FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
mforbes
Staff
Article Id 195045
Description
Introduced in FortiOS 5.4.1, network "Compliance" restricts endpoint access to the physical network environment when it is enforced on a FortiGate.

For FortiClient in managed mode, an administrator enables and disables endpoint compliance from the FortiGate. When endpoint compliance is enabled, FortiClient must be installed on the endpoint devices, and FortiClient Telemetry must be connected to the FortiGate. Once FortiClient Telemetry is connected, the FortiClient endpoint receives a profile from the FortiGate that contains the compliance rules and, optionally, some FortiClient configuration information.

Scope
How to Disable Endpoint Compliance Enforcement on FortiGate when FortiGate is on FortiOS 5.4.1 or higher.

FortiClient Messages:
"Compliance enforcement feature requires FortiClient Telemetry connection to a FortiGate device".
"This computer is Not-Compliant with FGXXXXXXXXXXXX (IP_Address) Click to Disconnect".
"This computer is in compliance with FGXXXXXXXXXXXX (IP_Address) Click to Disconnect".


Solution
Log in to the FortiGate and disable the following:


Network Interfaces
======================================================
Go to System/Feature Select -> Enable "Endpoint Control" view.
Go to System/Interface -> Edit client-facing Interfaces (LAN, Internal).
Disable "FortiTelemetry" from under the Administrative Access section.
Disable "Enforce FortiClient Compliance Check", located under "Admission Control/Security Mode" section (FortiOS 5.6.X).
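As an added check (not from this article or from Fortinet), the script below audits a FortiOS configuration backup and reports any interface where the settings above are still enabled. It assumes the CLI keys fortiheartbeat (shown as "FortiTelemetry" in the GUI) and endpoint-compliance from the FortiOS 5.4 CLI reference; the configuration text is constructed.

```python
# Added example, not Fortinet's code. Keys 'fortiheartbeat' (GUI: FortiTelemetry) and
# 'endpoint-compliance' are assumed from the FortiOS 5.4 CLI reference; config is constructed.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set fortiheartbeat enable
        set endpoint-compliance enable
        config ipv6
            set ip6-mode static
        end
    next
    edit "dmz"
        set fortiheartbeat enable
        set endpoint-compliance disable
    next
end
"""

ENFORCEMENT_KEYS = ("fortiheartbeat", "endpoint-compliance")

def parse_interfaces(config_text):
    """Return {interface: {key: value}} from the 'config system interface' table."""
    interfaces, current, in_section, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
        elif line.startswith("config "):   # nested sub-table such as 'config ipv6'
            depth += 1
        elif line == "end" and depth:
            depth -= 1                     # closes a nested sub-table
        elif line == "end":
            break                          # closes 'config system interface'
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip('"')
            interfaces[current] = {}
        elif depth == 0 and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value
    return interfaces

def find_enforcing_interfaces(config_text):
    """Map each interface to the enforcement settings that are still enabled."""
    findings = {}
    for name, settings in parse_interfaces(config_text).items():
        enabled = [k for k in ENFORCEMENT_KEYS if settings.get(k) == "enable"]
        if enabled:
            findings[name] = enabled
    return findings
```

Run it against a real backup exported from System/Config to confirm no client-facing interface is reported before assuming enforcement is off.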


SSL VPN
======================================================
Edit SSL VPN settings.
Disable "Allow Endpoint Registration".


Telemetry Data (FortiOS 5.6.x)
======================================================
Go to Security Profiles/FortiClient Profiles
Edit "default" Profile, set the following options:
- Non-compliance action -> leave as "Warning".
- Disable "Endpoint Vulnerability Scan on Client".
- Disable "System Compliance".
- Disable "Security Posture Check".


FortiClient Endpoint Compliance (FortiOS 5.4.x)
======================================================
Go to Security Profiles/FortiClient Profiles
Edit "default" Profile, set the following options:
- Non-compliance action -> set to "Warning".
- Disable "Endpoint Vulnerability Scan on Client".
- Disable "System Compliance".
- Disable "AntiVirus".
- Disable "Web Filter".
- Disable "Application Firewall".



Removing Quarantined Devices
======================================================
To remove any devices that might have been quarantined because of Endpoint Compliance,
Go to Monitor/FortiClient Monitor.
Switch from "By Interface" to "By Compliance Status". (top-right)
Expand "Noncompliant" section.
Select any/all devices, right-click, in menu select "Exempt this device" or "Exempt all devices of this type". (FortiOS 5.4.X)
Select any/all devices, right-click, in menu select "Unregister".

Alternatively, from CLI:
- diag endpoint registration deregister all (select 'y' at the prompt)



Additional:
- All "Licensed/Registered" FortiGates come with 10 licenses.
- FortiGates running FortiOS 5.4.1 or HIGHER can be used to enforce Endpoint Compliance. (Network Access)
- FortiGates running FortiOS 5.4.0 or LOWER can be used to enforce Endpoint Control. (Internet Access)
