FortiClient User Guide

Introduction:

FortiClient extends the power of FortiGate's Unified Threat Management to endpoints on your network. Whether desktops, laptops, tablets or smartphones, FortiClient enables every device - local or remote, stationary or mobile - to integrate with your FortiGate. With no per-seat license fees, FortiClient takes the headaches out of managing multiple endpoints so your users and guests can work efficiently anywhere, without compromising your security. It's the endpoint solution for your FortiGate network.

The FortiClient software provides a variety of features, including antivirus, web filtering, firewall, and parental controls, to individual computers and mobile devices. It can also be used to connect to a FortiGate using either an SSL or IPsec VPN.

FortiClient VPN configuration:
Virtual Private Network (VPN) technology enables remote users to connect to private computer networks to gain access to their resources in a secure way. For example, an employee traveling or working from home can use a VPN to securely access TeraTerm and Network Drives through the Internet.

VPN gateways:

A gateway is a router that connects the local network to other networks. The default gateway setting in your computer’s TCP/IP properties specifies the gateway for your local network.
A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the encapsulated data packets and passes the data packets to the local network. Also, it encrypts data packets destined for the other end of the VPN tunnel, encapsulates them, and sends the IPsec packets to the other VPN gateway. The VPN gateway is a FortiGate unit because the private network behind it is protected, ensuring the security of the unencrypted VPN data. The gateway can also be FortiClient software running on a PC since the unencrypted data is secure on the PC.
The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet. Optionally, you can define a secondary IP address for the interface and use that address as the local VPN gateway address. The benefit of doing this is that your existing setup is not affected by the VPN settings.

The following diagram shows a VPN connection between two private networks with FortiGate units acting as the VPN gateways. This configuration is commonly referred to as Gateway-to-Gateway IPsec VPN.

VPN tunnel between two private networks:
Fig : 1

FortiClient Benefits:

Unified endpoint features including compliance, protection, and secure access into a single, modular lightweight client.
End-to-end threat visibility and control by natively integrating endpoint into the Security Fabric architecture.
Advanced threat protection against exploits and advanced malware, powered by FortiGuard along with FortiSandbox integration.
Integrated patch management and vulnerability shielding to harden all endpoints.
Simplified management and policy enforcement with Enterprise Management Server (EMS) and FortiGate, respectively.
Remote FortiClient Deployment that allows administrators to remotely deploy endpoint software and perform controlled upgrades.
Centralized Client Provisioning makes deploying FortiClient configuration to thousands of clients an effortless task with a click of a button.
Software Inventory Management provides visibility into installed software applications and license management to improve security hygiene. You can use inventory information to detect and remove unnecessary or outdated applications that might have vulnerabilities to reduce your attack surface.
Windows AD Integration helps sync the organization's AD structure into EMS so the same OUs can be used for endpoint management.
Real-time Endpoint Status always provides current information on endpoint activity & security events.
Vulnerability Dashboard helps manage the organization's attack surface. All vulnerable endpoints are easily identified for administrative action.

Next Generation Endpoint Protection:

Integrated endpoint protection platform that provides automated next-generation threat protection, visibility and control of your software and hardware inventory across the entire security fabric. Identify & remediate vulnerable or compromised hosts across your attack surface.
  • Provides Endpoint Visibility & Compliance throughout security fabric
  • Prevent Known Vulnerabilities from Being Exploited by Attackers
  • Automated behavior based protection against unknown threats
  • Simplified Endpoint Management.
Fig : 2
Integrate Endpoints to Fortinet Security Fabric:
As a key piece of the Fortinet Security Fabric, FortiClient integrates endpoints into the fabric for early detection and prevention of advanced threats. Security events including zero-day malware, botnet detections, and vulnerabilities are reported in real-time.
The deep real-time visibility into the network allows administrators to investigate and remotely quarantine compromised endpoints. Endpoint protection is more than just antimalware protection; the endpoint compliance and vulnerability detection features enable simplified enforcement of enterprise.
Fig : 3 
Automated Security Fabric Protection:



Fig : 4
Vulnerability Management:
FortiClient Vulnerability Management solution helps you detect OS and third-party Application vulnerabilities in real time across your attack surface.
Fig : 5

Automated Advanced Threat Protection and Detection:
As a next-generation endpoint protection solution, FortiClient helps connect endpoints to FortiSandbox, which uses behavior-based analysis to automatically analyze in real time all files downloaded to FortiClient endpoints. Millions of FortiClient and FortiSandbox users worldwide share information about known and unknown malware with cloud-based FortiGuard. FortiGuard automatically shares the intelligence with other FortiSandbox units and FortiClient endpoints to prevent attacks from known and unknown malware. By integrating with FortiSandbox and cloud-based FortiGuard Global Threat Intelligence, FortiClient automatically detects and prevents zero-day, advanced malware and known threats.

Secure Remote Access:

Fig : 6

FortiClient uses SSL and IPsec VPN to provide secure, reliable access to corporate networks and applications from virtually any internet-connected remote location. FortiClient simplifies the remote user experience with built-in auto-connect and always-up VPN features. Two-factor authentication can also be used to provide an additional layer of security.

Anti-Exploit:

This behavior-based detection technology protects against zero-day attacks that target applications with zero-day or unpatched vulnerabilities.
Protects against zero-day attacks targeting undiscovered or unpatched application vulnerabilities.
Detects various memory techniques used in an exploit, such as ROP, heap spray and buffer overflow.
File-less attacks: PowerShell and other scripted attacks.
Shields web browsers, Java/Flash plug-ins, Microsoft Office applications, and PDF Reader.
Identifies and blocks exploit kits and prevents drive-by downloads.

Windows FortiClient SSL VPN Installation and Setup:

The purpose is to support staff who may be conducting work either remotely or without a direct connection to the college’s wired network. Whilst the use of a secure virtual private network (VPN) will provide better assurances against the potential of data leakage than previously offered, it will not ensure that data is completely safe, as various forms of malware and key loggers could still be active. The Department of Information Technology strongly advocates that any device used to undertake college work must be completely up to date with operating system and application security patches, and must have an anti-malware product installed and active.
If you are working with personal, confidential or commercially sensitive data, you must ensure that you are using a secure connection (VPN), especially if you are using an unsecured public network, such as in a hotel or train station. 
You should not connect to any unsecured wireless network unless you are sure of its legitimacy.
Google Chrome is the browser that will be used throughout this guide.

FortiClient Installation:

Please enter the following URL into the address bar of your browser.
Click the red FREE Download button.
Fig : 7
The browser will take you to a new page with the relevant section. At this point, please click on the relevant version based on the platform you are using, i.e. Windows, Mac, iOS, etc.
Fig : 8
Please save FortiClientInstaller.exe to your desired location (by default this will be your Downloads folder).
Fig : 9
Once you double click or open the installer, the download will start and you will see a notification similar to the following screenshot. This download can sometimes proceed slowly, depending on demand. At this stage, you may be prompted with the User Account Control screen, depending on your settings. If so, you may need to enter your details or simply click Yes.
Fig : 10
On the following screen, please tick the box to confirm that you have read the terms and conditions and then click Next.  
Fig : 11
When prompted by the “setup type” screen, please choose Secure Remote Access only.
Fig : 12
On the following screen, leave the settings as they are and click Next.
Fig : 13
Click Install and the client will be installed onto your device.
Fig : 14
Click on the Finish button to complete the installation.
You should now see the FortiClient green shield icon in the taskbar to confirm that the software has been installed. You may need to expand your taskbar by clicking on the red arrow as shown below. Right click on the green shield icon and then select Open FortiClient Console. You can also double click on the desktop icon that was created.
Fig : 15
On the following screen click on Configure VPN.
Fig : 16
Fill out the fields as in the following screenshot.
Fig : 17
Click Apply to create and save the VPN Profile and click Close. This will launch the following screen.
Fig : 18
Enter your ID # for the Username and your network Password and click Connect. In the taskbar you will see a lock icon on the FortiClient icon, confirming that you are now connected to the VPN service.
Fig : 19
To disconnect from the VPN, right click on the green shield and click Disconnect “VPN”.

Some connectivity issues in the FortiClient client:

* Unable to logon to the server. Your username or password may not be configured properly for the connection. (-12).
Fig : 20
* I’ve to reset the password for the user - and we are 100% sure that we have a correct username and password. This issue happened after we upgraded to 5.4 ... I can’t downgrade for just a single user. My current solution is to reinstall Windows 10.
* "Unable to establish the VPN connection. The VPN server may be unreachable. (-5)" appears in FortiClient when trying to connect to the SSL VPN, and the connection is stuck at 40%, after upgrading to 5.4.x from 5.2 or earlier.
Fig : 21
This error may occur because the default settings for encryption have changed in FortiOS v5.4.
1. On the FortiClient (Windows) workstation, go to Internet Explorer > Options > Advanced.
2. Change the TLS settings to match those settings on the FortiGate.
For example, if TLS 1.1 and TLS 1.2 are enabled on the FortiGate, enable them in Internet Explorer as well.
Fig : 22
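
The comparison in steps 1 and 2 can also be made from PowerShell. This is an added example, not part of the original guide or of Fortinet's documentation: it decodes the SecureProtocols bitmask that Internet Options stores for the current user and compares it with the TLS versions enabled on the FortiGate. The function names are hypothetical, and the `$gateway` list and the fallback mask are constructed sample values.

```powershell
# Added example (not from the original guide): compare the TLS versions ticked in
# Internet Options with the versions enabled on the FortiGate.
# SecureProtocols is the per-user bitmask behind Internet Options > Advanced.
$Flags = [ordered]@{
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Mask)
    # Return the protocol names whose bit is set in the mask
    $Flags.Keys | Where-Object { $Mask -band $Flags[$_] }
}

function Compare-TlsSettings {
    param(
        [Parameter(Mandatory)][int]$ClientMask,
        [Parameter(Mandatory)][string[]]$GatewayProtocols
    )
    $client = @(ConvertFrom-SecureProtocols -Mask $ClientMask)
    [pscustomobject]@{
        ClientEnabled   = $client
        Common          = @($client | Where-Object { $_ -in $GatewayProtocols })
        MissingOnClient = @($GatewayProtocols | Where-Object { $_ -notin $client })
    }
}

# Assumption: the FortiGate administrator reports these versions as enabled
# (the same example the guide uses).
$gateway = 'TLS 1.1', 'TLS 1.2'

# Read the current user's value; if it is absent, use a constructed sample
# (0x00A0 = SSL 3.0 + TLS 1.0 only) so the mismatch case is visible.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$current = (Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $current) { $current = 0x00A0 }

$result = Compare-TlsSettings -ClientMask $current -GatewayProtocols $gateway
$result | Format-List
if (-not $result.Common) {
    Write-Warning 'No TLS version is enabled on both the client and the gateway list.'
}
```

Any version listed under MissingOnClient is one to tick in Internet Options > Advanced before retrying the connection.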

* Permission Denied: If FortiClient gives a Permission denied (-455) error when the user enters the username and password, it means the user is entering invalid credentials.
Fig : 23


Thanks,
Keerthi Kumar.

Comments

  1. Well done Keerthi Kumar. Good information you have given to all of us. It is helpful. Thank you.

  2. It is very helpful, thank you Keerthi Kumar Netula.

  3. Great work Keerthi Kumar... Keep it up.

  4. Great stuff Keerthi. Very useful info. Thank you for sharing the details.

  5. Very useful blog, thank you for sharing info...

  6. FortiClient simplified!!!
    Great work. Very useful info shared... Thanks Keerthi Kumar for this...

  7. Nice information, thank you for sharing...

  8. Excellent job.... Keerthi keep going!!!

  9. Permission denied (-455) is coming when I am trying to log in from my laptop, but from mobile I am able to access. Also, my credentials are correct.

  10. Enter your username and password correctly... if it's correct, check the Remote gateway.
    Permission Denied (-455): I can surely say that it's a password issue.

  11. It is very helpful for everyone. Thanks for sharing this information. Kalyx transcanding connections

  12. Hello, I would be grateful if you could help me. I have problems with my LDAP VPNs: I was able to link the groups I created on the Forti with the Active Directory groups correctly, and then when creating the VPN portal I associated the corresponding groups with the portal, but when I try to log in to the VPN with an AD user it says permission denied, whereas if I do it with a local user I can connect. Thanks in advance for the help, regards.

  13. If the user account is flagged in AD to change password at next logon, then you will not be able to authenticate for VPN connection.

  14. Please help.

    I receive the "Permission Denied" error after entering the FortiToken code.

    The user name and passwords are correct. It connects successfully when two-factor authentication is disabled.

    But once enabled, it shows the "Permission Denied" error after entering the token code.

    Re-installing the VPN client, reinstalling the FortiToken app, and re-adding new tokens didn't work.

    Replies
    1. Hi, did you resolve the issue "permission denied -455"? Please let me know what you did.

  15. Hi, this is a great article. Loved your efforts on it, buddy. Thanks for sharing this with us. MD-101T02: Managing Modern Desktops and Devices