FortiClient Endpoint Security User Guide


Version 4.0.2

23 February 2009

04-402-86641-20090223

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
  About FortiClient Endpoint Security
  About this document
  Using the FortiClient system tray menus
  Documentation
  Fortinet Tools and Documentation CD
  Fortinet Knowledge Center
  Comments on Fortinet technical documentation
  Customer service and technical support

Installation
  System requirements
  Supported FortiGate models and FortiOS versions
  Language Support
  Installing FortiClient
  A note about installing on Windows Vista SP1
  A note about installing on servers
  A note about installing from a drive created with subst
  Install log

General Settings
  Entering a license key
  Complying with corporate policy
  Locking and unlocking the software
  Configuring proxy server settings
  Enabling WAN Optimization

VPN
  Configuring VPNs
  Setting up a VPN with automatic configuration
  Setting up a VPN with manual configuration
  Using the FortiClient VPN client
  Testing the connection
  Setting connection options
  Connecting to the remote network
  Connecting to a VPN before Windows logon
  Monitoring VPN connections
  Exporting and importing VPN policy files
  Troubleshooting VPN connections
  Managing digital certificates
  Getting a signed local certificate
  Getting a signed smartcard certificate
  Getting a CA certificate
  Validating certificates

Antivirus
  Scanning for viruses
  Configuring antivirus settings
  Selecting file types to scan or exclude
  Selecting files and folders to exclude from scanning
  Specifying an SMTP server for virus submission
  Integrating FortiClient antivirus scanning with Windows shell
  Configuring real-time protection
  Configuring email scanning
  Configuring server protection
  Managing quarantined files
  Monitoring Windows startup list entries
  Restoring changed or rejected startup list entries

Firewall
  Selecting a firewall mode
  Selecting a firewall profile
  Viewing network statistics
  Configuring application access permissions
  Managing address, protocol and time groups
  Configuring network security zones
  Adding IP addresses to zones
  Customizing security settings
  Configuring intrusion detection
  Configuring advanced firewall rules
  Managing groups

Web Filter
  Setting the administration password
  Modifying web filter settings
  Configuring the web filter global settings
  Managing web filter profiles
  Configuring web filter per-user settings

AntiSpam
  Installing antispam plug-in
  Enabling antispam
  Adding white, black, and banned word lists
  Manually labelling email
  Submitting misclassified email to Fortinet

AntiLeak

Maintenance
  Updating FortiClient
  Backing up and restoring FortiClient settings

Logs
  Configuring log settings
  Managing log files

Index

FortiClient Endpoint Security Version 4.0.2 User Guide

04-402-86641-20090223

http://docs.fortinet.com/

Introduction

This chapter introduces you to FortiClient Endpoint Security software and the following topics:

About FortiClient Endpoint Security

About this document

Using the FortiClient system tray menus

Documentation

Customer service and technical support

About FortiClient Endpoint Security

FortiClient Endpoint Security is a unified security agent for Windows computers that integrates personal firewall, IPSec VPN, antivirus, antispyware, antispam and web content filtering into a single software package.

With the FortiClient application, you can:

• create VPN connections to remote networks,

• scan your computer for viruses,

• configure real-time protection against viruses and unauthorized modification of the Windows registry,

• restrict access to your system and applications by setting up firewall policies,

• restrict Internet access according to the rules you specify,

• filter incoming email on your Microsoft Outlook® and Microsoft Outlook® Express to collect spam automatically.

• use the remote management function provided by the FortiManager System.

About this document

This document explains how to install and use the features of FortiClient Endpoint Security.

This document contains the following chapters:

• Installation explains how to install the FortiClient application on your PC.

• General Settings describes how to enter a license key, how to lock or unlock the application settings, how to configure optional proxy server settings, and how to configure WAN optimization.

• VPN describes how to configure an IPSec VPN with the FortiClient application.

• Antivirus describes how to scan files for viruses, how to configure real-time scanning of files as you access them, how to configure virus scanning of incoming and outgoing email, and how to prevent unauthorized modifications to the Windows startup list or to the registry.

• Firewall describes how to configure the FortiClient firewall. You can use pre-defined or custom settings.

• Web Filter describes how to configure the FortiClient application to control the types of web page content accessible on your PC using the Fortinet FortiGuard Web Filtering service.

• AntiSpam describes how to configure spam filtering for your Microsoft Outlook or Outlook Express email client. The FortiClient application works with the Fortinet FortiGuard AntiSpam service to determine which email messages are spam. You can also create your own black list and white list of email addresses.

• AntiLeak describes how to prevent accidental leakage of sensitive information through Microsoft Outlook email messages.

• Maintenance describes how to perform manual or scheduled updates of the antivirus definitions and antivirus engine, and how to back up and restore the FortiClient application settings.

• Logs describes how to configure logging of security events and how to view log information.

Using the FortiClient system tray menus

Many frequently used FortiClient features are available from the system tray menu. Right-click the FortiClient icon to access the menu.

Figure 1: FortiClient system tray menus

Open FortiClient Console: Opens the management console so that you can configure the settings and use the services.

FortiClient Help: Opens the online help.

About FortiClient: Displays version and copyright information.

Make Compliant with Corporate Policy: Enables antivirus, antispam, firewall, or web filtering features as required to comply with the security policy. This item is visible if the FortiClient PC is centrally managed and a security policy is set, but the FortiClient settings do not comply. For more information, see “Complying with corporate policy” on page 15.

Compliant with Corporate Policy: FortiClient complies with the security policy. This item is visible if the FortiClient PC is centrally managed, a security policy is set, and the FortiClient settings comply.

VPN: If you have already added VPN tunnels, you can start or stop the VPN connections by selecting or deselecting the connection names. See “Connecting to the remote network” on page 29.

Enable/Disable Realtime AV Protection: For details, see “Configuring real-time protection” on page 45.

Enable/Disable Startup Registry Monitor: For details, see “Monitoring Windows startup list entries” on page 48.

Firewall: You can select Deny All, Normal, or Pass All. See “Selecting a firewall mode” on page 51.

Enable/Disable WebFilter: For details, see “Web Filter” on page 59.

Enable/Disable AntiSpam: For details, see “AntiSpam” on page 65.

Update Now: Update Antivirus definitions and AntiSpam rules.

Show AV scan window(s): View AV scan windows, hidden during scheduled scans. This menu item is available only during a scan.

Shutdown FortiClient: Stops all FortiClient services and closes FortiClient console. The confirmation dialog imposes a four second wait for the Yes button to be available.

Documentation

In addition to this FortiClient Endpoint Security User Guide, the FortiClient online help provides information and procedures for using and configuring the FortiClient software.

If you are responsible for deploying FortiClient Endpoint Security to an enterprise, see the FortiClient Endpoint Security Administration Guide for information about customized installation, central management using a FortiManager system, network-wide per-user web filtering, and configuration of FortiGate devices to support FortiClient VPN users.

Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide.

Fortinet Tools and Documentation CD

All Fortinet documentation is available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. (You do not receive this CD if you download the FortiClient application.) The documents on the CD are current at shipping time. For up-to-date versions of Fortinet documentation visit the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].


Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.


Installation

There are two types of installation packages available for FortiClient software:

• a Windows executable file

• a Microsoft Installer (MSI) package compressed into a .zip file

The Windows executable file provides easy installation on a single computer. For details see “Installing FortiClient” on page 12.

The MSI package is customizable for a larger roll-out to many computers in an organization. For more information, see the FortiClient Administration Guide.

If you are installing the FortiClient application on a 64-bit platform, you must use a 64-bit installer. The 64-bit installer files have “_x64” in their name.

System requirements

To install FortiClient 4.0 you need:

• a PC-compatible computer with Pentium processor or equivalent

• a compatible operating system and minimum RAM:

    • Microsoft Windows 2000: 128 MB

    • Microsoft Windows XP 32-bit and 64-bit: 256 MB

    • Microsoft Windows Server 2003 32-bit and 64-bit: 384 MB

    • Microsoft Windows Vista: 512 MB

    • Microsoft Windows 7: 512 MB

• a compatible email application for the AntiSpam feature:

    • Microsoft Outlook 2000 or later

    • Microsoft Outlook Express 2000 or later

• a compatible email application for the AntiLeak feature:

    • Microsoft Outlook 2000 or later

• 100 MB hard disk space

• Native Microsoft TCP/IP communications protocol

• Native Microsoft PPP dialer for dial-up connections

• an Ethernet connection

Note: The FortiClient software installs a virtual network adapter.

Supported FortiGate models and FortiOS versions

The FortiClient VPN feature is compatible with all FortiGate models running FortiOS version 2.36 and later.


Language Support

The FortiClient Endpoint Security user interface and documentation are localized for:

• English

• French

• Simplified Chinese

• Japanese

• Korean

• Slovak

The FortiClient installation software detects the language of the operating system and installs the matching language version of the application. If a language other than one of the above is detected, the English language version of the software is installed.

Installing FortiClient

Before beginning the installation, ensure you uninstall any other VPN client software, such as SSH Sentinel. FortiClient may not function properly with other VPN clients installed on the same computer.

If you have an older version of FortiClient software installed on your computer, the Windows executable version of the installer automatically upgrades your FortiClient installation to the new version, retaining your current configuration. FortiClient 4.0 can reuse configuration data from FortiClient versions 2.0, 1.6 or 1.2, but not from version 1.0.

Note: For FortiClient version 1.0 and 1.2 installations, it is recommended that you uninstall the software before installing version 4.0 to ensure a clean install.

You can also perform an upgrade installation of FortiClient software using the .zip version of the installer, which contains an MSI installer package.

To install the FortiClient software - Windows executable installer

1 Double-click the FortiClient installer program file.

2 Follow the instructions on the screen, selecting Next to proceed through the installation options.

When the installation has completed, the configuration wizard begins, unless you are upgrading an existing installation.

To install the FortiClient software - MSI installer

1 Extract the files from the FortiClient Setup .zip archive into a folder.

2 Do one of the following:

• To perform a new installation, double-click the FortiClient.msi file.

• To perform an upgrade installation, execute the following command at the command prompt (all on one line, case as shown):

msiexec /i <path_to_installation_folder>\FortiClient.msi REINSTALL=ALL REINSTALLMODE=vomus

3 Follow the instructions on the screen, selecting Next to proceed through the installation options.

When the installation has completed, the configuration wizard begins, unless you are upgrading an existing installation.


To configure the FortiClient software after installation

1 On the FortiClient Configuration Wizard, select Basic Setup if you are installing FortiClient on a standalone computer, or select Advanced Setup if you are installing FortiClient on a computer in a network.

2 For Basic Setup, configure the update settings. For more update information, see “Maintenance” on page 71.

3 For Advanced Setup, do the following:

• Add IP addresses to FortiClient’s public, trusted, and blocked zones. For more information, see “Configuring network security zones” on page 55.

• If your computer uses a proxy server, enter the proxy server information. See “Configuring proxy server settings” on page 16.

• Configure the update settings. See “Maintenance” on page 71.

A note about installing on Windows Vista SP1

Make sure that Windows is not installing updates while you install the FortiClient application. If Windows Update has run and it requested a reboot, be sure to reboot your computer before installing the FortiClient application.

A note about installing on servers

In the FortiClient 4.0 beta release, antivirus protection that integrates with Microsoft Exchange is available for evaluation. Install the FortiClient application from the command line with the WITHEXCHANGE=1 option. (If you use the .exe installer, the command line option is /v"WITHEXCHANGE=1".) FortiClient Endpoint Security automatically detects Microsoft Exchange installations and enables the Exchange Server Options under Antivirus > Server Protection. Fortinet recommends that you enable the options that exclude Exchange filesystem folders and associated files from virus scanning. A preset list of files to exclude is then added to the antivirus and real-time protection settings.

FortiClient Endpoint Security automatically detects SQL Server installations and enables the SQL Server Options under Antivirus > Server Protection. Fortinet recommends that you enable the options that exclude SQL Server file system folders and associated files from virus scanning. A preset list of files to exclude is then added to the antivirus and real-time protection settings.

For all server software, verify that server software product folders and files are excluded from AV scanning as their vendors recommend. Do not enable real-time protection or initiate virus scanning until you have done this. Go to both Antivirus > Settings and Antivirus > Realtime Protection to edit the exclusion lists.

A note about installing from a drive created with subst

Installing from an MSI package does not work if the MSI file is located on a drive created with the subst command. You can do any of the following:

• specify the real path to the file

• move the MSI file to a location where this is not an issue

• use the .exe installer instead, if possible

Install log

During the installation, FortiClient logs all install activities to a log file automatically. Should any problems arise during the install, you can review the install log to see where and when the issue occurred.

The install log file, fcinstalllog.txt, is located in the following directory:

• on Windows 2000 in the c:\winnt\ directory.

• on Windows XP, in the c:\windows\ directory.

When installing using the MSI installer, the install does not create the install log automatically. For an MSI installation to produce a log, use the following command:

msiexec /i FortiClient.msi /L*v c:\logfile.txt

Alternatively, you can install the appropriate logging Active Directory group policies.
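To find where and when an MSI install failed in a verbose log produced with the /L*v option, a short parser is enough. The following is an added example, not part of the Fortinet guide; the sample log lines are constructed, and the action name ExampleDriverInstall and product name are hypothetical.

```python
import re
import sys

# Meaning of the "Return value N" that Windows Installer logs for each action.
RETURN_VALUES = {0: "not invoked", 1: "success", 2: "cancelled by user",
                 3: "fatal error", 4: "suspended"}

ACTION_END = re.compile(
    r"^Action ended (\d{1,2}:\d{2}:\d{2}): (.+?)\. Return value (\d)\.")
ERROR_LINE = re.compile(r"\bError (\d{4})\.")
ENGINE_EXIT = re.compile(r"MainEngineThread is returning (\d+)")

# Constructed sample of an msiexec /L*v log (not from a real FortiClient install).
SAMPLE_LOG = "\n".join([
    "=== Verbose logging started: 2/23/2009  10:15:30 ===",
    "MSI (s) (A4:5C) [10:15:31:100]: Doing action: InstallInitialize",
    "Action start 10:15:31: InstallInitialize.",
    "Action ended 10:15:31: InstallInitialize. Return value 1.",
    "MSI (s) (A4:5C) [10:15:32:200]: Doing action: ExampleDriverInstall",
    "Action start 10:15:32: ExampleDriverInstall.",
    "Error 1722. There is a problem with this Windows Installer package.",
    "Action ended 10:15:34: ExampleDriverInstall. Return value 3.",
    "Action ended 10:15:34: INSTALL. Return value 3.",
    "MSI (s) (A4:5C) [10:15:35:000]: Product: Example Product -- Installation failed.",
    "MainEngineThread is returning 1603",
])


def decode_log(raw: bytes) -> str:
    """Decode a log file. Assumption: the log is UTF-16 with a BOM (common for
    msiexec) or otherwise UTF-8; anything else falls back to latin-1."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def analyze_log(text: str) -> dict:
    """Return failed actions, logged error numbers and the engine exit code."""
    failures, errors, exit_code = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTION_END.match(line)
        if m:
            value = int(m.group(3))
            if value in (2, 3):  # cancelled or fatal: the install stopped here
                failures.append({"line": lineno, "time": m.group(1),
                                 "action": m.group(2), "value": value,
                                 "meaning": RETURN_VALUES[value]})
            continue
        m = ERROR_LINE.search(line)
        if m:
            errors.append((lineno, int(m.group(1))))
        m = ENGINE_EXIT.search(line)
        if m:
            exit_code = int(m.group(1))
    # The first failing action is the root cause; later ones (such as the
    # top-level INSTALL action) only propagate the same failure upward.
    return {"first_failure": failures[0] if failures else None,
            "failures": failures, "errors": errors, "exit_code": exit_code}


if __name__ == "__main__":
    # Usage: python msilog.py c:\logfile.txt   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            log_text = decode_log(fh.read())
    else:
        log_text = SAMPLE_LOG
    result = analyze_log(log_text)
    first = result["first_failure"]
    if first is None:
        print("No failed action found; exit code:", result["exit_code"])
    else:
        print("First failure at line %(line)d, %(time)s: %(action)s (%(meaning)s)" % first)
        print("Error numbers logged:", [code for _, code in result["errors"]])
        print("Installer exit code:", result["exit_code"])
```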


General Settings

Use the General Settings menu to:

• view the FortiClient software version and serial number,

• view the status of the VPN service,

• enable or disable real-time antivirus protection,

• enable or disable Windows system startup list monitoring,

• view the current version of the antivirus files and the last scan time

• set the FortiClient console to open automatically at startup,

• enter a product license key,

• check and restore compliance with the corporate security policy

• lock or unlock the FortiClient application

• enable and configure WAN optimization

Entering a license key

The FortiClient application uses license keys to distinguish between evaluation software and fully licensed software.

Evaluation software provides fully functional firewall and IPSec VPN features. Antivirus updates are available for 90 days. Antispam and web-filtering services are available for 90 days. You cannot extend the evaluation period by reinstalling the software.

When you purchase and enter a license key into the software, antivirus updates are available until the license expires. The General > Status page displays the license serial number and expiry date.

To use antispam and web filtering services beyond the evaluation period, you must purchase a FortiGuard service subscription. For more information, see http://www.fortinet.com/products/fortiguard.html.

To buy or renew a license key, contact your local Fortinet sales engineer, or visit https://shop.fortinet.com or http://www.fortinet.com/products/forticlient.html.

To enter a license key

1 Go to General > Status.

2 Select Enter License Key.

3 Enter the license key.

4 Select OK.

Complying with corporate policy

If the FortiClient PC is centrally managed, a security policy can be set that requires antivirus, antispam, firewall, or web filtering features to be enabled. The Corporate Policy Compliance section of the General page is visible if this is the case.

If the FortiClient PC is not in compliance with the security policy, it cannot operate a VPN tunnel.

The Corporate Policy Compliance section shows “FortiClient is compliant with corporate policy” or it shows the Make FortiClient compliant with corporate policy check box. Select the check box to bring FortiClient settings into compliance with the policy.

Locking and unlocking the software

You can modify FortiClient software settings only if your Windows account has administrative privileges. You can prevent other administrative users from modifying the settings by locking FortiClient with a password. If your FortiClient software is remotely managed using the FortiManager System, the FortiManager administrator can lock your configuration settings. If your FortiClient application is locked, the General Settings page shows an Unlock button.

To lock the FortiClient application locally

1 Go to General > Status and select Lock Settings.

2 Enter the password in the Password field and enter it again in the Confirm field.

3 Select OK.

To unlock the FortiClient application locally

1 Obtain the password from your administrator.

2 Go to General > Status and select Unlock.

3 Enter the password in the Password field.

4 Optionally, select Remove Password to permanently unlock the application.

This is not available if FortiManager has locked the FortiClient application.

5 Select OK.

6 When you have finished modifying settings, select Relock.

Note: Even if your FortiClient software is locked, you can perform antivirus scans, use VPN tunnels, change VPN certificates and change CRLs.

Configuring proxy server settings

If you use a proxy server for your LAN, you can specify the proxy server settings so that the FortiClient software can go through the proxy server to get antivirus signature updates, to submit viruses, and to obtain certificates online using simple certificate enrollment protocol (SCEP).

FortiClient software supports HTTP, SOCKS v4, and SOCKS v5 proxy protocols.

To configure proxy server settings

1 Go to General > Connection.

2 Select Enable proxy for Updates, Virus submission, and Online SCEP as needed.

3 For Proxy Type, select HTTP, SOCKS V4, or SOCKS V5.

4 Enter the proxy server’s IP Address and Port number.

You can get this information from your network administrator.


5 Enter the User name and Password.

6 Select Apply.

Enabling WAN Optimization

FortiClient 4.0 WAN Optimization works exclusively with WAN optimization on a FortiGate unit to accelerate network access. FortiClient will automatically detect if WAN optimization is enabled on the optimizing FortiGate unit it is connected to and transparently make use of the byte caching and protocol optimization features available. Byte caching and protocol optimization are bidirectional.

To enable WAN Optimization

1 Go to Status > WAN Optimization.

2 Select Enable WAN Optimization.

3 Enable the protocols to be optimized: HTTP (web browsing), CIFS (file sharing), MAPI (Microsoft Exchange) and FTP (file transfers).

4 Set Maximum Disk Cache to 512, 1024, or 2048MB.

The default is 512MB. If your hard disk can accommodate a larger cache, better optimization performance is possible.

5 Select Apply.


VPN

FortiClient Endpoint Security can establish a VPN tunnel between your computer and a FortiGate unit or other VPN gateway. With the aid of this manual, you need only a few pieces of information from the VPN administrator to configure the FortiClient VPN settings.

Configuring VPNs

If the VPN gateway is a FortiGate unit running FortiOS 3.0 or 4.0, it can download the settings to your FortiClient application. You need to know only the IP address or domain name of the VPN gateway. See “Setting up a VPN with automatic configuration” on page 19.

If the VPN gateway is a FortiGate unit running FortiOS 2.80 or earlier, or it is a third-party gateway, you must configure the FortiClient VPN settings manually. You need to know:

• the IP address or domain name of the VPN gateway

• the IP address and netmask of the network(s) you want to reach through the VPN gateway

• in some cases, a virtual IP address setting

• unless default settings are used, IKE and IPsec policy settings

• if extended authentication (XAuth) is used, your user name and password

See “Setting up a VPN with manual configuration” on page 20.

If you are configuring a VPN to use either local digital certificates or smartcard/eToken certificates for authentication, see “Managing digital certificates” on page 32 before proceeding.

Digital certificates are not required for configuring FortiClient VPN connections. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Setting up a VPN with automatic configuration

If the remote FortiGate gateway is configured as a VPN policy deployment server, you can configure the FortiClient software to download the VPN policies from the FortiGate gateway.

The policy server has a daemon running all the time for incoming policy download requests. This daemon communicates with the FortiClient PC to process user authentication, policy lookup, and delivery. After the policy is sent out, the daemon closes the SSL connection, and you can start up the VPN tunnel from the FortiClient side.

Note: For VPNs with automatic configuration, only preshared keys are supported. Certificates are not supported.

On the FortiClient side, you only need to create a VPN name and specify the IP address of the FortiGate gateway.


To add a VPN with automatic configuration on the FortiClient PC

1 Go to VPN > Connections.

2 Select Advanced and then select Add.

3 In the New Connection dialog box, enter a connection name.

4 For Configuration, select Automatic.

5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway.

6 Select OK.

Setting up a VPN with manual configuration

The VPN configuration described here uses default FortiClient settings and preshared keys for VPN authentication.

To set up a VPN connection, your FortiClient settings must match those of the VPN server, a FortiGate unit, for example.

To use digital certificates for VPN authentication, see “Managing digital certificates” on page 32.

Configuring basic FortiClient VPN settings

Go to VPN > Connections to add, delete, edit, or rename a VPN connection.

To add a FortiClient to FortiGate VPN, you need to:

• Set up the VPN tunnel from FortiClient to the remote FortiGate gateway.

• If your administrator requires it, configure the FortiClient VPN to use a virtual IP address, either manually assigned or obtained using DHCP over IPSec.

• Optionally, add the IP addresses of additional networks behind the remote gateway.

• Configure Internet browsing over IPSec if you want to access the Internet through the VPN tunnel.

Figure 2: Creating a new VPN connection


To create a FortiClient VPN configuration

1 Go to VPN > Connections.

2 Select Advanced and then select Add.

3 Enter the following information and select OK.

Connection Name: Enter a descriptive name for the connection.

Configuration: Select Manual.

Remote Gateway: Enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.

Remote Network: Enter the IP address and netmask of the network behind the FortiGate unit.

Authentication Method: Select Pre-shared Key.

Pre-shared Key: Enter the pre-shared key.

To create a configuration based on an existing configuration

1 Go to VPN > Connections.

2 Select the connection to use as the basis for this connection.

3 Select Advanced and then select Clone.

4 Enter a name for the new connection.

5 Select Advanced and then select Edit.

6 Modify the settings of the new connection as needed.

To set the virtual IP address

If your configuration requires a virtual IP address, do the following:

1 Go to VPN > Connections.

2 Double-click a connection.

The Edit Connection dialog box opens.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Acquire Virtual IP Address and then select Config.

5 In the Virtual IP Acquisition dialog box, do one of the following:

• Select Dynamic Host Configuration Protocol (DHCP) over IPSec.

• Select Manually Set and enter the IP address, Subnet Mask, DNS Server and WINS Server addresses as required. For details, see “Configuring Virtual IP address acquisition” on page 25.

6 Select OK.

7 Select OK.

To add additional remote networks to a connection

1 Go to VPN > Connections.

2 Double-click the connection which can access the network that you want to add.

The Edit Connection dialog box opens.

3 Select Advanced.

The Advanced Settings dialog box opens.


4 In the Remote Network section, select Add.

5 In the Network Editor dialog box, enter the IP Address and Subnet mask of the remote network and then select OK.

6 Repeat Steps 4 and 5 for each additional network you want to add.

You can specify up to 16 remote networks.

7 Select OK.

8 Select OK.

To use Internet browsing over IPSec

1 Go to VPN > Connections.

2 Double-click a connection.

The Edit Connection dialog box opens.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Add.

5 Enter 0.0.0.0/0.0.0.0 and select OK.

6 Select OK.

7 Select OK.

Note: For the FortiClient PC to be able to use Internet browsing over IPSec, the remote FortiGate gateway must also be configured to allow such traffic.

To transfer VPN configuration settings to your Windows mobile device

1 Connect your mobile device to your PC using the USB cable.

2 Start Microsoft ActiveSync and make sure that it detects your device.

3 Go to VPN > Connections.

4 Select Advanced and then select Sync to Mobile Device.

Your tunnel definitions are transferred to your mobile device.

Configuring IKE and IPSec policies

FortiClient has two preconfigured IKE and IPSec policies:

• Use the Legacy policy for a VPN to a FortiGate unit running FortiOS v2.36, and for any Cisco gateways that only support legacy settings.

• Use the Default policy for a VPN to a FortiGate unit running FortiOS v2.50 or higher.

To modify the Legacy or Default policy settings

1 Go to VPN > Connections.

2 Double-click a connection.

The Edit Connection dialog box opens.

3 Select Advanced.

The Advanced Settings dialog box opens.

4 Under Policy, select Legacy or Default.

The policy settings appear in the IKE and IPSec boxes. You can use the Legacy or Default policies. If you want to configure the detailed settings, continue with the following steps.


5 Under Policy, select Config.

6 In the Connection Detailed Settings dialog box, configure the settings in the following table. Select OK to save the settings. You can also select Legacy or Default to go back to the original legacy or default settings.

Figure 3: Editing the detailed configuration settings


Table 1: FortiClient IKE settings correspond to FortiGate phase 1 settings

IKE Proposals: Add or delete encryption and authentication algorithms. The proposal list is used in the IKE negotiation between the FortiClient software and the remote FortiGate unit. The FortiClient software will propose the algorithm combinations in order, starting at the top of the list. The remote FortiGate gateway must use the same proposals.

Mode: Select either Main or Aggressive. Main mode provides an additional security feature called identity protection which hides the identities of the VPN peers so that they cannot be discovered by passive eavesdroppers. Main mode requires the exchange of more messages than Aggressive mode. It is also difficult to use efficiently when a VPN peer uses its identity as part of the authentication process. When using aggressive mode, the VPN peers exchange identifying information in the clear.

DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.

• When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.

• When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).

• When the VPN peers employ main mode, you can select multiple DH groups.

Key Life: Enter the number in seconds. The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID: If you are using peer IDs for authentication, enter the peer ID FortiClient will use to authenticate itself to the remote FortiGate gateway. If you are using certificates for authentication, you can enter the local ID, which is the distinguished name (DN) of the local certificate. Note there is no limit to how many FortiClient peers can use the same local ID.

Table 2: FortiClient IPSec settings correspond to FortiGate phase 2 settings

IPSec Proposals: Add or delete encryption and authentication algorithms. The remote FortiGate gateway must use the same proposals.

DH Group: Select one Diffie-Hellman group from DH group 1, 2, and 5. DH group 1 is least secure. DH group 5 is most secure. You cannot select multiple DH Groups. The remote FortiGate gateway must use the same DH Group settings.

Key Life: Select either Seconds or KBytes for the keylife, or select both. The keylife causes the IPSec key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 2147483648 kbytes.


Table 3: FortiClient advanced VPN settings

Replay Detection: With replay detection, the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received. If the same packets exceed a specified sequence range, the FortiClient software discards them.

PFS: Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

NAT Traversal: Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. If you enable NAT traversal, you can set the keepalive frequency. NAT traversal is enabled by default.

Keepalive Frequency: If NAT Traversal is selected, enter the Keepalive Frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Autokey Keep Alive: Enable this option to keep the VPN connection open even if no data is being transferred.

Dead Peer Detection: Enable this option to clean up dead VPN connections and establish new VPN connections.

Configuring Virtual IP address acquisition

The FortiClient software supports two methods for virtual IP address acquisition: dynamic host configuration protocol (DHCP) over IPSec and manual entry.

Select the DHCP over IPSec option to allow the DHCP server in the remote network to dynamically assign an IP address to your FortiClient computer after the VPN connection is established.

Select the Manually Set option to manually specify a virtual IP address for your FortiClient computer. This virtual IP address must be an actual address in the remote network. You can also specify the DNS and WINS server IP addresses of the remote network.

For information about how to configure the FortiGate gateway, see FortiGate Administration Guide and FortiGate IPSec VPN Guide.

Note: If you are connecting to a v2.50 FortiGate gateway, you cannot set the virtual IP address to be in the same subnet of the remote network, because the v2.50 FortiGate gateway does not support proxy ARP. If you are connecting to a v2.80 or later FortiGate gateway, consult your network administrator for a proper virtual IP address.

Figure 4: Configuring virtual IP address acquisition


To configure virtual IP address acquisition

1 Go to VPN > Connections.

2 Double-click a connection.

The Edit Connection dialog box opens.

3 Select Advanced.

The Advanced Settings dialog box opens.

4 Select Acquire virtual IP address and then select the corresponding Config button.

5 Select Dynamic Host Configuration Protocol (DHCP) over IPSec or Manually Set.

The default is DHCP.

6 If you select Manually Set, enter the IP address and Subnet Mask. Optionally specify the DNS Server and WINS Server IP addresses.

7 Select OK.

8 Select OK.

9 Select OK.

Configuring eXtended authentication (XAuth)

If the remote FortiGate unit is configured as an XAuth server, it will require the FortiClient software to provide a user name and password when a VPN connection is attempted. The user name and password are defined by the XAuth server. They can be saved as part of an advanced VPN configuration, or they can be entered manually every time a connection is attempted.

For information about how to configure the XAuth server, see FortiGate Administration Guide and FortiGate IPSec VPN Guide.

Figure 5: Configuring eXtended authentication


To configure XAuth

1 Go to VPN > Connections.

2 Double-click a connection.

The Edit Connection dialog box opens.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Config for eXtended Authentication.


5 In the Extended Authentication dialog box, do one of the following:

• If you want to enter the login user name and password for each VPN connection, select Prompt to login. You can choose whether FortiClient permits three, two, or only one attempt to enter the correct user name and password.

• When FortiClient prompts you to log in, you can select the password save option so that you do not have to enter the password the next time you are prompted to log in.

• If you want FortiClient to automatically send the XAuth credentials, clear Prompt to login and enter the user name and password.

6 Select OK.

7 Select OK.

8 Select OK.

Using the FortiClient VPN client

When you have configured your VPN connections, you can use FortiClient to make secure connections.

Testing the connection

After you configure a VPN, you can test the VPN connection from your FortiClient PC.

This is optional, but it provides more information than the Connect function if the connection fails.

To test the connection

1 Go to VPN > Connections.

2 Select the connection you want to test.

3 Select Advanced and then select Test.

A log window opens and begins to negotiate the VPN connection with the remote FortiGate unit.

If the test is successful, the last line of the log will read “IKE daemon stopped”.

Note: For a VPN with automatic configuration, the FortiClient software downloads the VPN policy first. To test the VPN connection, the FortiClient software attempts to negotiate the VPN connection but does not actually open a VPN connection.

If the last line of the log reads “Next_time = x sec”, where x is an integer, the test was not successful. The FortiClient software is continuing to try to negotiate the connection. See “Troubleshooting VPN connections” on page 31.

4 Select Close.


Figure 6: A successful connection test


Figure 7: A failed connection test


Setting connection options

The following options apply to VPN connections. You can find them on the VPN > Connections page. Select Apply after making any changes.

Start VPN before logging on to Windows: Select this option if you need to log on to a Windows domain through a VPN when you start up your Windows workstation. See “Connecting to a VPN before Windows logon” on page 29.

Keep IPSec service running forever unless manually stopped: Select to retry dropped connections indefinitely. By default, the FortiClient software retries a dropped connection four times.

Beep when connection error occurs: Select if you want the FortiClient software to sound a beep when a VPN connection drops. By default, the alarm stops after 60 seconds, even if the connection has not been restored. You can change the duration or select Continuously so that the alarm stops only when the connection is restored.


Connecting to the remote network

After you set up a VPN connection, you can start or stop the connection as required.

Note: If the FortiClient PC is centrally managed and does not comply with the corporate security policy, the VPN will not operate. Select Make Compliant with Corporate Policy from the system tray menu to make the required changes to FortiClient settings. For more information, see “Complying with corporate policy” on page 15.

To connect to a remote FortiGate gateway

1 Go to VPN > Connections.

2 Select the connection you want to start.

3 Select Connect.

The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall. If the negotiation is successful and the connection is established, the last line of the log will read “Negotiation Succeeded!”.

4 Select OK or wait for the log window to close automatically.

If the last line of the log is “Negotiation failed! Please check log” and the log window does not close automatically, the connection attempt failed. Test the connection to verify the configuration.

5 To stop the connection, select Disconnect.

Connecting to a VPN before Windows logon

You can connect to a VPN before you log onto Windows if you have selected the Start VPN before logging on to Windows option (see “Setting connection options” on page 28).

A FortiClient VPN icon is displayed on the Windows login screen.

Figure 8: VPN icon on Windows login screen (icon states shown: No VPN connection, Active VPN connection)

You need to connect to the VPN before logging onto Windows only if the VPN provides the connection to your Windows domain. In this case, you should not disconnect from the VPN until you log off of the Windows domain.

To connect to a VPN from the Windows login screen

1 Select the VPN icon.

2 Select the required VPN connection from the Connections list.

3 Select Connect.

The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall. If the negotiation is successful and the connection is established, the last line of the log will read “Negotiation Succeeded!”.

4 Select OK or wait for the IKE Negotiation window to close automatically.

5 Log on to the Windows domain.

6 After you log off of the Windows domain, select the VPN icon to disconnect the VPN.


Monitoring VPN connections

Go to VPN > Monitor to view current VPN connection and traffic information.

Figure 9: VPN Monitor


Current connection

Name: The name of the current VPN connection.

Local Gateway: The IP address of the local gateway (the FortiClient computer).

Remote: The IP address of the remote gateway (the FortiGate unit).

Time Out (sec): The remaining lifetime of the VPN connection.

Incoming

Packets: The number of packets received.

Bytes: The number of bytes received.

Encryption: The encryption algorithm and key.

Authentication: The authentication algorithm and key.

Outgoing

Packets: The number of packets sent.

Bytes: The number of bytes sent.

Encryption: The encryption algorithm and key.

Authentication: The authentication algorithm and key.

Traffic summary

The traffic summary displays a graph of the incoming and outgoing VPN traffic. The left column displays incoming traffic and the right column displays outgoing traffic. The total number of incoming and outgoing bytes transferred is also displayed.

Note: When traffic is transferred over an open VPN connection, the FortiClient system tray icon will change to a traffic summary graph. The red column indicates incoming traffic. The green column indicates outgoing traffic.


Exporting and importing VPN policy files

You can export a VPN policy file to your local or network computer as a backup of the VPN configuration settings. If required, you can import this file back to your local FortiClient PC or to other FortiClient PCs.

To export a VPN policy file

1 Go to VPN > Connections.

2 Select the connection for which you want to export the VPN policy file.

3 Select Advanced and then select Export.

4 Select a file folder and enter a file name.

5 Select Save.

To import a VPN policy file

1 Go to VPN > Connections.

2 Select Advanced and then select Import.

3 Locate the file and select Open.

Note: If the imported file has the same file name as an existing connection, it will overwrite the existing one.

Troubleshooting VPN connections

Most connection failures are due to a configuration mismatch between the remote FortiGate unit and the FortiClient software.

The following are some tips to troubleshoot a VPN connection failure:

• PING the remote FortiGate firewall from the FortiClient computer to verify you have a working route between the two.

• Check the FortiClient software configuration. Table 4 lists some common FortiClient software configuration errors.

• Check the FortiGate firewall configuration. Table 5 lists some common FortiGate Antivirus Firewall configuration errors.

Table 4: Common FortiClient software configuration errors

Configuration Error: Wrong remote network information.
Correction: Check the IP addresses of the remote gateway and network.

Configuration Error: Wrong preshared key.
Correction: Reenter the preshared key.

Configuration Error: Wrong Aggressive Mode peer ID.
Correction: Reset to the correct Peer ID.

Configuration Error: Mismatched IKE or IPSec proposal combination in the proposal lists.
Correction: Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals.

Configuration Error: Wrong or mismatched IKE or IPSec Diffie-Hellman group.
Correction: Make sure you select the correct DH group on both ends.

Configuration Error: No Perfect Forward Secrecy (PFS) when it is required.
Correction: Enable PFS.


Table 5: Common FortiGate Antivirus Firewall configuration errors

Configuration Error: Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external.
Correction: Change the policy to internal-to-external.

Configuration Error: Wrong firewall policy source and destination addresses.
Correction: Reenter the source and destination address.

Configuration Error: Wrong order of the encryption policy in the firewall policy table.
Correction: The encryption policy must be placed above other nonencryption policies.
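The checks in Table 4, together with the value limits from Tables 1 to 3, can be run against a copy of the client and gateway settings before a connection test. This is an added example, not Fortinet code; the dictionary layout, key names and sample values are assumptions made for the illustration.

```python
"""Pre-flight comparison of FortiClient VPN settings with the gateway's.

Added illustration, not Fortinet code. The dictionary layout and key names
are assumptions; the limits are the ones stated in this guide.
"""
import ipaddress

ALLOWED_DH = {1, 2, 5}               # DH groups offered in Tables 1 and 2
P1_KEYLIFE_S = (120, 172800)         # IKE key life, seconds
P2_KEYLIFE_S = (120, 172800)         # IPSec key life, seconds
P2_KEYLIFE_KB = (5120, 2147483648)   # IPSec key life, kbytes
KEEPALIVE_S = (0, 900)               # NAT traversal keepalive, seconds
MAX_REMOTE_NETWORKS = 16


def _in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def validate_client(cfg):
    """Return problems visible in the client settings on their own."""
    problems = []
    groups = cfg["ike_dh_groups"]
    if not groups or not set(groups) <= ALLOWED_DH:
        problems.append("IKE DH groups must be chosen from 1, 2 and 5")
    if cfg["mode"] == "aggressive" and len(groups) != 1:
        problems.append("aggressive mode client must select one IKE DH group")
    if cfg["ipsec_dh_group"] not in ALLOWED_DH:
        problems.append("IPSec DH group must be 1, 2 or 5")
    if not _in_range(cfg["ike_keylife_s"], P1_KEYLIFE_S):
        problems.append("IKE key life outside 120-172800 seconds")
    secs, kbytes = cfg.get("ipsec_keylife_s"), cfg.get("ipsec_keylife_kb")
    if secs is None and kbytes is None:
        problems.append("IPSec key life needs Seconds, KBytes or both")
    if secs is not None and not _in_range(secs, P2_KEYLIFE_S):
        problems.append("IPSec key life outside 120-172800 seconds")
    if kbytes is not None and not _in_range(kbytes, P2_KEYLIFE_KB):
        problems.append("IPSec key life outside 5120-2147483648 kbytes")
    if cfg["nat_traversal"] and not _in_range(cfg["keepalive_s"], KEEPALIVE_S):
        problems.append("keepalive frequency outside 0-900 seconds")
    if len(cfg["remote_networks"]) > MAX_REMOTE_NETWORKS:
        problems.append("more than 16 remote networks")
    return problems


def find_mismatches(client, gateway):
    """Compare both ends for the configuration errors listed in Table 4.

    The preshared key is deliberately not compared: copying it into audit
    data would expose it.
    """
    issues = []
    behind_gw = [ipaddress.ip_network(n) for n in gateway["protected_networks"]]
    for text in client["remote_networks"]:
        net = ipaddress.ip_network(text)   # accepts address/netmask form
        if not any(net.subnet_of(g) for g in behind_gw):
            issues.append(f"remote network {text} is not behind the gateway")
    if (client["mode"] == "aggressive"
            and client["local_id"] != gateway["expected_peer_id"]):
        issues.append("wrong Aggressive Mode peer ID")
    for phase in ("ike", "ipsec"):
        key = f"{phase}_proposals"
        # Negotiation needs at least one proposal that both sides list.
        if not set(client[key]) & set(gateway[key]):
            issues.append(f"no {phase} proposal in common")
    if not set(client["ike_dh_groups"]) & set(gateway["ike_dh_groups"]):
        issues.append("no IKE DH group in common")
    if client["ipsec_dh_group"] != gateway["ipsec_dh_group"]:
        issues.append("IPSec DH group differs")
    if gateway["pfs_required"] and not client["pfs"]:
        issues.append("PFS required by the gateway but disabled on the client")
    return issues


# Constructed sample settings, not taken from a real deployment.
CLIENT = {
    "mode": "aggressive", "local_id": "branch-laptop",
    "ike_proposals": [("3DES", "SHA1")], "ike_dh_groups": [2, 5],
    "ike_keylife_s": 28800,
    "ipsec_proposals": [("AES128", "SHA1")], "ipsec_dh_group": 5,
    "ipsec_keylife_s": 60, "ipsec_keylife_kb": None,
    "pfs": False, "nat_traversal": True, "keepalive_s": 5,
    "remote_networks": ["10.1.0.0/255.255.0.0", "192.168.50.0/255.255.255.0"],
}
GATEWAY = {
    "mode": "aggressive", "expected_peer_id": "branch-laptop",
    "ike_proposals": [("3DES", "SHA1"), ("AES128", "SHA1")],
    "ike_dh_groups": [5],
    "ipsec_proposals": [("3DES", "MD5")], "ipsec_dh_group": 5,
    "pfs_required": True,
    "protected_networks": ["10.1.0.0/16"],
}

if __name__ == "__main__":
    for line in validate_client(CLIENT) + find_mismatches(CLIENT, GATEWAY):
        print("-", line)
```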

Managing digital certificates

To use local or smartcard digital certificates, you need:

• a signed certificate,

• the certificate authority (CA) certificates for any CAs you are using,

• any applicable certificate revocation lists (CRLs) or the URL for Online Certificate Status Protocol (OCSP) validation.

Getting a signed local certificate

If you want to have a local certificate signed by the CA server and then import it into FortiClient, follow the steps below.

The FortiClient software can use a manual, file based enrollment method or the simple certificate enrollment protocol (SCEP) to get certificates. SCEP is simpler, but can only be used if the CA supports SCEP.

File-based enrollment requires copying and pasting text files from the local computer to the CA, and from the CA to the local computer. SCEP automates this process but CRLs must still be manually copied and pasted between the CA and the local computer.

Note: The digital certificates must comply with the X.509 standard.

General steps to get a signed local certificate

1 Generate the local certificate request. See “To generate a local certificate request” on page 33 .

2 Export the local certificate request to a .csr file. See “To export the local certificate request” on page 34 .

3 Send the signed local certificate request to a CA. See “To send the certificate request to a CA” on page 34.

4 Retrieve the signed certificate from a CA. See “To retrieve the signed local certificate from the CA” on page 34.

5 Import the signed local certificate into FortiClient. You can also back up the certificate by exporting it. See “To import the signed local certificate” on page 34 and “To export the signed local certificate” on page 35.


Figure 10: Generating a local certificate request


To generate a local certificate request

1 Go to VPN > My Certificates.

2 Select Generate.

3 Enter a Certificate Name.

4 Under subject information, select the ID Type for the subject.

You can select from Domain Name, Email Address or IP Address.

5 Enter the information for the ID type that you selected.

Domain name: Enter the fully qualified domain name of the FortiClient computer being certified.

Email address: Enter the email address of the owner of the FortiClient computer being certified.

IP address: Enter the IP address of the FortiClient computer being certified.

6 Optionally select Advanced and enter the advanced setting information.

Email: Enter a contact email address for the FortiClient computer user.

Department: Enter a name that identifies the department or unit within the organization requesting the certificate for the FortiClient computer (such as Manufacturing or MF).

Company: Enter the legal name of the organization requesting the certificate for the FortiClient computer.

City: Enter the name of the city or town where the FortiClient computer is located.

State/Province: Enter the name of the state or province where the FortiClient computer is located.

Country: Enter the name of the country where the FortiClient computer is located.

7 Select OK. The FortiClient software generates 1024-bit keys.

8 Select either File Based or Online SCEP as the Enrollment Method.


9 If you selected file based enrollment, select OK.

The private/public key pair is generated and the certificate request is displayed in the My Certificates list with the type of Request. Continue with “To export the local certificate request”.

10 If you selected Online SCEP as the Enrollment Method, select an issuer CA from the list provided or enter the URL of the CA server.

If the FortiClient computer uses a proxy server, you must configure the proxy server settings before you can use online SCEP. See “Configuring proxy server settings” on page 16.

11 In the Challenge Phrase field, enter the challenge phrase if the certificate authority requires it.

12 Select OK.

The FortiClient software:

• submits the local certificate request,

• retrieves and imports the signed local certificate,

• retrieves and imports the CA certificate.

The signed local certificate is displayed on the Local Certificates list with the type of Certificate. The CA certificate is displayed on the CA Certificates list. The expiration dates of the certificates are listed in the Valid To column of each list.

Continue with “Validating certificates” on page 36.

To export the local certificate request

1 Go to VPN > My Certificates.

2 From the certificate list, select the local certificate to export.

3 Select Export.

4 Name the file and save it in a directory on the FortiClient computer.

After exporting the certificate request, you can submit it to the CA so that the CA can sign the certificate.

To send the certificate request to a CA

1 On the FortiClient computer, open the local certificate request using a text editor.

2 Connect to the CA web server.

3 Follow the CA web server instructions to:

• add a base64 encoded PKCS#10 certificate request to the CA web server,

• paste the certificate request to the CA web server,

• submit the certificate request to the CA web server.

To retrieve the signed local certificate from the CA

After you receive notification from the CA that it has signed the certificate request, connect to the CA web server and download the signed local certificate to the FortiClient computer.

To import the signed local certificate

1 Go to VPN > My Certificates.

2 Select Import.

3 Enter the path or browse to locate the signed local certificate on the FortiClient computer.

4 Select OK.

The signed local certificate is displayed on the My Certificates list with the Type as Certificate. The expiration date of the certificate is listed in the Valid To column.

To export the signed local certificate

1 Go to VPN > My Certificates.

2 Select the certificate and select Export.

3 In the Save As dialog box, select the folder where you want to save the file.

4 Enter a file name.

5 Select either PKCS7 or PKCS12. If you select PKCS12, you must enter a password of at least eight characters.

6 Select Save.

Getting a signed smartcard certificate

If you are using a USB token (smartcard) certificate for authentication, you must also have the certificate signed by the CA server and install the signed certificate on your token.

The following procedures use a Windows 2000 Advanced Server as an example.

Note: Current FortiClient releases have been tested with the Aladdin eToken PRO and Aladdin eToken NG-OTP series USB tokens.

General steps to get a signed smartcard certificate

1 Send the certificate request to the CA server. See “To send a certificate request” on page 35.

2 Install the signed certificate on the token. See “To install a certificate” on page 36 .

To send a certificate request

1 Log on to the CA server, for example, http://<CA_server>/certsrv.

2 Select Request a certificate, then select Next.

3 Select Advanced request, then select Next.

4 Select Submit a certificate request to this CA using a form.

5 In the request form:

• Enter the identifying information.

• For Intended Purpose, select Client Authentication Certificate.

• For CSP, select eToken Base Cryptographic Provider.

• Leave all other default settings.

6 Select Submit.

7 When prompted to enter the eToken password, enter the password. If you have not plugged the USB token into your computer’s USB port, you must do so now. Then the CA Web page displays that your certificate request has been received.

To install a certificate

1 Log on to the CA Server if the certificate has been signed.

2 Select Checking on a pending certificate, then select Next.

3 Select the certificate request, then select Next.

4 Select Install this certificate to install the certificate to the USB token.

Getting a CA certificate

For the FortiClient software and the FortiGate gateway to authenticate themselves to each other, they must both have a CA certificate from the same CA.

The FortiClient computer obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiClient computer.

Note: The CA certificate must comply with the X.509 standard.

To retrieve the CA certificate

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the CA certificate.

To import the CA certificate

1 Go to VPN > CA Certificates.

2 Select Import.

3 Enter the path or browse to locate the CA certificate on the FortiClient computer.

4 Select OK.

The CA certificate is displayed on the CA Certificates list. The expiration date of the certificate is listed in the Valid To column.

Validating certificates

FortiClient can validate certificates using Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRL).

A CRL is a list of CA certificate subscribers paired with digital certificate status. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

The FortiClient software uses the CRL to ensure that the certificates belonging to the CA and the remote VPN peer are valid.

OCSP, if available, provides more up-to-date validation of certificates without maintaining CRLs in the FortiClient application.

To enable OCSP

1 Go to VPN > CRL.

2 Select Enable OCSP.

3 In the Responder Host box, enter your OCSP responder host name.

Your network administrator can provide this information.

4 In the Port box, enter your CA’s OCSP port number. The default is 80.

5 Select Apply.

To retrieve the CRL

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the CRL.

To import the CRL

1 Go to VPN > CRL.

2 Select Import.

3 Enter the path or browse to locate the CRL on the FortiClient computer.

4 Select OK.

The CRL is displayed on the CRL list.

Antivirus

Using the FortiClient antivirus feature, you can protect your computer by regularly scanning your files for viruses. The FortiClient software can also perform real-time virus protection and monitor Windows Registry changes. This section includes the following topics:

Scanning for viruses

Configuring antivirus settings

Configuring real-time protection

Configuring email scanning

Configuring server protection

Monitoring Windows startup list entries

Scanning for viruses

You can run a quick scan to detect the most malicious viruses and worms. You can also set up scan schedules and scan the files in a specified folder.

Depending on the option you choose on the Antivirus Settings tab, the FortiClient software does one of the following when it finds viruses:

• Displays a virus alert message.

• Quarantines the virus-infected file.

• Cleans the virus-infected file.

For information about how to configure what happens when the FortiClient software finds a virus, see “Configuring antivirus settings” on page 41.

Figure 11: Scanning for viruses

During AV scanning, the FortiClient system tray icon is animated.

A bar repeatedly rolls from the bottom to the top of the icon.

To run a quick scan

1 Go to AntiVirus > Scan.

2 Select Quick Scan.

The Antivirus Scanning window opens, displaying the scanning process and results.

The Infected file list displays the names of any infected files.

3 You can use the Pause/Resume or Stop buttons to interrupt the scan.

4 In the Infected file list, you can right-click on entries and choose from the following actions:

• Delete the file

• Quarantine the file

• Submit Virus to Fortinet

• Submit as false positive to Fortinet

5 To view the log file for the scan, select View Result.

6 Select Close to close the Antivirus Scanning window.

To scan files in a specified directory

1 Go to AntiVirus > Scan.

2 In the File System Scan section, select Browse to locate the directory to scan.

3 Select Scan Now.

The Antivirus Scanning window opens, displaying the scanning process and results.

The Infected file list displays the names of any infected files.

4 In the Infected file list, you can right-click on entries and choose from the following actions:

• Delete the file

• Quarantine the file

• Submit Virus to Fortinet

• Submit as false positive to Fortinet

5 To view the log file for the scan, select View Result.

6 Select Close to close the Antivirus Scanning window.

To perform a full system scan

1 Go to AntiVirus > Scan.

2 In the File System Scan section, select Full System Scan.

3 Select Network drives or Removable media if you want them included in the scan.

Optionally, you can change the relative priority of virus scanning compared to other processes.

4 Select Start.

The Antivirus Scanning window opens, displaying the scanning process and results.

The Infected file list displays the names of any infected files.

5 Optionally, right-click on entries in the Infected file list and choose one of the following actions: Delete, Quarantine, Submit Virus to Fortinet, Submit as false positive to Fortinet.

To manage scan schedules

1 Go to AntiVirus > Scan.

2 In the Scheduled Scan section, select Add.

3 In the New Schedule dialog box, set up a new schedule.

You can set up daily, weekly, or one-time schedules. You can also specify which folder to scan.

4 To modify a schedule, select the schedule and then select Edit.

5 To delete a schedule, select the schedule, then select Delete.

During scheduled antivirus scans, the AntiVirus Scanning window normally does not display unless a virus is found. Optionally, to view this window right-click the FortiClient system tray icon and select Show AV scan window(s).

Configuring antivirus settings

You can specify what types of files to scan and what to do when a virus is detected. You can also specify an SMTP server to use when submitting a quarantined file to Fortinet for analysis. For information on how to submit a quarantined file, see “Managing quarantined files” on page 48.

Figure 12: Configuring antivirus settings

To configure antivirus settings

1 Go to AntiVirus > Settings.

2 Select the file types to be scanned.

3 Add or delete file types to be scanned for viruses. See “Selecting file types to scan or exclude” on page 42.

4 Select files, folders and file types to be excluded from virus scanning.

• To exclude a file or folder, click the Select file and folders button, then select Add to add the file or folder to the exemption list.

• To exclude a file type, click the Select file types button, then add the file types. For more information, see “Selecting file types to scan or exclude” on page 42.

5 Select what to do when a virus is found. The default is Clean.

Alert - display a message if a virus is detected during real-time file system monitoring.

Quarantine - move the file to a quarantine directory.

Clean - attempt to remove the virus from the infected file. If this is not possible, move the file to the quarantine area. If you want to save a copy of the virus, select Save a copy in quarantine area before cleaning.

6 Configure the settings to submit viruses. See “Specifying an SMTP server for virus submission” on page 44 .

7 If you want to add a FortiClient antivirus scan command to the Windows Explorer shortcut menu, select Integrate with Windows shell. See “Integrating FortiClient antivirus scanning with Windows shell” on page 44.

8 Optionally, select the Notify user the virus signature is out of date option.

9 Optionally, select the Scan removable media on insertion option.

10 Optionally select Advanced Settings.

On the Advanced Settings dialog box, you can:

• specify whether to scan compressed files and set the file size limit. The default size limit is 0, which means no limit.

• specify whether to scan grayware and what types of grayware to look for.

• enable heuristic scanning. FortiClient software uses heuristic techniques to scan files to find unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection.

Selecting file types to scan or exclude

If you do not want the FortiClient software to scan all files for viruses, you can select file types from the default list of file types. You can add file types to or delete file types from the default file types list. You can create a list of file types to exclude from virus scanning.

You can also reset the file types list to defaults.

Note: The exclusion list takes priority over the inclusion list. For example, if you select a file extension to scan, and also add the same file extension to the exclusion list, files with this extension will not be scanned.

Figure 13: Adding a new file extension

To add a new file type to the file types or exclusion list

1 Go to AntiVirus > Settings.

2 Under File types to scan, select Program files and documents.

3 Under either File types to scan or Exclusion list, click Select file types.

4 Select New.

5 Type the file extension to add to the list. You can also add file types with double extensions.

6 Select OK.

Note: Scanning files with no extension is enabled by default.

Selecting files and folders to exclude from scanning

There may be some folders or specific files that you do not want FortiClient software to scan for viruses. You can add these files and folders to the files and folders exclusion list.

To add files and folders to the exclusion list

1 Go to AntiVirus > Settings.

2 Click Select files and folders.

The AntiVirus Options window opens.

3 Select Add.

4 Navigate to the desired file or folder and select it.

5 Select OK.

6 Add or remove other files and folders as needed.

7 Select OK.

Note: You can also exclude a file or folder from AV scanning after it has been quarantined. In the quarantine file list, right-click the file and select Exclude file/folder from AV scanning. For more information see “Managing quarantined files” on page 48.

To remove files and folders from the exclusion list

1 Go to AntiVirus > Settings.

2 Click Select files and folders.

The AntiVirus Options window opens.

3 Select the file or folder that you want to remove from the list.

4 Select Delete.

5 Add or remove other files and folders as needed.

6 Select OK.
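
The selection rules described in this section (the exclusion list takes priority over the file types list, files with no extension are scanned by default, double extensions can be listed) can be modelled to review what a given configuration leaves unscanned. The following is an added example, not FortiClient code; the function names, the case-insensitive suffix matching and the treatment of an excluded folder as covering everything below it are assumptions.

```python
from pathlib import PureWindowsPath


def norm_ext(ext):
    """Normalise 'EXE', '.exe' or 'tar.gz' to lower case with one leading dot."""
    return "." + ext.strip().lower().lstrip(".")


def has_ext(name, ext):
    """True if the file name ends with ext; this also covers double extensions."""
    ext = norm_ext(ext)
    name = name.lower()
    # Require something before the extension so a bare ".gz" is not a match.
    return name.endswith(ext) and len(name) > len(ext)


def is_under(path, root):
    """True if path is the excluded file itself or lies below the excluded folder."""
    p = tuple(x.lower() for x in PureWindowsPath(path).parts)
    r = tuple(x.lower() for x in PureWindowsPath(root).parts)
    # Compare whole path components so C:\Buildings is not matched by C:\Build.
    return len(r) > 0 and p[:len(r)] == r


def scan_decision(path, scan_types, excluded_types, excluded_paths, all_files=False):
    """Return (scanned, reason) for one path under the modelled settings."""
    name = PureWindowsPath(path).name
    # Exclusions are checked first because they take priority over inclusion.
    for root in excluded_paths:
        if is_under(path, root):
            return False, "excluded path: " + root
    for ext in excluded_types:
        if has_ext(name, ext):
            return False, "excluded type: " + norm_ext(ext)
    if all_files:
        return True, "all files"
    # Files with no extension are scanned by default.
    if PureWindowsPath(name).suffix == "":
        return True, "no extension"
    for ext in scan_types:
        if has_ext(name, ext):
            return True, "listed type: " + norm_ext(ext)
    return False, "type not listed"


def unscanned(paths, scan_types, excluded_types, excluded_paths, all_files=False):
    """List the (path, reason) pairs that a configuration leaves unscanned."""
    result = []
    for path in paths:
        scanned, reason = scan_decision(
            path, scan_types, excluded_types, excluded_paths, all_files
        )
        if not scanned:
            result.append((path, reason))
    return result


# Constructed sample configuration and file names, not taken from a real system.
SCAN_TYPES = ["exe", "dll", "doc", "js"]
EXCLUDED_TYPES = ["doc", "tar.gz"]
EXCLUDED_PATHS = [r"C:\Build"]
SAMPLE_PATHS = [
    r"C:\Users\a\report.DOC",     # listed type, but also on the exclusion list
    r"C:\Users\a\setup.exe",      # listed type
    r"C:\build\out\tool.exe",     # below an excluded folder
    r"C:\Users\a\README",         # no extension
    r"C:\Users\a\backup.tar.gz",  # excluded double extension
    r"C:\Users\a\notes.txt",      # not on the file types list
]

if __name__ == "__main__":
    for path, reason in unscanned(SAMPLE_PATHS, SCAN_TYPES, EXCLUDED_TYPES, EXCLUDED_PATHS):
        print(f"{path}: {reason}")
```

Reviewing the output of `unscanned` against an inventory of real paths shows which executables and documents an exclusion entry removes from scanning before the setting is applied.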

Specifying an SMTP server for virus submission

Instead of using the default mail server, you can specify an SMTP server to use when submitting the quarantined files.

To specify an SMTP server

1 Go to AntiVirus > Settings.

2 Under Virus Submission, select Use this mail account to submit virus.

3 In the SMTP server field, enter the SMTP server that you use for outgoing email.

4 If the SMTP server needs authentication to log on, select Need authentication and enter the logon user name and password.

5 Select Apply.

Integrating FortiClient antivirus scanning with Windows shell

By integrating FortiClient antivirus scanning with Windows shell, you can use the FortiClient antivirus shortcut menu in Windows Explorer to scan the selected folders or files for viruses.

To integrate with Windows shell

1 Go to AntiVirus > Settings.

2 Select Integrate with Windows Shell.

3 Select Apply.

In Windows Explorer, you can right-click on folders or files and select Scan with FortiClient Antivirus to scan them.

Configuring real-time protection

Configure real-time protection settings to specify

• which file types to scan

• which file types to exclude from scanning

• what to do when a virus is detected during real-time monitoring

Figure 14: Configuring real-time protection

To configure real-time protection

1 Go to AntiVirus > Realtime Protection.

2 In File types to scan, select either All files or Program files and documents, as needed.

If you select Program files and documents, you can modify the list of file types to be scanned. See “Selecting file types to scan or exclude” on page 42.

3 Optionally, select files, folders and file types to be excluded from virus scanning.

• To exclude a file type, see “Selecting file types to scan or exclude” on page 42.

• To exclude a file or folder, see “Selecting files and folders to exclude from scanning” on page 43.

4 Under What to do when a virus is found, select Deny Access, Quarantine or Clean.

Deny Access - You cannot open, run or modify the file until it is cleaned.

Quarantine - The file is moved to a quarantine directory.

Clean - The FortiClient agent attempts to remove the virus from the infected file.

Clean is selected by default.

Optionally, select Save a copy in quarantine area before cleaning.

Note: If FortiClient cannot clean an infected file, it quarantines the file automatically.

5 Select or clear the following two options:

• Do not pop up alert message box in real-time scan

• Do not pop up alert message box in registry monitor

6 Optionally select Advanced Settings.

On the Advanced Settings dialog box, you can:

• enable scanning of compressed files. You can also specify the largest compressed file that FortiClient will scan. A size limit of 0 means no limit.

• enable grayware scanning and specify which types of grayware to look for.

• enable heuristic scanning. FortiClient software uses heuristic techniques to scan files to find the unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection. You can choose to deny access to files heuristics finds suspicious or to only display a warning.

• enable scanning of files when written to or read from disk, optionally including files on network drives.

7 Select Apply.

To enable real-time protection

1 Go to General > Status.

2 In the Antivirus section, select Enable real-time protection.

Note: If you disable real-time protection, confirmation is required. The confirmation dialog imposes a four second wait for the Yes button to be available.

Configuring email scanning

FortiClient software can scan incoming and outgoing email and email attachments for viruses and worms.

FortiClient software can also use heuristic techniques to scan email attachments to find unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at the characteristics of a file, such as size or architecture, as well as the behavior of its code to determine the likelihood of an infection.

To scan email for viruses

1 Go to Antivirus > Email.

2 In the Virus scanning section, select SMTP for outgoing mail, POP3 for incoming mail and MS Outlook if Outlook connects to a Microsoft Exchange server.

3 To prevent worms from spreading via email, select Enable email worm detection. Then select what to do when a malicious action is detected: either Terminate the offending process or Prompt user to ask whether to terminate the process.

This is available only if you enabled SMTP virus scanning.

4 To apply heuristic scanning, in the Heuristics scanning section, select Enable email attachments heuristics scanning. Then select what to do when a suspicious attachment is detected: either Log warning message or Strip and quarantine.

Configuring server protection

If FortiClient Endpoint Security is installed on a server, you have access to settings relevant to servers.

Exchange Server protection in version 4.0 of FortiClient Endpoint Security is included for customer evaluation and is available only if enabled at installation.

Figure 15: Server protection settings

1 Go to AntiVirus > Server Protection.

2 In the Exchange Server Options section, select the following options as needed:

Integrate virus scanning into Exchange 2003/2007 - Scan Exchange data stores for viruses.

When a virus is found - Select the action to take:

• Quarantine the attachment — You can go to Antivirus > Quarantine to see the quarantined attachment files and restore or delete them.

• Remove the attachment only — The infected attachment is removed, but the body of the message remains.

Exclude the Exchange filesystem files from file scanning - Fortinet recommends that you enable this setting to avoid impairing the operation of the Exchange server.

Exclude all files that have extensions associated with Exchange Server - Fortinet recommends that you enable this setting to avoid impairing the operation of the Exchange server.

3 In the SQL Server Options section, select the following options as needed:

Exclude SQL Server filesystem files from file scanning - Fortinet recommends that you enable this setting to avoid impairing the operation of SQL server.

Exclude all files that have extensions associated with SQL Server from virus scanning - Fortinet recommends that you enable this setting to avoid impairing the operation of SQL server.

4 Select Apply.

Managing quarantined files

Infected files are quarantined if you select the Quarantine or Clean options in either AntiVirus > Settings or AntiVirus > Realtime Protection. Unless you enable Save a copy in quarantine area before cleaning, the Clean option quarantines only the files that it cannot clean.

Go to AntiVirus > Quarantine to manage quarantined files.

Automatically delete quarantined files - Quarantine retains all files until you delete or restore them, unless you configure automatic deletion.

Delete files older than - Enable to automatically delete quarantined files. Enter the number of days to retain files. Select Apply.

Restore - Move the selected file back to its original location. Caution: The restored file might be infected.

Refresh - Update the displayed list of files.

Delete - Delete the selected file.

Submit >>> - You can select files in the quarantined file list and use either of the following options to submit it to Fortinet. Note: You can submit a maximum of three files per day. Submission uses the default mail server unless you specify an alternate SMTP server in Antivirus > Settings. See “Specifying an SMTP server for virus submission” on page 44.

Submit virus - Submit the selected file to Fortinet as a virus.

Submit as false positive - Alert Fortinet that the selected file is not a virus.

If there is a file in the quarantine list that you do not want scanned in future, right-click on the list entry and select Exclude file/folder from AV scanning.

Monitoring Windows startup list entries

Some viruses can modify existing Windows registry entries or insert new entries to cause malicious code to be executed when you start or log on to Windows. The FortiClient software can monitor the Windows startup list and detect unauthorized changes to the registry. The FortiClient software assumes the following registry changes are unauthorized if the changes were not made by an authorized user:

• adding, removing or modifying an application installation,

• changing an existing application’s configuration settings.

Note: Monitoring the Windows Registry is not supported on 64-bit Microsoft Windows XP.

The startup list shows the Windows registry entries for any applications that are started as part of your Windows profile when you log on to Windows. The list includes applications that are displayed in the system tray. The list also includes any applications that are started transparently and are not displayed in the system tray.

Entries are displayed in three lists:

• The Rejected entries list displays new, unauthorized startup entries.

• The Changed entries list displays previously existing entries that have changed since the last Windows startup.

• The Current startup list displays all current registry entries.

The startup list is checked when the FortiClient software starts.

Figure 16: Registry Monitor

To view Windows startup list entries

1 Go to AntiVirus > Registry Monitor.

2 Under What to view, select Rejected entries, Changed entries or Current startup list.

3 Optionally select Refresh to refresh the startup list entries to view recently added, changed or rejected registry entries.

Restoring changed or rejected startup list entries

Changed or rejected entries can be restored.

Caution: If you are unsure what application an entry is for, do not restore the startup list entry.

To restore a changed or rejected startup list entry

1 Go to AntiVirus > Registry Monitor.

2 Under What to view, select Changed entries or Rejected entries.

3 Select the entry you want to restore.

4 Select Restore.

Firewall

Using the FortiClient firewall feature, you can protect your computer by using the following FortiClient firewall features:

Application level network access control — You can specify the applications that can access the network and be accessed by the network.

Network security zone — The network is categorized into two zones: the Public Zone and the Trusted Zone. You can configure different security settings for each zone.

Intrusion detection — FortiClient firewall can detect and block common network attacks.

Advanced firewall rules — You can create specific rules to control the traffic based on source addresses, destination addresses, protocols, or time frames.

For outbound traffic, only application level control rules are applied. The advanced firewall rules have no effect.

For inbound traffic, the advanced firewall rules will be applied first, then the application control rules.

For the traffic related to system processes, such as NetBIOS, traffic is accepted only when it is allowed by both advanced rules and zone security settings.

Selecting a firewall mode

By default, FortiClient firewall runs in Normal mode to protect your system. You can go to Firewall > Status to select a different firewall mode (protection level).

FortiClient firewall has the following running modes:

Deny all - Blocks all the incoming and outgoing traffic.

Normal - You can select from the three protection profiles. See “Selecting a firewall profile” on page 51.

Pass all - No firewall protection.

Selecting a firewall profile

If you select the Normal firewall mode on Firewall > Status, you can select from the following three firewall protection profiles:

Basic home use - Allows all outgoing traffic and denies all incoming traffic. Select this profile if your PC is a standalone home computer and not connected to other networks or PCs.

Basic business - Allows all outgoing traffic, allows all incoming traffic from the trusted zone, and denies all incoming traffic from the public zone. For zone information, see “Configuring network security zones” on page 55. This is the default profile.

Custom profile - The Custom profile allows you to configure the application level permissions, network zone permissions, and advanced firewall filtering rules. See “Configuring application access permissions” on page 52, “Configuring network security zones” on page 55, and “Configuring advanced firewall rules” on page 57.

Viewing network statistics

You can configure the FortiClient software to display the following network traffic information:

Figure 17: Firewall status

Inbound traffic - Number of incoming network packets.

Outbound traffic - Number of outgoing network packets.

Blocked network packets - Network packets that are blocked by the firewall.

Blocked application request - Number of blocked requests from outside to access your local applications and vice versa.

Current connections - Number of current connections between your system and the network.

To view the traffic information

1 Go to Firewall > Status.

2 Select the traffic type you want to view. The information displays in the graphical monitor.

3 Select View Connections to view the current active connections, listening ports, PID, and other detailed information.

4 Select Close.

5 By default, whenever FortiClient firewall blocks network traffic, a notification pops up in the FortiClient system tray area. To disable the blocked traffic notification, select the Disable taskbar notification for blocked network traffic option.

Configuring application access permissions

You can specify which applications can access the network and be accessed by the network. To do this, you assign the applications access permissions. Three levels of access permissions are available:

Allow - Allows the application network access.

Ask - Prompts to ask your permission for the application to have network access.

Block - Blocks all network access for the application.

Note: For applications not listed in the access control list, you will be asked whether to allow them network access. By default, FortiClient allows the legitimate Windows system applications to access the network. These applications are displayed in the application control list. You can modify or delete the permission levels of these applications.

Note: You cannot edit or delete settings for the fortiproxy application.

Apart from application access control, network zone security, and intrusion detection, FortiClient firewall protects your computer with another layer of security: advanced firewall rules.

The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify:

• Source and destination addresses can be your own computer, one of the two zones (Public Zone and Trusted Zone), a single IP address, a range of IP addresses, a subnet, or an address group. For information about adding an address group, see “Managing groups” on page 58.

• Network protocols can be TCP, UDP, or TCP/UDP.

• Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day.

The advanced firewall rules take precedence over the zone security settings. For example, if a rule blocks the traffic to the Trusted Zone, the traffic will be blocked.

To add an application to the access control list

1 Go to Firewall > Applications.

2 Select Add.

3 In the Add New Application dialog box, enter or browse to the application Path.

4 Select permission levels for the public zone and trusted zone.

5 Select OK.

Note: Permission levels for the public zone can only be lower than or equal to those for the trusted zone.

To create a firewall rule

1 Go to Firewall > Applications.

2 Select Edit > Advanced > Add.

3 In the Advanced Firewall Filtering Rule dialog box, enter the following information and select OK.

Name: Enter a name for the rule.

Description: Optionally, enter a short description.

State: Either Enable or Disable the rule.

Action: Either Allow or Block the traffic.

Source: Apply the rule to the traffic that originates from the source address and terminates at your computer. Select Add>>> to add the source address. For information about adding an address group, see “Managing address, protocol and time groups” on page 54.

Destination: Apply the rule to the traffic that originates from your computer and terminates at the destination address. Select Add>>> to add the destination address. For information about adding an address group, see “Managing address, protocol and time groups” on page 54.

Protocol: Select Add>>> to add a protocol to the rule. While specifying the protocol in the Add Protocol dialog box, you can also specify the destination and source ports.

Time: Select Add>>> to add a day/time range when the rule should be executed. In the Add Time dialog box, specify a description, time range and one or more days. Time range is specified using a 24 hour clock.

Bind this rule to: Select all adapters or a single ethernet adapter on your computer to apply this rule.

Note: You can use any combination of the filtering criteria.

Managing address, protocol and time groups

To simplify management, you can combine the source addresses, destination address, protocols, and time schedules into groups and use the groups when creating rules.

To create a group

1 Go to Firewall > Applications.

2 Select Edit > Advanced > Groups.

3 Select Address Group, Protocol Group, or Time Group.

4 Select Add.

5 Enter a name and description.

6 Select Add.

7 For an address group, enter the Subnet, IP Range, IP Address, or FQDN (fully qualified domain name). For a protocol group, specify the Protocol, Destination Port, and Source Port numbers. For a time group, specify the day and time range.

8 Select OK.

Configuring network security zones

FortiClient firewall protects your system by categorizing the network systems into three zones. Go to Firewall > Network to configure these zones.

Figure 18: Network security zones

Public Zone: By default, FortiClient firewall treats IP addresses in the public zone with the highest security level. You can also customize the security levels. See “Customizing security settings” on page 56.

Trusted Zone: By default, FortiClient firewall treats IP addresses in the trusted zone with medium-level security settings. For information about security level settings, see “Customizing security settings” on page 56.

Blocked Zone: All traffic to and from IP addresses in the blocked zone is not allowed.

FortiClient firewall prioritizes the zones in the order of blocked zone, trusted zone, and public zone. This means:

• If an IP address is listed in all of the three zones, it will be blocked.

• If it is listed in both the trusted and public zones, it will be trusted.

• If it is not listed in any of the three zones, it will be public.

Adding IP addresses to zones

You can add a subnet, an IP range, or an individual IP address to the network zones. You can also edit or delete the existing IP entries.

To add IP addresses

1 Go to Firewall > Network.

2 Select Add.

3 In the IP Address dialog box, select a zone and enter the IP addresses that belong to it.

4 Optionally, enter a description.

5 Select OK.
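The zone precedence described above (blocked, then trusted, then public), applied to entries given as a subnet, an IP range or a single IP address, can be checked before the entries are typed into the dialog. This is an added example, not FortiClient code; the text syntax for entries, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Precedence stated in the guide: blocked zone, then trusted zone, then public zone.
ZONE_PRIORITY = ("blocked", "trusted", "public")


def parse_entry(text):
    """Return (first, last) addresses for a single IP, a CIDR subnet or a 'start-end' range.

    The text syntax is an assumption for this example; FortiClient takes
    these values through the IP Address dialog box.
    """
    text = text.strip()
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {text!r}")
        return start, end
    net = ipaddress.ip_network(text, strict=False)
    return net[0], net[-1]


def build_zones(config):
    """Map each zone name to a list of (entry_text, first, last) tuples."""
    return {zone: [(e, *parse_entry(e)) for e in config.get(zone, [])]
            for zone in ZONE_PRIORITY}


def zones_listing(zones, address):
    """Every zone whose entries contain the address, highest priority first."""
    ip = ipaddress.ip_address(address)
    return [zone for zone in ZONE_PRIORITY
            if any(lo.version == ip.version and lo <= ip <= hi
                   for _, lo, hi in zones[zone])]


def effective_zone(zones, address):
    """Zone that applies: the highest-priority match, or public if unlisted."""
    listed = zones_listing(zones, address)
    return listed[0] if listed else "public"


def shadowed_entries(zones):
    """Overlapping entry pairs as (winning_zone, entry, losing_zone, entry).

    A trusted or public entry that overlaps a higher-priority entry does not
    take effect for the shared addresses, which is easy to miss in a long list.
    """
    found = []
    for i, high in enumerate(ZONE_PRIORITY):
        for low in ZONE_PRIORITY[i + 1:]:
            for h_text, h_lo, h_hi in zones[high]:
                for l_text, l_lo, l_hi in zones[low]:
                    same_family = h_lo.version == l_lo.version
                    if same_family and h_lo <= l_hi and l_lo <= h_hi:
                        found.append((high, h_text, low, l_text))
    return found


# Constructed sample entries (documentation and private address ranges).
SAMPLE_CONFIG = {
    "blocked": ["192.0.2.66", "198.51.100.0/24"],
    "trusted": ["192.168.1.0/24", "192.0.2.0/24", "198.51.100.10-198.51.100.20"],
    "public": ["192.0.2.66", "192.168.1.50"],
}
ZONES = build_zones(SAMPLE_CONFIG)

if __name__ == "__main__":
    for addr in ("192.0.2.66", "192.168.1.50", "198.51.100.15", "203.0.113.9"):
        print(addr, zones_listing(ZONES, addr), "->", effective_zone(ZONES, addr))
    for winner, w_entry, loser, l_entry in shadowed_entries(ZONES):
        print(f"{loser} entry {l_entry} overlaps {winner} entry {w_entry}")
```
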

Customizing security settings

For the public and trusted zones, you can use the default high, medium, or low level security settings. You can also customize these default settings.

High: By default, incoming connections are allowed only if there are listening ports for these connections.

Medium: By default, most connections are allowed unless you customize the settings. Note that the default medium security level settings for public and trusted zones are different:

• For public zone, the incoming ICMP and NetBIOS packets are blocked.

• For trusted zone, these packets are allowed.

Low: Packet level rule is disabled and application level control is on.

Note: The security level for the public zone can only be higher than or equal to that for the trusted zone.

To customize the security settings

1 Go to Firewall > Network.

2 For Public Zone Security Level or Trusted Zone Security Level, move the slider to High or Medium.

Note: Low level security disables packet level rules and you cannot customize the Low level settings.

3 Select Settings.

4 If you select High level, modify the following settings and select OK.

Allow ICMP in: Allow incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.

Allow NetBIOS in: Allow incoming NetBIOS traffic. By default, this option is not selected.

Allow NetBIOS out: Allow outgoing NetBIOS traffic. By default, this option is not selected.

Select one of the following options:

• Allow other inbound traffic coming from this zone: This option is selected by default.

• Block other inbound traffic coming from this zone: This option is not selected by default.

5 If you select Medium level, modify the following settings and select OK.

Block ICMP in: Block incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.

Block NetBIOS in: Block incoming NetBIOS traffic. By default, this option is not selected.

Block NetBIOS out: Block outgoing NetBIOS traffic. By default, this option is not selected.

Configuring intrusion detection

FortiClient software can detect and block some common network attacks using the hardcoded signatures. Because the signatures are hardcoded into the program, to get the latest signatures, you must install the latest FortiClient build.

Go to Firewall > Intrusion Detection to view the IP addresses where the detected attacks originate.

You can move the IP addresses to the blocked zone by selecting the Move to blocked zone button, so that the traffic from these IP addresses will be blocked.

If any of the IP addresses can be trusted, you can move the IP address to the trusted IP list by selecting the Trust this IP button, so that FortiClient will not detect traffic from this IP address any more.

You can also remove an IP from the Trusted IP list by selecting the Don’t trust this IP button.

Configuring advanced firewall rules

Apart from application access control, network zone security, and intrusion detection, FortiClient firewall protects your computer with another layer of security: advanced firewall rules.

The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify:

• Source and destination addresses can be your own computer, one of the two zones (Public Zone and Trusted Zone), a single IP address, a range of IP addresses, a subnet, or an address group. For information about adding an address group, see “Managing groups” on page 58.

• Network protocols can be ICMP, TCP, UDP, or TCP/UDP.

• Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day.

The advanced firewall rules take precedence over the zone security settings. For example, if a rule blocks the traffic to the Trusted Zone, the traffic will be blocked.

To create a firewall rule

1 Go to Firewall > Advanced.

2 Select Add.

3 In the Advanced Firewall Filtering Rule dialog box, enter the following information and select OK.

Name: Enter a name for the rule.

Description: Optionally, enter a short description.

State: Either Enable or Disable the rule.

Action: Either Allow or Block the traffic.

Source: Apply the rule to the traffic that originates from the source address and terminates at your computer. Select Add to add the source address. For information about adding an address group, see “Managing groups” on page 58.

Destination: Apply the rule to the traffic that originates from my computer and terminates at the destination address. Select Add to add the destination address. For information about adding an address group, see “Managing groups” on page 58.

Protocol: Select Add to add a protocol to the rule. While specifying the protocol in the Add Protocol dialog box, you can also specify the destination and source ports.

Time: Select Add to add a day/time range when the rule should be executed. In the Add Time dialog box, specify a description, time range and one or more days. Time range is specified using a 24 hour clock.

Bind this rule to: Select all adapters or a single ethernet adapter on your computer to apply this rule.

Note: You can use any combination of the filtering criteria.

Managing groups

To simplify management, you can combine the source addresses, destination address, protocols, and time schedules into groups and use the groups when creating rules.

To create a group

1 Go to Firewall > Advanced.

2 Select Groups.

3 Select Address Group, Protocol Group, or Time Group.

4 Select Add.

5 Enter a name and description.

6 Select Add.

7 For an address group, enter the subnet, IP range, or IP address. For a protocol group, specify the protocol and port number. For a time group, specify the day and time range.

8 Select OK.

Note: You can edit existing groups, but you cannot change their names.

Web Filter

FortiClient Endpoint Security uses the Fortinet FortiGuard Web Filtering service to help you control web URL access.

FortiGuard Web Filtering sorts hundreds of millions of web pages into a number of content categories. Each web site belongs to one or more categories. Unrated is also considered a category.

FortiGuard Web Filtering can also assign one of several classifications to web sites that provide cached content, such as Google search, or web sites that allow image, audio, or video searches.

Your FortiClient PC accesses the nearest FortiGuard Web Filtering Service Point to determine the categories and classification of a requested web page. The FortiClient application blocks the web page if the web page is in a category or classification that you have blocked.

Web filter profiles specify which categories and classifications of web sites are allowed or blocked. There are three predefined web filter profiles: Default, Child and Adult. You can modify the categories blocked in each profile and create new profiles as needed.

You specify which profile applies to each user of the PC. For instance, you can use the predefined Child web access profile to prevent your children from accessing inappropriate web sites. You also specify a global profile that applies to unknown users.

FortiClient web filtering filters both HTTP and HTTPS web traffic. The filtering process does not compromise the security of the HTTPS connection in any way.

Note: If the FortiGuard service is unreachable or the subscription is expired, URLs are not blocked even if Block all unrated URLs is enabled.

FortiClient web filtering also allows you to specify URLs to always block or to allow by bypassing the web filter.

Setting the administration password

You must set a password to prevent users from modifying the web filter settings, shutting down the program, or uninstalling the program.

To set the password

1 Go to WebFilter.

2 Select Change Password.

3 Enter a password and select OK.

Modifying web filter settings

Web filter profiles define which categories of web sites are blocked. You can modify the predefined web filter profiles or define additional profiles as needed.

You can assign a web filter profile to each user and assign a global profile that applies to any user not specified in the per-user settings.

Configuring the web filter global settings

FortiClient comes with three predefined profiles to allow or block different combinations of web categories:

Default: Default web filter profile, which is initially the same as the Child profile.

Child: Blocks categories that are not suitable for children.

Adult: Only blocks the security violating web sites.

You cannot delete the predefined profiles. You can, however, modify these profiles. Also you can specify URLs to always block or to bypass category blocking.

The Global Profile applies to any user for whom there are no per-user settings.

Figure 19: Web filter global settings

To configure the web filter global settings

1 Go to WebFilter.

2 Select Modify Settings.

3 Enter the password if you have set one.

4 In the Web Filter Settings dialog box, select Enable webfilter.

5 Optionally, you can change the Global profile. You then choose whether the change applies permanently, until the current user logs off or for the next 20, 60 or 120 minutes.

The Global profile applies to users not listed in the Per User settings.

6 Optionally, select Edit List to specify URLs to always block or to bypass the WebFilter.

See “To specify URLs to block or bypass”.

7 Optionally, select Block all unrated URLs, otherwise unrated URLs are allowed.

8 Select OK.

To specify URLs to block or bypass

1 Select Edit List.

2 Select Add.

3 In the Set URL permission dialog box, enter the URL.

In the URL box, you can enter:

• wildcard characters (* and ?) in URLs,

• complete URLs,

• IP addresses,

• partial URLs,

• file types, such as *.jpg to block all jpeg files, and *.swf to block all flash animations.

4 Select Block or Bypass.

5 Select OK.

6 Repeat steps 2 through 5 for each URL that you want to add.

You can also edit existing entries or delete unwanted entries.

7 Select Close.

8 Select OK.

Managing web filter profiles

On the Profile Management tab of WebFilter settings, you can

• modify existing profiles

• create new profiles

• delete unwanted profiles (except Default, Child and Adult)

Figure 20: Web filter profiles

To modify profiles

1 Go to WebFilter.

2 Select Modify Settings.

3 Enter the password if you have set one.

4 On the Global Settings tab, ensure that Enable webfilter is selected.

5 Select the Profile Management tab.

6 Do any of the following:

• Select a profile from the list and modify its settings in the Settings of selected profile section. A red “X” indicates a blocked category or classification.

• Select a profile from the list and select Restore Defaults to undo all modifications.

• Select an unwanted profile from the list and select Delete Profile to remove it.

• Select Create Profile to create a new profile. You can copy an existing profile or create an empty profile that allows all categories. Edit the settings as needed. Select Rename Profile to change the name as needed.

7 Optionally, select Edit List to specify URLs to always block or to bypass the WebFilter.

To specify URLs to block or bypass

1 Go to WebFilter > WebFilter.

2 Select Modify Settings.

3 Enter the password if you have set one.

4 On the Profile Management tab, select the profile for which you want to specify URLs.

5 Select Edit List.

6 Select Add.

7 In the Set URL permission dialog box, enter the URL.

In the URL box, you can enter:

• wildcard characters (* and ?) in URLs,

• complete URLs,

• IP addresses,

• partial URLs,

• file types, such as *.jpg to block all jpeg files, and *.swf to block all flash animations.

8 Select Block or Bypass (allow).

9 Select OK.

10 Repeat steps 6 through 9 for each URL that you want to add.

You can also edit existing entries or delete unwanted entries.

11 Select Close.

12 Select OK.

Configuring web filter per-user settings

If you have administrator privileges on the PC, you can specify which webfilter profile applies to each user. The Global profile specified in webfilter Global Settings applies to any user not specified in Per User settings.

To specify per-user webfilter settings

1 Go to WebFilter.

2 Select Modify Settings.

3 Enter the password if you have set one.

4 In the Web Filter Settings dialog box, select Enable webfilter.

5 Select the Per User Settings tab.

6 Do any of the following:

• To add a user setting, select Add, enter or select a user name, select the profile to apply, and then select OK.

• To modify a user setting, select the user name, select Edit, select a different profile and then select OK.

• To delete a user setting, select the user name and then select Delete.

7 Select OK.

AntiSpam

The AntiSpam feature is a plug-in for Microsoft Outlook and Microsoft Outlook Express (2000 or newer versions). It is supported by the Fortinet FortiGuard AntiSpam service.

Once this feature is enabled and installed in Outlook or Outlook Express, it filters your incoming email and sets up a spam folder in Outlook or Outlook Express to collect spam automatically.

Note: On Microsoft Windows Vista, AntiSpam works in Outlook but not in Windows Mail.

You can do the following:

• Installing antispam plug-in

• Enabling antispam

• Adding white, black, and banned word lists

• Manually labelling email

• Submitting misclassified email to Fortinet

Figure 21: AntiSpam

Figure 22: Antispam plug-in on Outlook

Installing antispam plug-in

Install the antispam plug-in on Microsoft Outlook or Outlook Express (2000 or newer version).

To install antispam plug-in on Outlook

1 On your PC, install Microsoft Outlook or Outlook Express if you do not already have it.

2 Install FortiClient software.

3 Reboot your PC.

A Spam folder appears on the Outlook folder List. Spam sent to you will be put into the Spam folder automatically.

Fortinet website, Mark As Spam and Mark Not Spam icons appear on the Outlook toolbar.

Enabling antispam

You must enable the FortiClient antispam feature for the Outlook plug-in to work.

To enable antispam

1 Go to AntiSpam > Settings.

2 Select Enable AntiSpam.

3 Select Apply.

Note: On Outlook Express, AntiSpam filtering is not effective with an IMAP email server.

Adding white, black, and banned word lists

You can allow (whitelist) or block (blacklist) email addresses and ban email containing the words you specify. By doing so, incoming email will be first filtered against these lists.

• If the email address is in the white list and the email content does not contain any of the banned words, the email will go through without being filtered.

• If the email address is in the black list or the email content contains any of the banned words, the email will be sent to the spam folder.

• If the email address is neither in the white list nor in the black list and the email content does not contain any of the banned words, the email will be filtered by the Fortinet FortiGuard AntiSpam service.

Note: When adding banned words and email addresses to the White/black list, you can use regular expression meta characters.
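The three list rules above, written as a decision function so a planned white/black/banned word list can be checked against sample mail before it is entered. This is an added example, not FortiClient code; the matching semantics (case-insensitive, whole-address match for senders, substring search for banned words), the function names and the sample data are assumptions. The guide does not say what happens when a sender matches both lists and no banned word is present, so the function reports that case instead of choosing.

```python
import re
from collections import namedtuple

SpamLists = namedtuple("SpamLists", "white black banned")


def compile_lists(white, black, banned):
    """Compile list entries as regular expressions (the guide allows metacharacters)."""
    flags = re.IGNORECASE  # assumption: matching is case-insensitive
    return SpamLists([re.compile(p, flags) for p in white],
                     [re.compile(p, flags) for p in black],
                     [re.compile(p, flags) for p in banned])


def classify(lists, sender, body):
    """Return 'deliver', 'spam', 'fortiguard' or 'ambiguous' for one message."""
    on_white = any(p.fullmatch(sender) for p in lists.white)
    on_black = any(p.fullmatch(sender) for p in lists.black)
    has_banned = any(p.search(body) for p in lists.banned)

    if has_banned:
        # A banned word sends the mail to the spam folder even for a
        # white-listed sender: the white-list rule requires no banned words.
        return "spam"
    if on_white and on_black:
        # Both the white-list and black-list rules apply; the guide does not
        # say which one wins, so flag the entry for the administrator.
        return "ambiguous"
    if on_black:
        return "spam"
    if on_white:
        return "deliver"
    return "fortiguard"  # handed to the FortiGuard AntiSpam service


def has_bare_dot(pattern):
    """True if the pattern has an unescaped '.' that is not part of '.*', '.+' or '.?'.

    Because entries are regular expressions, a plain address such as
    alice@example.com also matches alice@exampleXcom unless the dot is escaped.
    """
    return re.search(r"(?<!\\)\.(?![*+?])", pattern) is not None


# Constructed sample lists and messages.
LISTS = compile_lists(
    white=[r".*@example\.com"],
    black=[r".*@spam\.example", r"promo@example\.com"],
    banned=[r"lottery", r"wire\s+transfer"],
)

SAMPLES = [
    ("alice@example.com", "Meeting moved to 10:00"),
    ("alice@example.com", "You won the LOTTERY"),
    ("bob@spam.example", "hello"),
    ("carol@example.org", "hello"),
    ("promo@example.com", "hello"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(f"{sender:22} {classify(LISTS, sender, body)}")
    for entry in ("alice@example.com", r".*@example\.com"):
        print(entry, "bare dot" if has_bare_dot(entry) else "ok")
```
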

To add white/black lists

1 Go to AntiSpam > Settings.

2 In the White/black list panel, select Add.

3 Enter the email address that you want to block or allow.

4 Select Block to add the address to black list, and Allow to add it to white list.

5 Select OK.

6 To modify a list item, select the item, then Edit.

7 To remove a list item, select the item, then Delete.

To add banned words

1 Go to AntiSpam > Settings.

2 In the Banned word list panel, select Add.

3 Enter the word that you want to ban.

4 Select OK.

5 To modify a list item, select the item, then Edit.

6 To remove a list item, select the item, then Delete.

Manually labelling email

You can manually mark an email as spam or as innocent mail.

If you have not enabled the FortiClient Submit mis-rated Email automatically function, you will be prompted to submit a selected email to Fortinet when you mark an email as spam or as innocent mail. Otherwise, the selected email will be sent to Fortinet automatically to train its FortiGuard database. For more information, see “Submitting misclassified email to Fortinet” on page 67.

To manually mark an email as spam

1 Open Microsoft Outlook or Outlook Express.

2 If you find a spam in your Inbox folder, select the email.

3 Select the Mark As Spam icon on the toolbar.

The email is sent to the Spam folder. If it is also forwarded to Fortinet, when you update the FortiClient software next time, the Outlook plug-in will update its spam database so that when an email from the same sender/address comes in again, it will be sent to the Spam folder.

To manually mark an email as an innocent mail

1 Open Microsoft Outlook or Outlook Express.

2 If you find an innocent email in your Spam folder, select the email.

3 Select the Mark Not Spam icon on the toolbar.

The email is sent to the Inbox folder. If it is also forwarded to Fortinet, when you update the FortiClient software next time, the Outlook plug-in will update its spam database so that when an email from the same sender/address comes in again, it will not be sent to the Spam folder.

Submitting misclassified email to Fortinet

You can configure the FortiClient program to automatically send misclassified email, that is, innocent email classified as spam or spam classified as innocent email, to the Fortinet FortiGuard AntiSpam service to enhance the service’s email-scanning accuracy. In this case, you will not be prompted to submit misclassified email manually.

You can also just configure the FortiClient program to stop prompting users to submit misclassified email manually. In this case, no misclassified email will be sent to Fortinet.

For more information, see “Manually labelling email” on page 67.

To configure sending misclassified email to Fortinet

1 Go to AntiSpam > Settings.

2 Select Submit mis-rated Email automatically.

3 Select Apply.

To stop prompting users to submit misclassified email manually

1 Go to AntiSpam > Settings.

2 Select Don’t prompt users to submit mis-rated email.

3 Select Apply.

AntiLeak

AntiLeak prevents accidental leakage of sensitive information through email messages.

When you send an email message using Microsoft Outlook (2000 or later), FortiClient searches the attachments for the words or patterns in your sensitive words list. If any of the words or patterns are found, FortiClient logs the message and can also block sending of the message.

AntiLeak can examine the following file types:

• text (.txt)

• Microsoft Word (.doc)

• Microsoft Excel (.xls)

• Microsoft PowerPoint (.ppt)

• Adobe Portable Document Format (.pdf)

Select the AntiLeak tab to configure AntiLeak settings.

Figure 23: AntiLeak settings

General

Enable AntiLeak: Activate AntiLeak feature. You can define the Sensitive word list even if the feature is not active.

Log this event: Log outgoing email messages that leak sensitive information.

Block leakage: Block sending of email messages that leak sensitive information. Blocked messages are logged.

Sensitive word list: Users with administrative privileges can define the Sensitive word list, or the list can be part of a locked-down configuration.

Add: Enter a word or regular expression.

Edit: Change the selected entry.

Delete: Remove the selected entry.

Maintenance

You can use the Update feature to update the AV definition and AV engine. With the Backup/Restore feature, you can save all the FortiClient settings to a file. If required, you can later load this file to restore all settings.

Updating FortiClient

You can view the current AV definition and AV engine version information and configure updates on the Update page.

Each copy of the FortiClient software has a unique identifier called UID. The UID is displayed at the upper right corner of the Update page. Whenever FortiClient sends out an update request, it also sends out the ID number. If you encounter any update problem, Fortinet technical support can use this number to pinpoint the problem.

If the FortiClient computer uses a proxy server, you can specify the proxy server settings so that the FortiClient software can get updates through the proxy server. See “Configuring proxy server settings” on page 16.

Updates can be run manually or scheduled to run automatically on a daily basis.

To initiate immediate updates

1 Go to Maintenance > Update.

2 Select Update Now.

Under Update Status, you can view the update process and results. A status of “No update available” means that your AV definitions and AV engine are already the latest version.

To schedule updates

1 In the Update Schedule section, select Enable scheduled update.

2 Do one of the following:

• Select Daily and enter the time of day.

• Select Every and select the interval (1 to 24 hours).

3 Select Apply.

Note: The default update server is forticlient.fortinet.com. If you want to use a different server, select the Use this server to update option at the top of the update page and enter the URL of the update server. You do not need to specify http:// or https:// as part of the URL.

To manually update the software and antivirus signatures

1 Download the FortiClient update package file (.pkg file) to the FortiClient computer.

2 Go to Maintenance > Update and select Manual Update.

3 In the Open dialog box, locate the update package file and select Open.

Backing up and restoring FortiClient settings

If you have administrative privileges on your computer, you can save all FortiClient settings to a file so that you can easily restore them at a later date. For example, if you are forced to reinstall the software after replacing a hard drive, loading a backup will restore FortiClient to the same settings it had when you made the backup. You can also use a single backup file to configure multiple FortiClient installations with identical settings.

Note: Backup/Restore features are not available if the FortiClient application is centrally managed by a FortiManager unit.

To back up the FortiClient settings

1 Go to Maintenance > Backup/Restore.

2 Select Backup.

3 Enter a file name and location in the Save As dialog box.

4 Enter a password in the Input Password dialog box. Enter the password again in the Confirm field to ensure you typed it correctly. Remember this password because you must enter it correctly when you restore the backup file.

To restore the FortiClient settings

1 Go to Maintenance > Backup/Restore.

2 Select Restore.

3 Choose the file you want to restore in the Open dialog box.

4 Enter the password associated with the file.

FortiClient confirms that the configuration is restored.

5 Select OK.

Logs

Use the FortiClient logging feature to configure logging of different types of events for any or all of the FortiClient services.

Configuring log settings

You can specify the log level, log type, log size, and log entry lifetime.

Figure 24: Configuring log settings

To configure log settings

1 Go to Logs > Settings.

2 Enter the Maximum Log Size.

The default is 5120 KB. Log entries are overwritten, starting with the oldest, when the maximum log file size is reached.

3 Select the Log Level.

You can select Error, Warning, or Information. The default is Warning.

4 Select what to log.

You can select either All events or Check to select. If you choose Check to select, specify the types of events to log.

5 Select Apply.

To configure remote logging

1 Go to Logs > Settings.

2 In the Remote logging section, select Server and enter the server IP address or FQDN in the adjacent box.

3 Select FortiAnalyzer if you are using a FortiAnalyzer unit to record logs, otherwise select Syslog.

4 From the Facilities list, select the name used to identify this FortiClient PC in the logs.

The default is local7.

5 If you are logging to a syslog, from the Syslog log level list, select the minimum severity of logs to record.

6 Select Apply.

Managing log files

The log viewer can display logs of all events or only the events associated with a specific service. You can view, save, clear, or refresh the log entries.

Figure 25: Viewing logs

To manage the log messages

1 Go to Logs > Logview.

2 From the dropdown list, select the log entry type you want to view.

3 Use the log navigation buttons to move between log entries or to move to the top or bottom of the log file. The most recent log entries are displayed at the top of the list.

Optionally select a specific log entry from the log window to view the complete log entry information.

4 To save the log messages, select Export.

5 To delete all the log messages, select Clear All.

6 To display the most recent log messages, select Refresh.

FortiClient Endpoint Security Version 4.0.2 User Guide

04-402-86641-20090223

http://docs.fortinet.com/

Feedback

