my FortiGate to enforce FortiAV -> the clients cannot connect to the internet.

How do I get AV running on the FortiClient?
0
btan (Exec Consultant) commented:
Strange. The forum shares a clean-up procedure prior to re-installation:
Is this the first time you install FortiClient on your computer? What OS is it running?

You can try the following steps to clean up the system and install it again:
1. Right click on "My Computer", click "Manage";
2. Click "Device Manager" on the left pane;
3. From the menu click "View", check "Show hidden devices";
4. Under "Network adapters", delete anything related to FortiClient, e.g. Fortinet virtual adapter;
5. Under "Non-Plug and Play Drivers", delete anything related to FortiClient, e.g., FARegMon, fortiapd, FortiFW, Fortinet NDIS6..., Fortips, FortiRdr, FortiStat2 etc.

If the problem persists, you can send us the install log file. It's in the folder %temp%, and probably has the name FCTInstall.log.
https://forum.fortinet.com/tm.aspx?m=94013

After FortiClient installation, we should maybe also check if it is able to reach myforticlient.fortinet.net. FortiClient (after a successful installation) should use the same URL for regular daily AV engine and signature updates. Most of the time it is a missing proxy setting. The client has a conf file that allows the user to specify proxy settings. See page 13 of the FortiClient XML Reference:
    http://docs.fortinet.com/uploaded/files/2076/forticlient-xml-52.pdf

Otherwise, I am thinking of having a customised MSI for the installer and being explicit in stating the components to install, such as the required AV. See http://www.fortihelp.com/2008/12/how-to-setup-custom-forticlient-install.html
0
Eprs_Admin (System Architect, author) commented:
I use WIN7 on the clients.
0
Eprs_Admin (System Architect, author) commented:
I followed the link from FortiHelp.
When I just use the latest MSI installer, then the AV module is also installed.
0
btan (Exec Consultant) commented:
Since the AV module is installed, will we be able to send the created FortiClient profile that has "Antivirus Protection" set to ON to enable the FortiClient realtime AntiVirus feature? And have it applied to the device group which the machine falls in: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/nac.145.08.html


You can also refer to the PDF (http://docs.fortinet.com/uploaded/files/1083/fortigate-managing-devices-50.pdf), section on Endpoint Protection, under "Creating a FortiClient profile" and going into "Enabling Endpoint Protection in security policies"; there is a sample to edit the authentication rule:
To enable Endpoint Protection - web-based manager
1. Go to Policy > Policy > Policy and edit the device identity firewall policy where you want to
enable Endpoint Protection.
2. Create or edit an authentication rule.
3. Select Compliant with FortiClient profile.
4. Select OK.
To configure the firewall policy - CLI
In this example, the LAN connects to Port 2 and the Internet is connected to Port 1. A FortiClient profile is applied.
config firewall policy
    edit 0
        set srcintf port2
        set dstintf port1
        set srcaddr LANusers
        set dstaddr all
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set service ALL
                set devices all
                set endpoint-compliance enable
            next
        end
    next
end
Besides the proxy info stated in the previous post, there is also mention of the FW config inadvertently blocking the traffic, where it was necessary to include the following: "searched for "config firewall service custom" and under it I added one line: set protocol-number 0"
https://forum.fortinet.com/tm.aspx?m=119384#119424
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
        set protocol-number 0
    next
end
What is required in the profile is described in https://forum.fortinet.com/tm.aspx?m=99159#119392
0
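The FortiOS CLI snippets posted in this thread (the endpoint-control profile with forticlient-av enable, the firewall policy whose identity-based rule sets endpoint-compliance enable, and the custom ALL service with protocol-number 0) are the three places a misconfiguration leaves endpoints non-compliant or cut off. Here is an added Python example, not from this thread and not a Fortinet tool, that parses the nested config/edit/set/next/end syntax of a saved configuration into dicts and runs those three checks. The sample configuration is constructed from the snippets above plus a second, deliberately incomplete policy (id 2); the check function names are my own.

```python
import shlex

# Constructed sample: the thread's snippets plus a second policy (id 2)
# whose identity rule lacks 'set endpoint-compliance enable'.
SAMPLE_CONFIG = """
config endpoint-control profile
    edit ep-profile1
        set device-groups mac windows-pc
        config forticlient-winmac-settings
            set forticlient-av enable
            set forticlient-wf enable
            set forticlient-wf-profile default
        end
    next
end
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
        set protocol-number 0
    next
end
config firewall policy
    edit 1
        set srcintf port2
        set dstintf port1
        set srcaddr LANusers
        set dstaddr all
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule always
                set service ALL
                set devices all
                set endpoint-compliance enable
            next
        end
    next
    edit 2
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule always
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts.
    'edit' entries become keys; a block with no 'edit' (e.g. the winmac
    settings) holds its 'set' values directly, each value as a list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def parse_block():
        nonlocal pos
        block, current = {}, None  # current = name of the open 'edit' entry
        while pos < len(lines):
            parts = shlex.split(lines[pos])
            pos += 1
            target = block[current] if current is not None else block
            if parts[0] == "config":
                target[" ".join(parts[1:])] = parse_block()
            elif parts[0] == "edit":
                current = " ".join(parts[1:])
                block.setdefault(current, {})
            elif parts[0] == "set":
                target[parts[1]] = parts[2:]
            elif parts[0] == "next":
                current = None
            elif parts[0] == "end":  # also closes an 'edit' left open without 'next'
                return block
        return block

    return parse_block()  # the top level is just a block of 'config' sections


def profile_enables_av(cfg, name):
    """True if the FortiClient profile turns on real-time AV for Windows/Mac."""
    prof = cfg.get("endpoint-control profile", {}).get(name, {})
    return prof.get("forticlient-winmac-settings", {}).get("forticlient-av") == ["enable"]


def rules_without_compliance(cfg):
    """(policy id, rule id) of identity-based rules lacking endpoint-compliance."""
    missing = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("identity-based") == ["enable"]:
            for rid, rule in pol.get("identity-based-policy", {}).items():
                if rule.get("endpoint-compliance") != ["enable"]:
                    missing.append((pid, rid))
    return missing


def service_all_is_any_protocol(cfg):
    """True if custom service ALL matches every IP protocol (protocol-number 0)."""
    svc = cfg.get("firewall service custom", {}).get("ALL", {})
    return svc.get("protocol") == ["IP"] and svc.get("protocol-number") == ["0"]
```

Run parse_fortios over a "show" or backup export and call the three checks; a policy listed by rules_without_compliance will let registered endpoints through without enforcing the FortiClient profile, which is the silent failure mode rather than the "cannot connect" one. The parser tolerates an "edit" that is closed by "end" without a preceding "next", as in the profile snippet earlier in this thread.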
