
FortiClient Host Security User Guide

Version 2.0 MR1

October 17, 2005

04-20001-0183-20051017

© Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
  About FortiClient Host Security
  Documentation
    Fortinet Knowledge Center
    Comments on Fortinet technical documentation
  Customer service and technical support

Installation
  System requirements
  Supported FortiGate models and FortiOS versions
  Language Support
  Installing FortiClient on a single PC
  Installing customized FortiClient using Active Directory Server
    Customizing the FortiClient installation package
    Disabling VPN XAuth password saving
    Running remote installation

Configuration
  General Settings
    Entering a license key
    Configuring proxy server settings
    FortiClient status icons
  VPN
    Setting up a FortiClient-to-FortiGate VPN with manual configuration
    Setting up a FortiClient-to-FortiGate VPN with automatic configuration
    Testing the connection
    Connecting to the remote FortiGate network
    Configuring the advanced VPN settings
    Monitoring VPN connections
    Exporting and importing VPN policy files
    Troubleshooting
    Starting up VPN before logging on to Windows
    Managing digital certificates
  Antivirus
    Scanning for viruses
    Configuring antivirus settings
    Configuring real-time protection
    Configuring email scanning
    Managing quarantined files
    Monitoring Windows startup list entries
  Firewall
    Selecting a firewall mode
    Selecting a firewall profile
    Viewing traffic information
    Configuring application access permissions
    Configuring network security zones
    Configuring intrusion detection
    Configuring advanced firewall rules
  Web Filter
    Setting the administration password
    Configuring the web filter settings
  Update
    Updating FortiClient
  Logs
    Configuring log settings
    Managing log files
  Using the FortiClient system tray icon menus

Frequently asked questions

Index

Introduction

This chapter introduces you to FortiClient Host Security software and the following topics:

• About FortiClient Host Security
• Documentation
• Customer service and technical support

About FortiClient Host Security

The FortiClient Host Security software is a secure remote access client for Windows computers. It integrates IPSec VPN, antivirus, Windows registry monitoring, firewall, and web browsing control into a single software package.

Using the FortiClient software, you can:

• create VPN connections to remote networks,
• scan your computer for viruses,
• configure real-time protection against viruses and unauthorized modification of the Windows registry,
• restrict access to your system and applications by setting up firewall policies,
• restrict Internet access according to the rules you specify.

Documentation

In addition to this FortiClient Host Security User Guide, the FortiClient online help provides information and procedures for using and configuring the FortiClient software.

Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide.

Fortinet Knowledge Center

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to [email protected].


Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

Fortinet email support is available from the following addresses:

• [email protected] For customers in the United States, Canada, Mexico, Latin America and South America.
• [email protected] For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
• [email protected] For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:

• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiClient version
• Detailed description of the problem


Installation

You can install the FortiClient software in two ways:

• For a single PC installation, you can install the software by running the installation file. See “Installing FortiClient on a single PC” on page 8.
• For a group installation, you can use the Active Directory Server to install the FortiClient package on multiple PCs. See “Installing customized FortiClient using Active Directory Server” on page 8.

System requirements

• PC-compatible computer with Pentium processor or equivalent
• Compatible operating systems and minimum RAM:
  • Microsoft Windows 2000: 64 MB
  • Microsoft Windows XP: 128 MB
  • Microsoft Windows Server 2003: 128 MB
• 40 MB hard disk space
• Native Microsoft TCP/IP communications protocol
• Native Microsoft PPP dialer for dial-up connections
• Ethernet for network connections
• Microsoft Internet Explorer 5.0 or later

Supported FortiGate models and FortiOS versions

The FortiClient software supports:

• all FortiGate models
• FortiOS v2.36
• FortiOS v2.50
• FortiOS v2.80

Language Support

FortiClient Host Security is localized for English, Simplified Chinese, and Japanese. The user interface, manual and online help are provided in English, Simplified Chinese, or Japanese. If the installation detects a Simplified Chinese or Japanese code page, the Simplified Chinese or Japanese version is installed. In all other cases, the English version is installed.


Installing FortiClient on a single PC

The software may not function properly with other VPN clients installed on the same computer. You should uninstall any other VPN clients such as SSH Sentinel before installing the FortiClient software.

If you have an older version of FortiClient software on your computer, it will be uninstalled automatically.

Note: Configuration data from FortiClient v1.2 and v1.6 will be kept and reused by v2.0. Configuration data from v1.0 cannot be reused by v2.0.

To install the FortiClient software, run the FortiClient install program and follow the instructions on the screen.

Note: The FortiClient software installs a virtual network adapter. The FortiClient virtual network adapter is not displayed in the Windows list of network adapters.

To complete the installation of the FortiClient software, you must reboot the computer and complete the following initial configuration.

To configure the FortiClient software after system reboot

1 On the FortiClient Configuration Wizard, select Basic Setup if you are installing FortiClient on a standalone computer, or select Advanced Setup if you are installing FortiClient on a computer in a network.

2 For Basic Setup, configure the update settings. For more update information, see “Update” on page 51.

3 For Advanced Setup, do the following:

• Add IP addresses to FortiClient’s public, trusted, and blocked zones. For more information, see “Configuring network security zones” on page 45.
• If your computer uses a proxy server, enter the proxy server information. See “Configuring proxy server settings” on page 12.
• Configure the update settings. See “Update” on page 51.

Installing customized FortiClient using Active Directory Server

The FortiClient installer is based on MSI technology. You can customize the FortiClient installation package and use the Active Directory Server to install different customized installation packages on different PCs.

Customizing the FortiClient installation package

To customize the FortiClient MSI installation package, use any MSI editor, such as InstallShield and Wise.

The MSI file should not be edited directly. The recommended solution is to create a transform file that contains the configuration changes you need. The transform file is applied to the original MSI file at runtime by msiexec.

Custom installations must conform to the following rules.

• No feature is to be deleted.
• No feature is to be added.
• No feature is to be moved from one feature to another.
• No component is to be deleted.
• No component is to be added.
• No component code (GUID) is to be modified.
• No component is to be moved from one feature to another.
• The shared state of a component must not be changed.

Registry settings are only to be added to the following components:

• REGISTRY_MST_FWSettings
• REGISTRY_MST_AVSettings
• REGISTRY_MST_VPNSettings
• REGISTRY_MST_BHOSettings

Disabling VPN XAuth password saving

The ability for a user to “save” the VPN XAuth password can now be disabled through a registry setting in a custom installation.

To disable XAuth password saving

1 Create a custom MSI transform file.

2 Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE registry key.

3 Add the value DontRememberPassword under the key.

4 Set the value of DontRememberPassword to 1.
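
One way to confirm on an endpoint that the transform actually applied this setting (an added example, not Fortinet code): the key path and value name are the ones in the procedure above, with LOCAL_MACHINE read as HKEY_LOCAL_MACHINE. The function name, the output fields and the WOW6432Node fallback are assumptions made for this illustration.

```powershell
# Added example, not Fortinet code. Key path and value name come from the
# guide; the function name, output fields and WOW6432Node fallback are
# assumptions made for this illustration.

function Test-XAuthPasswordSavingDisabled {
    [CmdletBinding()]
    param(
        # Registry locations to inspect, in order. The second entry is an
        # assumption: where a 32-bit install would land on 64-bit Windows.
        [string[]]$KeyPath = @(
            'HKLM:\Software\Fortinet\FortiClient\FA_IKE',
            'HKLM:\Software\WOW6432Node\Fortinet\FortiClient\FA_IKE'
        ),
        [string]$ValueName = 'DontRememberPassword'
    )

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key    = Get-Item -LiteralPath $path
        $result = [ordered]@{
            Computer  = $env:COMPUTERNAME
            Key       = $path
            Kind      = $null
            Data      = $null
            Compliant = $false
            Reason    = ''
        }

        if ($key.GetValueNames() -notcontains $ValueName) {
            # Key exists but the transform did not add the value.
            $result.Reason = "$ValueName is absent; password saving is not disabled"
        }
        else {
            # The guide does not state the value type, so the data is
            # compared as text and the kind is reported for the reviewer.
            $result.Kind = $key.GetValueKind($ValueName)
            $result.Data = $key.GetValue($ValueName)
            if ("$($result.Data)" -eq '1') {
                $result.Compliant = $true
                $result.Reason    = "$ValueName is set to 1"
            }
            else {
                $result.Reason = "$ValueName is '$($result.Data)', expected 1"
            }
        }
        return [pscustomobject]$result
    }

    # None of the candidate keys exist on this machine.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Key       = $null
        Kind      = $null
        Data      = $null
        Compliant = $false
        Reason    = 'FA_IKE key not found (FortiClient absent or key never created)'
    }
}

# Report the state of the local machine.
Test-XAuthPasswordSavingDisabled | Format-List
```

Run it on each managed PC after the Active Directory deployment and follow up on any result where Compliant is false.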

Running remote installation

The following is a general description of how to deploy the FortiClient software to remote computers using Active Directory Server. For more details, see the Active Directory manuals or online help.

To complete this procedure, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

To deploy FortiClient using Active Directory Server

1 Unzip the FortiClient MSI installation file to a shared folder.

2 Open the Group Policy Object Editor.

3 Select Computer Configuration.

4 Select Software Settings.

5 Right-click Software Installation, select New, and then select Package.

6 Select the FortiClient MSI installation file and select Open.

7 In Deploy Software, select Assigned.

Caution: If you modify the MSI installation package, you may not be able to upgrade the FortiClient installation with newer FortiClient releases.


Configuration

This chapter describes the detailed FortiClient settings in the order in which they appear in the FortiClient GUI.

• General Settings
• VPN
• Antivirus
• Firewall
• Web Filter
• Update
• Logs
• Using the FortiClient system tray icon menus

General Settings

Use the General Settings page to:

• set the FortiClient software to load automatically during startup,
• enable or disable real-time antivirus protection,
• enable or disable the Windows system startup list monitoring,
• enter a product license key,
• configure the proxy server settings.

You can also use the General Settings page to view:

• the current version and serial number of the FortiClient software,
• the status of the VPN service,
• the current version of the antivirus definition files,
• the time of the last antivirus scan,
• the status of the auto-update service,
• the time of the last update.

Entering a license key

The FortiClient software uses license keys to distinguish between evaluation software and fully licensed software. With the evaluation version, you can only use DES for encryption and MD5 for authentication when you configure a VPN connection.

After you register the software, you receive the license key from Fortinet.

To enter a license key

1 On the General Settings page, select Enter License Key.

2 Enter the license key in the License Key field.

3 Select OK.


Configuring proxy server settings

If you use a proxy server for your LAN, you can specify the proxy server settings so that the FortiClient software can go through the proxy server to get antivirus signature updates and online SCEP.

FortiClient software supports HTTP, SOCKS v4, and SOCKS v5 proxy protocols.

Note: You can get the proxy server information from your network administrator.

To configure proxy server settings

1 Go to General > Connection.

2 Select Enable proxy for updates and/or Enable proxy for Online SCEP.

3 For Proxy Type, select HTTP, SOCK V4, or SOCK V5.

4 Enter the proxy server’s IP address and port number.

5 Enter the user name and password.

6 Select Apply.

FortiClient status icons

The FortiClient status bar on the lower right corner displays the FortiClient status icons.

• The VPN service is running and there is an open connection.
• The VPN service is stopped.
• The antivirus scanning service is running.
• The antivirus scanning service is stopped.
• The update service is running.
• The update service is stopped.
• The real-time protection service is running.
• The real-time protection service is stopped.
• The firewall protection is enabled.
• The firewall protection is disabled.


VPN

By entering basic connection information and using the default settings, you can quickly set up a VPN tunnel between your computer and a network behind a FortiGate gateway. See “Setting up a FortiClient-to-FortiGate VPN with manual configuration” on page 13.

If the FortiGate gateway runs as a VPN policy server that deploys the preconfigured VPN policies to FortiClient PCs, you can use the FortiClient automatic configuration feature. In this case, you only need to specify the FortiGate IP address to which the FortiClient software connects to download the VPN configuration. See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.

Note: FortiGate-to-FortiClient VPN policy deployment is a new feature of FortiOS v3.0. Contact Fortinet Technical Support for more details.

If you are configuring a VPN to use either local digital certificates or smartcard/eToken certificate for authentication, see “Managing digital certificates” on page 29 before proceeding.

Digital certificates are not required for configuring FortiClient VPN connections. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Setting up a FortiClient-to-FortiGate VPN with manual configuration

This VPN configuration example uses default FortiClient settings and preshared keys for VPN authentication. To customize the FortiClient VPN settings or to use digital certificates for VPN authentication, see “Configuring the advanced VPN settings” on page 20 and “Managing digital certificates” on page 29.

To set up a VPN connection, you must configure both the FortiClient and the FortiGate VPN settings.

Configuring FortiClient VPN settings

Go to VPN > Connections to add, delete, edit, or rename a VPN connection.

To add a FortiClient to FortiGate VPN, you need to:

• Set up the VPN tunnel from FortiClient to the remote FortiGate gateway.
• Add the remote network IP addresses behind the remote gateway.
• Get a virtual IP address that the FortiGate firewall administrator assigns to your FortiClient PC, unless you use DHCP over IPSec.
• Configure Internet browsing over IPSec if you want to access the Internet through the VPN tunnel.


Figure 1: Creating a new VPN connection

To create a FortiClient VPN configuration

1 Go to VPN > Connections.

2 Select Add.

3 Enter a descriptive name for the connection.

4 For Configuration, select Manual.

5 For Remote Gateway, enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.

6 Enter the Remote Network information.

This is the IP address and netmask of the network behind the FortiGate gateway.

7 Enter the Preshared key.

The preshared key must be the same as the one used by the FortiGate VPN configuration.

8 Select OK.

To add a remote network you can access

1 Go to VPN > Connections.

2 Select Add to add a new connection, or select Edit to edit a connection.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Add.


5 In the Network Editor dialog box, enter the IP address and subnet mask of the remote network. You can enter multiple IP addresses behind the remote gateway. These are the IP addresses you can access through the VPN tunnel.

6 Select OK.

To set the virtual IP address

1 Select a VPN and then select Edit.

2 Select Advanced.

3 In the Advanced Settings dialog box, select Acquire Virtual IP Address and select Config.

4 In the Virtual IP Acquisition dialog box, select either DHCP over IPSec or manually set an IP. For details, see “Configuring Virtual IP address acquisition” on page 24.

5 Select OK.

To use Internet browsing over IPSec

1 Select a VPN and then select Edit.

2 Select Advanced.

3 In the Advanced Settings dialog box, select Add.

4 Enter 0.0.0.0/0.0.0.0 and select OK.

Note: For the FortiClient PC to be able to use Internet browsing over IPSec, the remote FortiGate gateway must also be configured to allow such traffic.

Configuring the FortiGate VPN settings

To configure the FortiGate unit to accept FortiClient VPN connections, you need to:

• configure the FortiGate Phase 1 VPN settings,
• configure the FortiGate Phase 2 VPN settings,
• add a firewall encryption policy.

The default FortiGate phase 1 and 2 VPN settings match the default FortiClient VPN settings if you have a registered FortiClient version. You do not need to modify the default FortiGate VPN settings if you are using a FortiClient quick start configuration.

Note: If you have the FortiClient evaluation version, you can only use DES for encryption and MD5 for authentication. Therefore, when you configure the FortiGate VPN settings, you must also select DES and MD5.

The following procedures are applicable to v2.50 FortiGate gateways. For v2.80 FortiGate gateways, the procedures vary slightly.

For detailed configuration information, see FortiGate VPN Guide.

To configure phase 1 settings

1 Go to VPN > IPSEC > Phase 1.

2 Select Create New to create a new VPN gateway.

3 Enter the following information and select OK.

   Gateway Name            Enter a name for the remote FortiClient user, such as FortiClient_User1.
   Remote Gateway          Select Dialup User.
   Mode                    Select Main Mode.
   Authentication Method   Select Pre-shared Key.
   Pre-shared Key          Enter the pre-shared key.
   Peer option             Select Accept any peer ID.

To configure phase 2 settings

1 Go to VPN > IPSec > Phase 2.

2 Select Create New to create a new VPN tunnel.

3 Enter the following information and select OK.

   Tunnel Name             Enter a name for the VPN tunnel.
   Remote Gateway          Select the gateway name you entered in phase 1 configuration.
   Concentrator            Select None.

To add a source address

1 Go to Firewall > Address.

2 Select Create New.

3 Enter an address name.

4 Enter the individual address or the subnet address that you want the dialup users to access through VPN.

5 Select OK.

To add a destination address

1 Go to Firewall > Address > External.

2 Select New.

3 Enter an address name.

4 Enter the subnet IP address which will be used as the virtual IP addresses for the remote FortiClient PCs. This subnet should be different from the local FortiGate subnet.

5 Select OK.

To add a firewall policy

1 Go to Firewall > Policy.

2 Select Create New.

3 Enter the following information and select OK.

   Source                     Internal
   Destination                External
   Source Address Name        Select the address name you added in “To add a source address” on page 16.
   Destination Address Name   Select the address name you added in “To add a destination address” on page 16.
   Schedule                   Always
   Service                    Any
   Action                     Encrypt
   VPN Tunnel                 Select the VPN tunnel you added in “To configure phase 2 settings” on page 16. Select Allow inbound and Allow outbound.
   Protection Profile         Optional
   Log Traffic                Optional

4 Move the encryption policy above the non-encrypt firewall policies in the policy list.

Setting up a FortiClient-to-FortiGate VPN with automatic configuration

If the remote FortiGate gateway is configured as a VPN policy deployment server, you can configure the FortiClient software to download the VPN policies from the FortiGate gateway.

The policy server has a daemon running all the time for incoming policy download requests. This daemon communicates with the FortiClient PC to process user authentication, policy lookup, and delivery. After the policy is sent out, the daemon closes the SSL connection, and you can start up the VPN tunnel from the FortiClient side.

On the FortiClient side, you only need to create a VPN name and specify the IP address of the FortiGate gateway.

Note: For VPNs with automatic configuration, only preshared keys are supported. Certificates are not supported.

To add a VPN with automatic configuration on the FortiClient PC

1 Go to VPN > Connections.

2 Select Add.

3 In the New Connection dialog box, enter a connection name.

4 For Configuration, select Automatic.

5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway.

6 Select OK.

Configuring the FortiGate gateway

On the FortiGate side, you must do the following to configure the FortiGate gateway to work as a VPN policy server:

1 Add the FortiClient users to a user group for authentication. When the FortiClient users try to connect to the FortiGate gateway to download the VPN policies, they are challenged for user names and passwords. See “Configuring FortiGate user authentication” on page 18.

2 Create a dialup VPN. See “Configuring the FortiGate VPN settings” on page 15.

3 Create a firewall policy for the dialup VPN. See “To add a firewall policy” on page 16.

Configuring FortiGate user authentication

The FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also use the RADIUS and LDAP servers to authenticate users.

To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. For more information, see the user authentication chapter of FortiGate Administration Guide.

To add a FortiClient user to the FortiGate local user database

1 On the FortiGate web-based manager, go to User > Local.

2 Select Create New.

3 Enter a user name and a password.

4 Select OK.

To add a user to a group

1 Go to User > User Group.

2 Select Create New to add a new user group, or select the Edit icon to edit a configuration.

3 Enter a Group Name to identify the user group.

4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.

5 To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.

6 To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.

7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.

8 Select a protection profile from the Protection Profiles list.

9 Select OK.

Testing the connection

After you configure both the FortiClient and FortiGate sides, you can test the VPN connection from your FortiClient PC.

To test the connection

1 Go to VPN > Connections.

2 Select the connection you want to test.


3 Select Test.

A log window opens and begins to negotiate the VPN connection with the remote FortiGate unit.

If the test is successful, the last line of the log will read “IKE daemon stopped”.

If the last line of the log reads “Next_time = x sec”, where x is an integer, the test was not successful. The FortiClient software is continuing to try to negotiate the connection. See “Troubleshooting” on page 28.

4 Select Close.

Figure 2: A successful connection test

Note: For a VPN with automatic configuration, the FortiClient software downloads the VPN policy first. To test the VPN connection, the FortiClient software attempts to negotiate the VPN connection but does not actually open a VPN connection.

Figure 3: A failed connection test

Connecting to the remote FortiGate network

After you set up a VPN connection, you can start or stop the connection as required.

To connect to a remote FortiGate gateway

1 Go to VPN > Connections.

2 Select the connection you want to start.

3 Select Connect.

The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall. If the negotiation is successful and the connection is established, the last line of the log will read “Negotiation Succeeded!”

4 Select OK or wait for the log window to close automatically.

If the last line of the log is “Negotiation failed! Please check log” and the log window does not close automatically, the connection attempt failed. Test the connection to verify the configuration. See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.

5 To stop the connection, select Disconnect.

Configuring the advanced VPN settings

You can configure the detailed IKE and IPSec parameters and other advanced VPN settings.

Configuring IKE and IPSec policies

FortiClient has two preconfigured IKE and IPSec policies:

• Use the Legacy policy for a VPN to a FortiGate unit running FortiOS v2.36, and for any Cisco gateways that only support legacy settings.

• Use the Default policy for a VPN to a FortiGate unit running FortiOS v2.50 or higher.

To modify the Legacy or Default policy settings

1 Go to VPN > Connections.

2 Select Add to add a new connection, or select Edit to edit a connection.

3 Select Advanced.

4 Under Policy, select Legacy or Default.

The policy settings appear in the IKE and IPSec boxes. You can use the Legacy or Default policies. If you want to configure the detailed settings, continue with the next step.

5 Under Policy, select Config.

6 In the Connection Detailed Settings dialog box, configure the settings in the following table. Select OK to save the settings. You can also select Legacy or Default to go back to the original legacy or default settings.

Figure 4: Editing the detailed configuration settings

Table 1: FortiClient IKE settings correspond to FortiGate phase 1 settings

IKE Proposals
Add or delete encryption and authentication algorithms. The proposal list is used in the IKE negotiation between the FortiClient software and the remote FortiGate unit. The FortiClient software will propose the algorithm combinations in order, starting at the top of the list. The remote FortiGate gateway must use the same proposals.

Mode
Select either Main or Aggressive. Main mode provides an additional security feature called identity protection which hides the identities of the VPN peers so that they cannot be discovered by passive eavesdroppers. Main mode requires the exchange of more messages than Aggressive mode. It is also difficult to use efficiently when a VPN peer uses its identity as part of the authentication process. When using aggressive mode, the VPN peers exchange identifying information in the clear.

DH Group
Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
• When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
• When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
• When the VPN peers employ main mode, you can select multiple DH groups.

Key Life
Enter the number in seconds. The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID
If you are using peer IDs for authentication, enter the peer ID FortiClient will use to authenticate itself to the remote FortiGate gateway. If you are using certificates for authentication, you can enter the local ID, which is the distinguished name (DN) of the local certificate. Note there is no limit to how many FortiClient peers can use the same local ID.

Table 2: FortiClient IPSec settings correspond to FortiGate phase 2 settings

IPSec Proposals
Add or delete encryption and authentication algorithms. The remote FortiGate gateway must use the same proposals.

DH Group
Select one Diffie-Hellman group from DH group 1, 2, and 5. DH group 1 is least secure. DH group 5 is most secure. You cannot select multiple DH Groups. The remote FortiGate gateway must use the same DH Group settings.

Key Life
Select either Seconds or KBytes for the keylife, or select both. The keylife causes the IPSec key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 2147483648 kbytes.
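The limits and matching rules from Tables 1 and 2, together with the missing-PFS error the guide lists among common configuration errors, can be expressed as a check to run before a connection attempt. This is an added example, not Fortinet code: the dictionary layout, field names and algorithm labels are assumptions made for illustration.

```python
# Added example. The dictionary layout and field names are assumptions,
# not a FortiClient or FortiGate file format. Sample values are constructed.
DH_GROUPS = {1, 2, 5}                 # groups offered in Tables 1 and 2
KEYLIFE_SECONDS = (120, 172800)       # P1 and P2 keylife range in seconds
KEYLIFE_KBYTES = (5120, 2147483648)   # P2 keylife range in kbytes


def in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def check_client(cfg):
    """Check a FortiClient-side policy against the limits in Tables 1 and 2."""
    out = []
    p1, p2 = cfg["phase1"], cfg["phase2"]
    if not p1["dh_groups"] or set(p1["dh_groups"]) - DH_GROUPS:
        out.append(("error", "phase1: DH groups must be chosen from 1, 2 and 5"))
    if p1["mode"] == "aggressive":
        # Table 1: aggressive mode exchanges identifying information in the clear.
        out.append(("warn", "phase1: aggressive mode sends peer identities in the clear"))
        # Table 1: the client side of an aggressive mode VPN uses one DH group.
        if len(p1["dh_groups"]) != 1:
            out.append(("error", "phase1: aggressive mode client selects exactly one DH group"))
    elif p1["mode"] != "main":
        out.append(("error", "phase1: mode must be main or aggressive"))
    if not in_range(p1["keylife_s"], KEYLIFE_SECONDS):
        out.append(("error", "phase1: keylife must be 120 to 172800 seconds"))
    if p2["dh_group"] not in DH_GROUPS:
        out.append(("error", "phase2: DH group must be 1, 2 or 5"))
    elif p2["dh_group"] == 1:
        out.append(("warn", "phase2: DH group 1 is the least secure choice"))
    secs, kbytes = p2.get("keylife_s"), p2.get("keylife_kb")
    if secs is None and kbytes is None:
        out.append(("error", "phase2: select Seconds, KBytes or both for the keylife"))
    if secs is not None and not in_range(secs, KEYLIFE_SECONDS):
        out.append(("error", "phase2: keylife must be 120 to 172800 seconds"))
    if kbytes is not None and not in_range(kbytes, KEYLIFE_KBYTES):
        out.append(("error", "phase2: keylife must be 5120 to 2147483648 kbytes"))
    return out


def check_match(client, gateway):
    """Compare client and gateway settings for the mismatches that stop negotiation."""
    out = []
    for phase in ("phase1", "phase2"):
        # The guide requires the same proposals on both ends; this reports the
        # case that always fails, where no proposal is shared at all.
        if not set(client[phase]["proposals"]) & set(gateway[phase]["proposals"]):
            out.append(("error", f"{phase}: no proposal in common with the gateway"))
    if not set(client["phase1"]["dh_groups"]) & set(gateway["phase1"]["dh_groups"]):
        out.append(("error", "phase1: no DH group in common with the gateway"))
    if client["phase2"]["dh_group"] != gateway["phase2"]["dh_group"]:
        out.append(("error", "phase2: DH group differs from the gateway"))
    if gateway["phase2"]["pfs"] and not client["phase2"]["pfs"]:
        out.append(("error", "phase2: gateway requires PFS but the client has it disabled"))
    return out


# Constructed sample configurations.
GATEWAY = {
    "phase1": {"proposals": ["3DES-SHA1"], "dh_groups": [5]},
    "phase2": {"proposals": ["3DES-SHA1"], "dh_group": 5, "pfs": True},
}
CLIENT_OK = {
    "phase1": {"proposals": ["3DES-SHA1", "AES128-SHA1"], "mode": "main",
               "dh_groups": [2, 5], "keylife_s": 28800},
    "phase2": {"proposals": ["3DES-SHA1"], "dh_group": 5, "pfs": True,
               "keylife_s": 1800, "keylife_kb": 5120},
}
CLIENT_BAD = {
    "phase1": {"proposals": ["3DES-SHA1"], "mode": "aggressive",
               "dh_groups": [1, 2], "keylife_s": 60},
    "phase2": {"proposals": ["DES-MD5"], "dh_group": 1, "pfs": False,
               "keylife_s": None, "keylife_kb": 1024},
}

if __name__ == "__main__":
    for name, cfg in (("CLIENT_OK", CLIENT_OK), ("CLIENT_BAD", CLIENT_BAD)):
        for severity, message in check_client(cfg) + check_match(cfg, GATEWAY):
            print(f"{name}: {severity}: {message}")
```
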

Configuring Virtual IP address acquisition

The FortiClient software supports two methods for virtual IP address acquisition: dynamic host configuration protocol (DHCP) over IPSec and manual entry.

Select the DHCP over IPSec option to allow the DHCP server in the remote network to dynamically assign an IP address to your FortiClient computer after the VPN connection is established.

Select the Manually Set option to manually specify a virtual IP address for your FortiClient computer. This virtual IP address must be an actual address in the remote network. You can specify the DNS and WINS server IP addresses of the remote network.

For information about how to configure the FortiGate gateway, see FortiGate Administration Guide and FortiGate VPN Guide.

Table 3: FortiClient advanced VPN settings

Replay Detection
With replay detection, the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received. If the same packets exceed a specified sequence range, the FortiClient software discards them.

PFS
Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

NAT Traversal
Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. If you enable NAT traversal, you can set the keepalive frequency. NAT traversal is enabled by default.

Keepalive Frequency
If NAT Traversal is selected, enter the Keepalive Frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Autokey Keep Alive
Enable this option to keep the VPN connection open even if no data is being transferred.

Dead Peer Detection
Enable this option to clean up dead VPN connections and establish new VPN connections.
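A sliding-window version of the sequence number check that the Replay Detection setting describes, following the standard IPsec anti-replay scheme (RFC 4303). This is an added example, not FortiClient's implementation; the 64-packet window and the class and function names are assumptions.

```python
# Added example of an IPsec-style anti-replay window. Window size and names
# are assumptions; the sample sequence numbers are constructed.
class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size      # number of sequence numbers tracked
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set means (highest - i) was already seen

    def check_and_update(self, seq):
        """Classify one sequence number and record it when accepted.

        A receiver calls this only after the packet has passed its integrity
        check, so that forged packets cannot move the window forward.
        """
        if seq <= 0:
            return "invalid"              # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"              # left of the window: cannot be verified, discard
        if self.bitmap & (1 << offset):
            return "replay"               # seen before: discard
        self.bitmap |= 1 << offset        # late but new: accept out-of-order packet
        return "accept"


def classify(sequence_numbers, size=64):
    """Run a list of received sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(seq) for seq in sequence_numbers]


# Constructed arrival order: reordering (5 before 4), a duplicate of 3,
# a jump to 70, then a stale 6 and a duplicate of 70.
SAMPLE = [1, 2, 3, 5, 4, 3, 70, 6, 69, 70]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(seq, verdict)
```
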

Note: If you are connecting to a v2.50 FortiGate gateway, you cannot set the virtual IP address to be in the same subnet of the remote network, because the v2.50 FortiGate gateway does not support proxy ARP. If you are connecting to a v2.80 FortiGate gateway, consult your network administrator for a proper virtual IP address.

Figure 5: Configuring virtual IP address acquisition

To configure virtual IP address acquisition

1 Go to VPN > Connections.

2 Select Add to add a new connection, or select Edit to edit an existing connection.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Acquire virtual IP address.

5 Select Config.

6 Select Dynamic Host Configuration Protocol (DHCP) over IPSec or Manually Set.

The default is DHCP.

7 If you select Manually Set, enter the IP address and subnet mask. Optionally specify the DNS and WINS server IP addresses.

8 Select OK.

Configuring eXtended authentication (XAuth)

If the remote FortiGate unit is configured as an XAuth server, it will require the FortiClient software to provide a user name and password when a VPN connection is attempted. The user name and password are defined by the XAuth server. They can be saved as part of an advanced VPN configuration, or they can be entered manually every time a connection is attempted.

For information about how to configure the XAuth server, see FortiGate Administration Guide and FortiGate VPN Guide.

Figure 6: Configuring eXtended authentication

To configure XAuth

1 Go to VPN > Connections.

2 Select Add to add a new connection, or select Edit to edit a connection.

3 Select Advanced.

4 In the Advanced Settings dialog box, select Config for eXtended Authentication.

5 In the Extended Authentication dialog box, do one of the following:

• If you want to enter the login user name and password for each VPN connection, select Prompt to login. When prompted to log in, you can select the password saving option so that you do not have to enter the password the next time you are prompted to log in.

• If you want to save the login user name and password, clear Prompt to login and enter the user name and password.

6 Select OK.

Monitoring VPN connections

Go to VPN > Monitor to view current VPN connection and traffic information.

Figure 7: VPN Monitor

For the current connection, you can view the following information.

Name
The name of the current VPN connection.

Local Gateway
The IP address of the local gateway (the FortiClient computer).

Remote
The IP address of the remote gateway (the FortiGate unit).

Time Out (sec)
The remaining lifetime of the VPN connection.

For the incoming VPN traffic, you can view the following information.

Packets
The number of packets received.

Bytes
The number of bytes received.

Encryption
The encryption algorithm and key.

Authentication
The authentication algorithm and key.

For the outgoing VPN traffic, you can view the following information.

Packets
The number of packets sent.

Bytes
The number of bytes sent.

Encryption
The encryption algorithm and key.

Authentication
The authentication algorithm and key.

Viewing the traffic summary

The traffic summary displays a graph of the incoming and outgoing VPN traffic. The left column displays incoming traffic and the right column displays outgoing traffic. The total number of incoming and outgoing bytes transferred is also displayed.

Note: When traffic is transferred over an open VPN connection, the FortiClient system tray icon will change to a traffic summary graph. The red column indicates incoming traffic. The green column indicates outgoing traffic.

Exporting and importing VPN policy files

You can export a VPN policy file to your local or network computer as a backup of the VPN configuration settings. If required, you can import this file back to your local FortiClient PC or to other FortiClient PCs.

To export a VPN policy file

1 Go to VPN > Connections.

2 Select the connection for which you want to export the VPN policy file.

3 Select Export.

4 Select a file folder and enter a file name.

5 Select Save.

To import a VPN policy file

1 Select Import.

2 Locate the file and select Open.

Note: If the imported file has the same file name as an existing connection, it will overwrite the existing one.

Troubleshooting

Most connection failures are due to a configuration mismatch between the remote FortiGate unit and the FortiClient software.

The following are some tips to troubleshoot a VPN connection failure:

• PING the remote FortiGate firewall from the FortiClient computer to verify you have a working route between the two.

• Check the FortiClient software configuration. Some common FortiClient software configuration errors are listed in Table 4.

• Check the FortiGate firewall configuration. Some common FortiGate Antivirus Firewall configuration errors are listed in Table 5.

Table 4: Common FortiClient software configuration errors

Configuration Error: Wrong remote network information.
Correction: Check the IP addresses of the remote gateway and network.

Configuration Error: Wrong preshared key.
Correction: Reenter the preshared key.

Configuration Error: Wrong Aggressive Mode peer ID.
Correction: Reset to the correct Peer ID.

Configuration Error: Mismatched IKE or IPSec proposal combination in the proposal lists.
Correction: Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals.

Configuration Error: Wrong or mismatched IKE or IPSec Diffie-Hellman group.
Correction: Make sure you select the correct DH group on both ends.

Configuration Error: No Perfect Forward Secrecy (PFS) when it is required.
Correction: Enable PFS.

Table 5: Common FortiGate Antivirus Firewall configuration errors

Configuration Error: Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external.
Correction: Change the policy to internal-to-external.

Configuration Error: Wrong firewall policy source and destination addresses.
Correction: Reenter the source and destination address.

Configuration Error: Wrong order of the encryption policy in the firewall policy table.
Correction: The encryption policy must be placed above other non-encryption policies.

Starting up VPN before logging on to Windows

If you need to log on to a Windows domain through a VPN when you start up your Windows workstation, select the Start VPN before logging on to Windows option on the VPN > Connections page. The VPN tunnel will start up prior to Windows logon, so that you can be authenticated by the domain through the VPN tunnel.

Note: To use the VPN tunnel before you log on to a domain, you must activate a virtual adapter. Therefore, you must also use the virtual IP acquisition feature. See “Configuring Virtual IP address acquisition” on page 24.

Managing digital certificates

To use local or smartcard digital certificates, you need:

• a signed certificate,
• the certificate authority (CA) certificates for any CAs you are using,
• any applicable certificate revocation lists (CRLs).

Getting a signed smartcard certificate

Getting a signed local certificate

If you want to have a local certificate signed by the CA server and then import it into FortiClient, follow the steps below.

The FortiClient software can use a manual, file based enrollment method or the simple certificate enrollment protocol (SCEP) to get certificates. SCEP is simpler, but can only be used if the CA supports SCEP.

File-based enrollment requires copying and pasting text files from the local computer to the CA, and from the CA to the local computer. SCEP automates this process but CRLs must still be manually copied and pasted between the CA and the local computer.

General steps to get a signed local certificate

1 Generate the local certificate request. See “To generate a local certificate request” on page 30.

2 Export the local certificate request to a .csr file. See “To export the local certificate request” on page 31.

3 Send the signed local certificate request to a CA. See “To send the certificate request to a CA” on page 32.

4 Retrieve the signed certificate from a CA. See “To retrieve the signed local certificate from the CA” on page 32.

5 Import the signed local certificate into FortiClient. You can also back up the certificate by exporting it. See “To import the signed local certificate” on page 32 and “To export the signed local certificate” on page 32.

Figure 8: Generating a local certificate request

To generate a local certificate request

1 Go to VPN > My Certificates.

2 Select Generate.

3 Enter a Certificate Name.

Note: The digital certificates must comply with the X.509 standard.

4 Under subject information, select the ID Type for the subject.

You can select from domain name, email address or IP address.

5 Enter the information for the ID type that you selected.

Domain name
If you selected domain name, enter the fully qualified domain name of the FortiClient computer being certified.

Email address
If you selected email address, enter the email address of the owner of the FortiClient computer being certified.

IP address
If you selected IP address, enter the IP address of the FortiClient computer being certified.

6 Optionally select Advanced and enter the advanced setting information.

Email
Enter a contact email address for the FortiClient computer user.

Department
Enter a name that identifies the department or unit within the organization requesting the certificate for the FortiClient computer (such as Manufacturing or MF).

Company
Enter the legal name of the organization requesting the certificate for the FortiClient computer.

City
Enter the name of the city or town where the FortiClient Computer is located.

State/Province
Enter the name of the state or province where the FortiClient computer is located.

Country
Enter the name of the country where the FortiClient computer is located.

7 Select OK. The FortiClient software generates 1024-bit keys.

8 Select either File Based or Online SCEP as the enrollment method.

9 If you select file based enrollment, the private/public key pair is generated and the certificate request is displayed in the My Certificates list with the type of Request.

Continue with “To export the local certificate request”.

10 If you select Online SCEP as the enrollment method, select an issuer CA from the list provided or enter the URL of the CA server. If the FortiClient computer uses a proxy server, you must configure the proxy server settings before you can use online SCEP. See “Configuring proxy server settings” on page 12.

11 Select OK to generate the private and public key pair and the certificate request.

The FortiClient software:

• submits the local certificate request,
• retrieves and imports the signed local certificate,
• retrieves and imports the CA certificate.

The signed local certificate is displayed on the Local Certificates list with the type of Certificate. The CA certificate is displayed on the CA Certificates list. The expiration dates of the certificates are listed in the Valid To column of each list.

Continue with “Getting a CRL” on page 34.

To export the local certificate request

1 Go to VPN > My Certificates.

2 From the certificate list, select the local certificate to export.

3 Select Export.

4 Name the file and save it in a directory on the FortiClient computer.

After exporting the certificate request, you can submit it to the CA so that the CA can sign the certificate.

To send the certificate request to a CA

1 On the FortiClient computer, open the local certificate request using a text editor.

2 Connect to the CA web server.

3 Follow the CA web server instructions to:

• add a base64 encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.

To retrieve the signed local certificate from the CA

After you receive notification from the CA that it has signed the certificate request, connect to the CA web server and download the signed local certificate to the FortiClient computer.

To import the signed local certificate

1 Go to VPN > My Certificates.

2 Select Import.

3 Enter the path or browse to locate the signed local certificate on the FortiClient computer.

4 Select OK.

The signed local certificate is displayed on the Local Certificates list with the type of Certificate showing in the certificate list. The expiration date of the certificate is listed in the Valid To column.

To export the signed local certificate

1 Go to VPN > My Certificates.

2 Select the certificate and select Export.

3 In the Save As dialog box, select the folder where you want to save the file.

4 Enter a file name.

5 Select either PKCS7 or PKCS12. If you select PKCS12, you must enter a password.

6 Select Save.

Getting a signed smartcard certificate

If you are using a USB token (smartcard) certificate for authentication, you must also have the certificate signed by the CA server and install the signed certificate on your token.

The following procedure uses a Windows 2000 Advanced Server as an example.

Note: Current FortiClient releases support the Aladdin eToken PRO series USB tokens.

General steps to get a signed smartcard certificate

1 Send the certificate request to the CA server. See “To send a certificate request” on page 33.

2 Install the signed certificate on the token. See “To install a certificate” on page 33.

To send a certificate request

1 Log on to the CA server, for example, http://<CA_server>/certsrv.

2 Select Request a certificate, then select next.

3 Select Advanced request, then select next.

4 Select Submit a certificate request to this CA using a form.

5 In the request form:

• Enter the identifying information.
• For Intended Purpose, select Client Authentication Certificate.
• For CSP, select eToken Base Cryptographic Provider.
• Leave all other default settings.

6 Select Submit.

7 When prompted to enter the eToken password, enter the password. If you have not plugged the USB token into your computer’s USB port, you must do so now. Then the CA Web page displays that your certificate request has been received.

To install a certificate

1 Log on to the CA Server if the certificate has been signed.

2 Select Checking on a pending certificate, then select Next.

3 Select the certificate request, then select Next.

4 Select Install this certificate to install the certificate to the USB token.

Getting a CA certificate

For the FortiClient software and the FortiGate gateway to authenticate themselves to each other, they must both have a CA certificate from the same CA.

The FortiClient computer obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiClient computer.

To retrieve the CA certificate

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the CA certificate.

To import the CA certificate

1 Go to VPN > CA Certificates.

2 Select Import.

Note: The CA certificate must comply with the X.509 standard.

3 Enter the path or browse to locate the CA certificate on the FortiClient computer.

4 Select OK.

The CA certificate is displayed on the CA Certificates list. The expiration date of the certificate is listed in the Valid To column.

Getting a CRL

A CRL is a list of CA certificate subscribers paired with digital certificate status. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

The FortiClient software uses the CRL to ensure that the certificates belonging to the CA and the remote VPN peer are valid.

To retrieve the CRL

1 Connect to the CA web server.

2 Follow the CA web server instructions to download the CRL.

To import the CRL

1 Go to VPN > CRL.

2 Select Import.

3 Enter the path or browse to locate the CRL on the FortiClient computer.

4 Select OK.

The CRL is displayed on the CRL list.

Antivirus

Using the FortiClient antivirus feature, you can protect your computer by regularly scanning the computer for viruses. The FortiClient software can also perform real-time virus protection and monitor Windows Registry changes.

Scanning for viruses

You can run a quick scan to detect the most malicious viruses and worms. You can also set up scan schedules and scan the files in a specified folder.

Figure 9: Scanning for viruses

To run a quick scan

1 Go to Antivirus > Scan.

2 Select Quick Scan.

The Antivirus Scanning dialog box opens, displaying the scanning process and results.

3 To stop the scanning process, select Stop.

4 To view the detailed summary of the scanning process after the scan is finished, select View Result.

The infected file list displays the names of any infected files.

Depending on the option you choose on the Antivirus Settings tab, the FortiClient software does one of the following when it finds any viruses:

• Displays a virus alert message.
• Quarantines the virus-infected file.
• Cleans the virus-infected file.

For information about how to configure what happens when the FortiClient software finds a virus, see “Configuring antivirus settings” on page 36.

To scan files in a specified directory

1 Under File System Scan, select Browse to locate the directory to scan.

2 Select Scan Now.

To manage scan schedules

1 To add a schedule, select Add.

2 In the New Schedule dialog box, set up a new schedule.

You can set up daily, weekly, or one-time schedules. You can also specify which folder to scan.

3 To modify a schedule, select the schedule and then select Edit.

4 To delete a schedule, select the schedule, then select Delete.

Configuring antivirus settings

You can specify what types of files to scan and what to do when a virus is detected. You can also specify an SMTP server to use when submitting a quarantined file to Fortinet for analysis. For information on how to submit a quarantined file, see “Managing quarantined files” on page 40.

Figure 10: Configuring antivirus settings

The default antivirus settings are listed in Table 6.

Table 6: Default antivirus settings

Configuration Option: Setting
File types to scan: All files
Scan files with no extension: Enabled
What to do when a virus is found (manual scan): Clean
What to do when a virus is found (real-time protection): Deny access
Integrate with Windows shell: Enabled
Notify user the virus signature is out of date: Enabled

Note: If FortiClient cannot clean an infected file, it quarantines the file automatically.

To configure the antivirus settings

1 Go to Antivirus > Settings.

2 Select the file types to be scanned.

3 Add or delete file types to be scanned for viruses. See “Selecting file types to scan or exclude” on page 38.

4 Select files, folders and file types to be excluded from virus scanning.

• To exclude a file or folder, click the Select file and folders button, then select Add to add the file or folder to the exemption list.

• To exclude a file type, click the Select file types button, then add the file types.

For more information, see “Selecting file types to scan or exclude” on page 38.

5 Select what to do when a virus is found.

You can select Alert, Quarantine, or Clean. If you select Alert, a message is displayed if a virus is detected during real-time file system monitoring. If you select Quarantine, the FortiClient software moves the file to a quarantine directory. If you select Clean, the FortiClient software attempts to remove the virus from the infected file. Clean is selected by default.

6 Configure the settings to submit viruses. See “Specifying an SMTP server for virus submission” on page 39.

7 Select Integrate with Windows shell if you want to add a FortiClient antivirus scanning menu command to the shortcut menu in Windows Explorer. See “Integrating FortiClient antivirus scanning with Windows shell” on page 39.

8 Optionally select the Notify user the virus signature is out of date option.

9 Optionally select Advanced Settings.

On the Advanced Settings dialog box, you can:

• specify whether to scan the compressed files and the file size limit. The default size limit is 0, which means no limit.

• specify whether to scan grayware.

• enable heuristic scanning. FortiClient software uses heuristic techniques to scan files to find the unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection.

Selecting file types to scan or exclude

If you do not want the FortiClient software to scan all files for viruses, you can select file types from the default list of file types. You can add file types to or delete file types from the default file types list. You can create a list of file types to exclude from virus scanning. You can also reset the file types list to defaults.

Figure 11: Adding a new file extension

To add a new file type to the file types or exclusion list

1 Go to Antivirus > Settings.

2 Under either File types to scan or Exclusion list, click Select file types.

3 Select New.

4 Type the file extension to add to the list. You can add file types with double extensions.

5 Select OK.

Note: The exclusion list takes priority over the inclusion list. For example, if you select a file extension to scan, and also add the same file extension to the exclusion list, the files with this extension will not be scanned.

Specifying an SMTP server for virus submission

Instead of using the default mail server, you can specify an SMTP server to use when submitting the quarantined files.

To specify an SMTP server

1 Go to Antivirus > Settings.

2 Under Submit Virus, select Use this mail account to submit virus.

3 For SMTP server, enter the SMTP server that you use for outgoing email.

4 If the SMTP server needs authentication to log on, select Need authentication and enter the logon user name and password.

5 Select Apply.

Integrating FortiClient antivirus scanning with Windows shell

By integrating FortiClient antivirus scanning with Windows shell, you can use the FortiClient antivirus shortcut menu in Windows Explorer to scan the selected folders or files for viruses.

To integrate with Windows shell

1 Go to Antivirus > Settings.

2 Select Integrate with Windows Shell.

3 Select Apply.

In Windows Explorer, right-click one or more folders or files and select Scan with FortiClient Antivirus from the shortcut menu to scan them.

Configuring real-time protection

Configure the real-time protection settings to specify what types of files to scan and exclude and what happens when a virus is detected during real-time system monitoring.

To configure real-time protection

1 Go to Antivirus > Real-time Protection.

2 Select the file types to be scanned.

3 Add or delete file types to be scanned for viruses. See “Selecting file types to scan or exclude” on page 38.

4 Select files, folders and file types to be excluded from virus scanning.
• To exclude a file or folder, click Select file and folders, then click Add to add the file or folder to the exemption list.
• To exclude a file type, see “Selecting file types to scan or exclude” on page 38.

5 Under What to do when a virus is found, select Deny Access, Quarantine or Clean.

Deny Access   You cannot open, run or modify the file until it is cleaned.
Quarantine    The file is moved to a quarantine directory.
Clean         The FortiClient agent attempts to remove the virus from the infected file. Clean is selected by default.

Note: If FortiClient cannot clean an infected file, it quarantines the file automatically.

6 Select or clear the following two options:
• Do not pop up alert message box in real-time scan.
• Do not pop up alert message box in registry monitor.

7 Select Advanced Settings to specify compressed file and grayware scanning.

8 Select Apply.

Note: Scanning files with no extension is enabled by default.

Configuring email scanning

FortiClient software can scan incoming and outgoing emails and email attachments for viruses and worms.

Scanning emails for viruses

Go to Antivirus > Email to configure the FortiClient software to scan the incoming (POP3) and outgoing (SMTP) emails and attachments for viruses.

You can also enable email scanning for Microsoft Outlook client (MAPI) if Outlook connects to a Microsoft Exchange server.

Scanning emails for worms

To prevent worms from spreading with emails, you can use FortiClient’s worm detection feature.

Go to Antivirus > Email to enable worm detection.

Using Heuristics scanning

FortiClient software uses heuristic techniques to scan email attachments to find the unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection.

Go to Antivirus > Email to enable heuristics scanning.

Managing quarantined files

Quarantined files will remain in the quarantine directory until you delete them or restore them to their original location.

Through the default mail server or the SMTP server you specify, you can submit the quarantined file to Fortinet for analysis. For information on how to specify an SMTP server, see “Specifying an SMTP server for virus submission” on page 39.

Caution: Quarantined files may still be infected. Check the status of a quarantined file before restoring.

To manage the quarantined files

1 Go to Antivirus > Quarantine.

2 From the list, select the file(s).
• Select Restore to restore the file to its original location.
• Select Delete to delete the file.
• Select Submit to send the file to Fortinet.

Note: You can submit a maximum of three quarantined files a day.

Monitoring Windows startup list entries

Some viruses can modify existing Windows registry entries or insert new entries to cause malicious code to be executed when you start or log on to Windows. The FortiClient software can monitor the Windows startup list and detect unauthorized changes to the registry. The FortiClient software assumes the following registry changes are unauthorized if the changes were not made by an authorized user:

• adding, removing or modifying an application installation,
• changing an existing application’s configuration settings.

The startup list shows the Windows registry entries for any applications that are started as part of your Windows profile when you log on to Windows. The list includes applications that are displayed in the system tray. The list also includes any applications that are started transparently and are not displayed in the system tray.

Entries are displayed in three lists:

• The Rejected entries list displays new, unauthorized startup entries.
• The Changed entries list displays previously existing entries that have changed since the last Windows startup.
• The Current startup list displays all current registry entries.

The startup list is checked when the FortiClient software starts.
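The Rejected, Changed and Current startup lists can be reproduced by comparing a saved snapshot of startup entries with the present one. The following is an added example, not FortiClient code and not part of the original guide; the registry paths, entry names, the `approved` set and the separate `removed` list are constructed assumptions, since the guide does not say which keys are watched or where removed entries are shown.

```python
# Constructed registry locations for the sample data; the guide does not say
# which keys FortiClient itself monitors.
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshot taken at the previous Windows startup.
BASELINE = {
    (HKLM_RUN, "AudioTray"): r"C:\Program Files\Audio\tray.exe",
    (HKCU_RUN, "Updater"): r"C:\Program Files\Vendor\update.exe /background",
    (HKCU_RUN, "OldTool"): r"C:\Tools\old.exe",
}

# Constructed snapshot taken now.
CURRENT = {
    (HKLM_RUN, "AudioTray"): r"c:\program files\audio\TRAY.EXE",
    (HKCU_RUN, "Updater"): r"C:\Users\me\AppData\Local\Temp\update.exe /background",
    (HKCU_RUN, "svch0st"): r"C:\Users\me\AppData\Roaming\svch0st.exe",
    (HKLM_RUN, "BackupAgent"): r"C:\Program Files\Backup\agent.exe",
}


def normalize(command):
    """Collapse whitespace and case so cosmetic differences are not reported."""
    return " ".join(command.split()).casefold()


def classify_startup_entries(baseline, current, approved=frozenset()):
    """Compare two snapshots of startup entries.

    baseline, current: dict mapping (key_path, value_name) -> command line.
    approved: new entries the user has explicitly accepted (assumption: this
    is how an authorized change is recorded).
    """
    rejected, changed = [], []
    for entry_id, command in current.items():
        if entry_id not in baseline:
            if entry_id not in approved:
                rejected.append(entry_id)            # new and unauthorized
        elif normalize(baseline[entry_id]) != normalize(command):
            changed.append((entry_id, baseline[entry_id], command))
    # Removed entries are reported separately (assumption, see lead-in).
    removed = [entry_id for entry_id in baseline if entry_id not in current]
    return {
        "rejected": sorted(rejected),
        "changed": sorted(changed),
        "removed": sorted(removed),
        "current": sorted(current),
    }


def format_report(result):
    """Render the classification as plain text lines for review."""
    lines = []
    for key_path, name in result["rejected"]:
        lines.append(f"REJECTED {key_path}\\{name}")
    for (key_path, name), old, new in result["changed"]:
        lines.append(f"CHANGED  {key_path}\\{name}: {old} -> {new}")
    for key_path, name in result["removed"]:
        lines.append(f"REMOVED  {key_path}\\{name}")
    return lines


if __name__ == "__main__":
    report = classify_startup_entries(
        BASELINE, CURRENT, approved={(HKLM_RUN, "BackupAgent")}
    )
    print("\n".join(format_report(report)))
```

An entry whose command moves from a program directory to a user-writable path, like the constructed `Updater` value here, is the kind of change worth reviewing before it is accepted.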

Figure 12: Registry Monitor

To view Windows startup list entries

1 Go to Antivirus > Registry Monitor.

2 Under What to view, select Rejected entries, Changed entries or Current startup list.

3 Optionally select Refresh to refresh the startup list entries to view recently added, changed or rejected registry entries.

Restoring changed or rejected startup list entries

Changed or rejected entries can be restored.

To restore a changed or rejected startup list entry

1 Go to Antivirus > Registry Monitor.

2 Under What to view, select Changed entries or Rejected entries.

3 Select the entry you want to restore.

4 Select Restore.

Caution: If you are unsure what application an entry is for, do not restore the startup list entry.

Firewall

The FortiClient firewall protects your computer with the following features:

• Application level network access control. You can specify the applications that can access the network and be accessed by the network.
• Network security zone. The network is categorized into three zones: Public Zone, Trusted Zone, and Blocked Zone.
• Intrusion detection. FortiClient firewall can detect and block the common network attacks.
• Advanced firewall rules. You can create specific rules to control the traffic based on source addresses, destination addresses, protocols, or time frames.

For outbound traffic, only application level control rules are applied. The advanced firewall rules have no effect.

For inbound traffic, the advanced firewall rules are applied first, then the application control rules.

For traffic related to system processes, such as NetBIOS, the traffic is only accepted when it is allowed by both advanced rules and zone security settings.

Selecting a firewall mode

By default, FortiClient firewall runs in Normal mode to protect your system. You can go to Firewall > Status to select a different firewall mode (protection level).

FortiClient firewall has the following running modes:

Deny all   Blocks all the incoming and outgoing traffic.
Normal     You can select from the three protection profiles. See “Selecting a firewall profile” on page 43.
Pass all   No firewall protection.

Selecting a firewall profile

If you select the Normal firewall mode on Firewall > Status, you can select from the following firewall protection profiles:

Basic home use   Allows all outgoing traffic and denies all incoming traffic. Select this profile if your PC is a standalone home computer and not connected to other networks or PCs.
Basic business   Allows all outgoing traffic, allows all incoming traffic from the trusted zone, and denies all incoming traffic from the public zone. For zone information, see “Configuring network security zones” on page 45.
Custom profile   This is the default profile. The Custom profile allows you to configure the application level permissions, network zone permissions, and advanced firewall filtering rules. See “Configuring application access permissions” on page 44, “Configuring network security zones” on page 45, and “Configuring advanced firewall rules” on page 47.

Viewing traffic information

You can configure the FortiClient software to display the following network traffic information:

Inbound traffic               Number of incoming network packets.
Outbound traffic              Number of outgoing network packets.
Blocked network packets       Network packets that are blocked by the firewall.
Blocked application request   Number of blocked requests from outside to access your local applications and vice versa.
Current connections           Number of current connections between your system and the network.

Figure 13: Firewall status

To view the traffic information

1 Go to Firewall > Status.

2 Select the traffic type you want to view. The information displays in the graphical monitor.

3 Select View Connections to view the current active connections, listening ports, PID, and other detailed information.

4 By default, whenever FortiClient firewall blocks network traffic, a notification pops up at the FortiClient system tray icon area. To disable the blocked traffic notification, select the Disable taskbar notification for blocked network traffic option.

Configuring application access permissions

You can specify the applications that can access the network and be accessed by the network. To do this, you assign the applications access permissions. Three levels of access permissions are available:

Allow   Allows application access request without asking.
Ask     Prompts to ask your permission for the incoming or outgoing access requests.
Block   Blocks all access requests.

To add an application to the access control list

1 Go to Firewall > Applications.

2 Select Add.

3 In the Add New Application dialog box, enter or browse to the application path.

4 Select permission levels for the public zone and trusted zone.

5 Select OK.

Note: For applications not listed in the access control list, FortiClient asks for your permission when they attempt network access. By default, FortiClient allows the legitimate Windows system applications to access the network. These applications are displayed in the application control list. You can modify or delete the permission levels of these applications.

Note: Permission levels for the public zone can only be lower than or equal to those for the trusted zone.

Configuring network security zones

FortiClient firewall protects your system by categorizing the network systems into three zones.

Figure 14: Network security zones

Public Zone    By default, FortiClient firewall treats IP addresses in the public zone with the highest security level. You can also customize the security levels. See “Customizing security settings” on page 46.
Trusted Zone   By default, FortiClient firewall treats IP addresses in the trusted zone with medium-level security settings. For information about security level settings, see “Customizing security settings” on page 46.
Blocked Zone   All traffic to and from IP addresses in the blocked zone is not allowed.

FortiClient firewall prioritizes the zones in the order of blocked zone, trusted zone, and public zone. This means:

• If an IP address is listed in all of the three zones, it will be blocked.
• If it is listed in both the trusted and public zones, it will be trusted.
• If it is not listed in any of the three zones, it will be public.

Adding IP addresses to zones

You can add a subnet, an IP range, or an individual IP address to the network zones. You can also edit or delete the existing IP entries.

To add IP addresses

1 Go to Firewall > Network.

2 Select Add.

3 In the IP Address dialog box, select a zone and enter the IP addresses.

4 Optionally, enter a description.

5 Select OK.

Customizing security settings

For the public and trusted zones, you can use the default high, medium, or low level security settings. You can also customize these default settings.

High     By default, incoming connections are allowed only if there are listening ports for these connections.
Medium   By default, most of the connections are allowed unless you customize the settings. Note that the default medium security level settings for public and trusted zones are different:
         • For public zone, the incoming ICMP and NetBIOS packets are blocked.
         • For trusted zone, these packets are allowed.
Low      Packet level rule is disabled and application level control is on.

To customize the security settings

1 Go to Firewall > Network.

2 For Public Zone Security Level or Trusted Zone Security Level, move the slider to High or Medium.

3 Select Settings.

Note: The security level for the public zone can only be higher than or equal to that for the trusted zone.

Note: Low level security disables packet level rules and you cannot customize the Low level settings.

4 If you select High level, modify the following settings and select OK.

Allow ICMP in                                       Allows incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.
Allow NetBIOS in                                    Allows incoming NetBIOS traffic. By default, this option is not selected.
Allow NetBIOS out                                   Allows outgoing NetBIOS traffic. By default, this option is not selected.
Allow other inbound traffic coming from this zone   This option is selected by default.

5 If you select Medium level, modify the following settings and select OK.

Block other inbound traffic coming from this zone   This option is not selected by default.
Block ICMP in                                       Blocks incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.
Block NetBIOS in                                    Blocks incoming NetBIOS traffic. By default, this option is not selected.
Block NetBIOS out                                   Blocks outgoing NetBIOS traffic. By default, this option is not selected.

Configuring intrusion detection

FortiClient software can detect and block some common network attacks using hard-coded signatures. Because the signatures are hard-coded into the program, to get the latest signatures, you must install the latest FortiClient build.

Go to Firewall > Intrusion Detection to view the IP addresses where the detected attacks originate.

You can move the IP addresses to the blocked zone by selecting the Move to blocked zone button, so that the traffic from these IP addresses will be blocked.

If any of the IP addresses can be trusted, you can move the IP address to the trusted IP list by selecting the Trust this IP button, so that FortiClient will not detect traffic from this IP address any more.

You can also remove an IP from the Trusted IP list by selecting the Don’t trust this IP button.

Configuring advanced firewall rules

Apart from application access control, network zone security, and intrusion detection, FortiClient firewall protects your computer with another layer of security: advanced firewall rules.

The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify:

• Source and destination addresses can be your own computer, one of the two zones (Public Zone and Trusted Zone), a single IP address, a range of IP addresses, a subnet, or an address group. For information about adding an address group, see “Managing groups” on page 48.
• Network protocols can be TCP, UDP, or TCP/UDP.
• Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day.

The advanced firewall rules take precedence over the zone security settings. For example, if a rule blocks the traffic to the Trusted Zone, the traffic will be blocked.

To create a firewall rule

1 Go to Firewall > Advanced.

2 Select Add.

3 In the Add Rule dialog box, enter the following information and select OK.

Name          Enter a name for the rule.
Description   Optionally, enter a short description.
State         Either Enable or Disable the rule.
Action        Either Allow or Block the traffic.
Source        Apply the rule to the traffic that originates from the source address and terminates at your computer. Select Add to add the source address. For information about adding an address group, see “Managing groups” on page 48.
Destination   Apply the rule to the traffic that originates from your computer and terminates at the destination address. Select Add to add the destination address. For information about adding an address group, see “Managing groups” on page 48.
Protocol      Select Add to add a protocol to the rule. While specifying the protocol in the Add Protocol dialog box, you can also specify the destination and source ports.
Time          Select Add to add a day/time range when the rule should be executed. In the Add Time dialog box, specify a description, time range and one or more days. Time range is specified using a 24 hour clock.

Note: You can use any combination of the filtering criteria.

Managing groups

To simplify management, you can combine the source addresses, destination addresses, protocols, and time schedules into groups and use the groups when creating rules.

To create a group

1 Go to Firewall > Advanced.

2 Select Groups.

3 Select Address Group, Protocol Group, or Time Group.

4 Select Add.

5 Enter a name and description.

6 Select Add.

7 For an address group, enter the subnet, IP range, or IP address. For a protocol group, specify the protocol and port number. For a time group, specify the day and time range.

8 Select OK.

Web Filter

You can use the FortiClient web filtering feature to control web access according to the rules you specify. For instance, you can use the FortiClient predefined web access profile for children to prevent your children from accessing unhealthy web sites.

FortiClient software uses the FortiGuard-Web filtering service to help you control web URL access.

FortiGuard-Web is a managed web filtering solution provided by Fortinet. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. Your FortiClient PC accesses the nearest FortiGuard-Web Service Point server to determine the category of a requested web page. Then the FortiClient software decides either to allow or block the web page according to the categories you specify.

In addition to the control of web category access, FortiClient also allows you to specify URLs to block or bypass.

Setting the administration password

You must set a password to prevent users from modifying the web filter settings, shutting down the program, or uninstalling the program.

To set the password

1 Go to WebFilter > WebFilter.

2 Select Change Password.

3 Enter a password and select OK.

Configuring the web filter settings

FortiGuard-Web includes over 60 million individual ratings of web sites applying to hundreds of millions of pages. Pages are sorted and rated into 56 categories and these categories are divided into eight larger groups for easy management.

FortiClient comes with three predefined profiles to allow or block different combinations of the web categories.

Default   Default web filter settings, which are the same as those of the Child profile.
Child     Blocks the categories that are not suitable for children.
Adult     Only blocks the security violating web sites.

Figure 15: Web filter settings

To configure the web filter settings

1 Go to WebFilter > WebFilter.

2 Select Modify Settings.

3 Enter the password if you already set one.

4 In the Web Filter Settings dialog box, select Enable webfilter.

5 Select a profile from the Current profile list.

6 You can modify the category list if required. To cancel the modifications and use the default settings instead, select Default Values.

7 Select OK.

Specifying URLs to block or bypass

You can specify the exact URLs to block. You can also specify the URLs to bypass the block category.

To specify URLs to block or bypass

1 Go to WebFilter > WebFilter.

2 Select Modify Settings.

3 In the WebFilter Settings dialog box, select Settings.

4 In the Block or bypass specific url dialog box, select Add.

5 In the Set url permission dialog box, enter the URL.

In the URL box, you can enter:

• wildcard characters (* and ?) in URLs,
• complete URLs,
• IP addresses,
• partial URLs,
• file types, such as *.jpg to block all jpeg files, and *.swf to block all flash animations.

6 Select Block or Bypass.

7 Select OK.

Update

You can use the Update feature to update the AV definition and AV engine.

You can view the current AV definition and AV engine version information on the Update page.

Each copy of the FortiClient software has a unique identifier called UID. It is displayed at the upper right corner of the Update page. Whenever FortiClient sends out an update request, it also sends out the ID number. If you encounter any update problem, Fortinet technical support can use this number to pinpoint the problem.

If the FortiClient computer uses a proxy server, you can specify the proxy server settings so that the FortiClient software can get updates through the proxy server. See “Configuring proxy server settings” on page 12.

Updating FortiClient

Updates can be run manually or scheduled to run automatically on a daily basis.

To initiate immediate updates

1 Go to Update.

2 Select Update Now.

Under Update Status, you can view the update process and results.

To schedule updates

1 Under Update Schedule, select the check update option and enter the time.

2 Select Apply.

Note: The default update server is forticlient.fortinet.com. If you want to use a different server, select the Use this server to update option and enter the URL of the update server. You do not need to specify http:// or https:// as part of the URL.

To manually update the software and antivirus signatures

1 Download the FortiClient update package file (.pkg file) to the FortiClient computer.

2 Go to Update and select Manual Update.

3 In the Open dialog box, locate the update package file and select Open.

Logs

Use the FortiClient logging feature to configure logging of different types of events for any or all of the FortiClient services.

Configuring log settings

You can specify the log level, log type, log size, and log entry lifetime.

Figure 16: Configuring log file settings

To configure log settings

1 Go to Logs > Settings.

2 Enter the Maximum Log Size.

The default is 5120 KB. Log entries are overwritten, starting with the oldest, when the maximum log file size is reached.

3 Enter the Maximum Life Time.

Log entries are deleted once they reach the specified maximum life time. The default is 0 days, which means log entries are kept until the maximum log size is reached.

Note: If the log file reaches either the specified maximum file size or the specified maximum life time, whichever comes first, the oldest log entries will be deleted.

4 Select the Log Level.

You can select Error, Warning or Information. The default is Warning.

5 Select what to log.

You can select either All events or Check to select. If you choose Check to select, specify the types of events to log.

6 Select Apply.

Managing log files

The log viewer can display logs of all events or only the events associated with a specific service. You can view, save, clear, or refresh the log entries.

To manage the log messages

1 Go to Logs > Logview.

2 From the dropdown list, select the log entry type you want to view.

3 Use the log navigation buttons to move between log entries or to move to the top or bottom of the log file. The most recent log entries are displayed at the top of the list.

Optionally select a specific log entry from the log window to view the complete log entry information.

4 To save the log messages, select Export.

5 To delete all the log messages, select Clear All.

6 To display the most recent log messages, select Refresh.

Using the FortiClient system tray icon menus

Many of the frequently used FortiClient features are available from the system tray icon menus.

Figure 17: FortiClient system tray icon menus

Open FortiClient Console                  Opens the management console so that you can configure the settings and use the services.
FortiClient Help                          Opens the online help.
VPN                                       If you have already added VPN tunnels, you can start or stop the VPN connections by selecting or deselecting the connection names. See “Connecting to the remote FortiGate network” on page 20.
Enable/Disable Realtime AV Protection     For details, see “Configuring real-time protection” on page 39.
Enable/Disable Startup Registry Monitor   For details, see “Monitoring Windows startup list entries” on page 41.
Firewall                                  You can select Deny All, Normal, or Pass All. See “Selecting a firewall mode” on page 43.
Enable/Disable WebFilter                  For details, see “Web Filter” on page 49.
Shutdown FortiClient                      Stops all FortiClient services and closes FortiClient console.

Frequently asked questions

This chapter lists some of the most frequently asked questions. For many questions, you can also find answers in other chapters of this user guide.

1 Is it possible to evaluate FortiClient?
Yes. Please contact Fortinet Technical Support. See http://support.fortinet.com.

2 Does FortiClient support Windows XP SP2?
FortiClient v1.2 MR1 and newer versions support it.

3 What languages does FortiClient support?
English and simplified Chinese.

4 Does FortiClient support a proxy server?
Yes. Go to the General > Connection page to configure the settings.

5 Why is automatic update not available?
You may be using an evaluation version. Otherwise, check the update settings and the network connection.

6 Does FortiClient support DHCP over IPSec?
FortiClient supports this feature. Please note that the remote gateway should also be configured to support it.

7 When manually setting a virtual IP for FortiClient, can I use an IP address that is in the same subnet as the remote network?
If FortiClient connects to a v2.50 FortiGate unit, the manually set IP address must be on a different subnet. For example, if the remote network is 192.168.1.0, you can use 192.168.2.1 as the virtual IP address for FortiClient.

If FortiClient connects to a v2.80 FortiGate unit, the IP address can either be on the same subnet as the remote network, or on a different subnet.

8 Does FortiClient support DDNS?
FortiClient v1.2 and newer versions support Dynamic DNS names.

9 Does FortiClient work over any dialup Internet connection?
FortiClient only supports the native Windows dialup client. If your ISP requires third-party dialup software, FortiClient may not support it.

10 Can I install FortiClient together with other antivirus software?
No. Two antivirus programs may conflict with each other.

FortiClient tries to detect if there is any conflict. When a conflict is detected, FortiClient turns off its realtime protection to avoid system lockup.

11 Why does my computer’s performance become very slow when I open a folder with many ZIP files in it?
FortiClient tries to open each zip file to scan for viruses. If you have a lot of zip files, you can turn off the compressed file scanning or lower the compressed file size limit to scan by selecting Advanced Settings on the Antivirus > Realtime Protection page.

12 Why am I unable to access other subnets after installing FortiClient?
FortiClient firewall categorizes IP addresses into three zones:

• Trusted Zone. By default, only your own subnet belongs to this zone. Network sharing (NetBIOS) is allowed in this zone.
• Public Zone. Network sharing is not allowed in this zone.
• Blocked Zone. All traffic to and from this zone is blocked.

Therefore, you must add the networks you want to access to the Trusted Zone. To do this, go to the Firewall > Network page.
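The zone lookup behind this answer, together with the blocked, trusted, public priority order from “Configuring network security zones”, can be modelled as follows. This is an added example, not FortiClient code and not part of the original guide; the entry syntax (CIDR subnets and `first-last` ranges), the class and function names, and all addresses are constructed assumptions.

```python
import ipaddress

# Priority order stated in the guide: blocked zone, trusted zone, public zone.
PRIORITY = ("blocked", "trusted", "public")


def parse_entry(text):
    """Parse a single IP, a subnet (CIDR) or a 'first-last' range into networks."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        # Raises ValueError if last < first, TypeError if IPv4 and IPv6 are mixed.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False accepts '192.168.1.5/24' and a bare address (as a /32 or /128).
    return [ipaddress.ip_network(text, strict=False)]


class ZoneTable:
    """Zone membership lists with the guide's priority rule."""

    def __init__(self):
        self.entries = {zone: [] for zone in PRIORITY}

    def add(self, zone, text):
        if zone not in self.entries:
            raise ValueError(f"unknown zone: {zone}")
        self.entries[zone].append((text, parse_entry(text)))

    def classify(self, address):
        """Return the effective zone for one address."""
        addr = ipaddress.ip_address(address)
        for zone in PRIORITY:
            for _text, networks in self.entries[zone]:
                if any(addr in net for net in networks):
                    return zone
        return "public"          # not listed anywhere: public

    def shadowed(self):
        """List lower-priority entries that a higher-priority entry overrides."""
        found = []
        for i, high in enumerate(PRIORITY):
            for low in PRIORITY[i + 1:]:
                for high_text, high_nets in self.entries[high]:
                    for low_text, low_nets in self.entries[low]:
                        if any(h.overlaps(l) for h in high_nets for l in low_nets):
                            found.append((high, high_text, low, low_text))
        return found


def build_sample_table():
    """Constructed sample: own subnet trusted by default, as FAQ 12 describes."""
    table = ZoneTable()
    table.add("trusted", "192.168.1.0/24")
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.classify("192.168.2.10"))       # another subnet: public
    table.add("trusted", "192.168.2.0/24")      # the fix from FAQ 12
    table.add("blocked", "192.168.2.40-192.168.2.60")
    for ip in ("192.168.2.10", "192.168.2.50", "10.0.0.1"):
        print(ip, "->", table.classify(ip))
    for item in table.shadowed():
        print("overridden:", item)
```

Checking `shadowed()` before widening the Trusted Zone shows which hosts inside the new subnet stay blocked and which public entries stop having any effect.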

13 Can FortiClient firewall co-exist with other firewalls?
If more than one firewall is installed and enabled on one PC, there may be some conflicts. Please use one firewall at a time.

14 Are all the applications blocked for outgoing and incoming connection requests by default?
No. There is a predefined safe list of applications that FortiClient does not block, for instance, the Windows system programs. You can configure the application permissions by going to the Firewall > Applications page.

15 Can the network attack signatures be updated?
No. The attack signatures are hard-coded into the program. To get the latest signatures, you should install the latest FortiClient builds.

FortiClient Host Security Version 2.0 MR1 User Guide04-20001-0183-20051017

Page 57: FortiClient Host Security User Guide

FortiClien04-20001

Index

A
advanced
    configuration 11
antivirus 34
antivirus settings
    configuring 36, 37
authentication 27
autokey keep alive 24

B
bytes
    incoming VPN traffic 27
    outgoing VPN traffic 27

C
CA certificate
    getting a CA certificate 33
    importing 33
    retrieve 33
certificate
    eToken 32
    importing a CA certificate 33
    smartcard 32
city
    local certificate request 31
comments on Fortinet technical documentation 5
company
    local certificate request 31
configuration
    advanced 11
    error 29
    option 37
connect
    to a remote FortiGate gateway 20
    to the remote FortiGate network 20
connection
    testing 17, 18
country
    local certificate request 31
CRL
    getting a CRL 34
    importing 34
    retrieve 34
customer service and technical support 6

D
dead peer detection 24
default policy settings
    modifying 21
department
    local certificate request 31
DH group
    policy setting 23
digital certificate management
    certificate management 29
domain name
    local certificate request 31

E
email
    local certificate request 31
email address
    local certificate request 31
email scanning 40
encryption
    incoming VPN traffic 27
    outgoing VPN traffic 27
entering a license key 11
error
    configuration 29
eToken certificate 32
exclude
    selecting the file types to exclude 38
exclusion list
    adding a new file extension 38
exporting
    local certificate request 31
extended authorization (XAuth)
    configuring 25

F
file extension
    add to the file types or exclusion list 38
file types
    adding a new file extension 38
    selecting the file types to scan or exclude 38
FortiClient software
    manual update 51
FortiGate gateway
    connect to 20
FortiGate models
    supported by FortiClient 7
FortiGate network
    connect to 20
FortiGate unit
    configuring 15
FortiOS versions
    supported by FortiClient 7

G
general settings 11


Page 58: FortiClient Host Security User Guide


I
icon
    status 12
IKE and IPSec policies
    configuring 21
IKE proposals 23
import
    CA certificate 33
    CRL 34
    signed local certificate 32
installation 7
introduction 5, 55
intrusion detection 47
IP address
    local certificate request 31
IPSec policies
    configuring 21
IPSec proposals 23

K
keepalive frequency 24
key
    entering a license key 11
key life
    incoming VPN traffic 23
    outgoing VPN traffic 23

L
legacy policy settings
    modify 21
license key
    enter 11
    entering 11
local certificate
    city 31
    company 31
    country 31
    department 31
    domain name 31
    email 31
    email address 31
    importing a signed local certificate 32
    IP address 31
    requesting 32
    retrieving a signed local certificate 32
    state/province 31
local gateway 27
local id 23
log file
    configuring settings 52
    viewing 53
logs 52
    managing log files 53

M
manage
    log files 53
    quarantined files 40
    scan schedules 36
mode
    policy setting 23
monitoring VPN connections 26
    name 27

N
name
    monitoring VPN connections 27
NAT traversal 24

O
obtaining a signed local certificate 29

P
packets
    incoming VPN traffic 27
    outgoing VPN traffic 27
PFS
    advanced VPN setting 24
policies
    configuring 21
policy settings
    modifying default 21
    modifying legacy 21
proposal
    IKE 23
    IPSec 23
protection
    configuring real-time 39

Q
quarantined files
    managing 40
quick scan
    running 35
quick start 9

R
real-time protection
    configuring 39
remote
    monitoring VPN connections 27
remote FortiGate network
    connect to 20
replay detection 24
request a signed local certificate 32
restore
    changed startup list entry 42
    quarantined file 41
    rejected startup list entry 42
retrieve
    CA certificate 33
    CRL 34
    signed local certificate 32

S
scan
    files in a specified directory for viruses 35


Page 59: FortiClient Host Security User Guide


    for viruses 34
    selecting the file types to scan 38
settings
    general 11
signed local certificate
    importing 32
    requesting 32
smartcard certificate 32
startup list entries
    viewing 42
startup list entry
    restoring a changed or rejected startup list entry 42
state/province
    local certificate request 31
status icons 12

T
test
    connection 17, 18
time out
    monitoring VPN connections 27
traffic summary
    viewing 28
troubleshooting 28

U
update
    FortiClient software 51
update schedule
    setting 51
URL
    block or bypass 50

V
virtual IP address acquisition
    configuring 24, 25
VPN 13
    monitoring connections 26
    troubleshooting 28
VPN connections 28
VPN settings
    configuring 14

W
web filter 49
    configuring 49

X
XAuth
    configuring 26


Page 60: FortiClient Host Security User Guide
