Network Interfaces
======================================================
1. Go to System/Feature Select and enable the "Endpoint Control" view.
2. Go to System/Interface and edit the client-facing interfaces (LAN, Internal).
3. Disable "FortiTelemetry" under the Administrative Access section.
4. Disable "Enforce FortiClient Compliance Check", located under the "Admission Control/Security Mode" section (FortiOS 5.6.X).

SSL VPN
======================================================
1. Edit SSL VPN settings.
2. Disable "Allow Endpoint Registration".

Telemetry Data (FortiOS 5.6.x)
======================================================
1. Go to Security Profiles/FortiClient Profiles.
2. Edit the "default" profile and set the following options:

   - Non-compliance action -> leave as "Warning".
   - Disable "Endpoint Vulnerability Scan on Client".
   - Disable "System Compliance".
   - Disable "Security Posture Check".

FortiClient Endpoint Compliance (FortiOS 5.4.x)
======================================================
1. Go to Security Profiles/FortiClient Profiles.
2. Edit the "default" profile and set the following options:

   - Non-compliance action -> set to "Warning".
   - Disable "Endpoint Vulnerability Scan on Client".
   - Disable "System Compliance".
   - Disable "AntiVirus".
   - Disable "Web Filter".
   - Disable "Application Firewall".

Removing Quarantined Devices
======================================================
To remove any devices that might have been quarantined because of Endpoint Compliance:

1. Go to Monitor/FortiClient Monitor.
2. Switch from "By Interface" to "By Compliance Status" (top-right).
3. Expand the "Noncompliant" section.
4. Select any/all devices, right-click, and in the menu select "Exempt this device" or "Exempt all devices of this type" (FortiOS 5.4.X).
5. Select any/all devices, right-click, and in the menu select "Unregister".

Alternatively, from the CLI, run the following command and select 'y' at the prompt::

    diag endpoint registration deregister all

Additional:

- All "Licensed/Registered" FortiGates come with 10 licenses.
- FortiGates running FortiOS 5.4.1 or higher can be used to enforce Endpoint Compliance (Network Access).
- FortiGates running FortiOS 5.4.0 or lower can be used to enforce Endpoint Control (Internet Access).