FortiClient Endpoints always attempt Registration to one of two Management devices, either a FortiGate or an Enterprise Management Server (EMS).
What's the difference?
Endpoint Compliance - when enforced by a FortiGate, FortiClient Endpoints are barred from accessing the network if their settings do not match the Compliance rules specified in a FortiClient Compliance Profile.
Endpoint Control - implemented on FortiClient EMS. When FortiClient EMS is used, the FortiGate should be running FortiOS 5.4.1 or higher.
To disable FortiTelemetry
1. Go to System/Feature Visibility/Security Features -> Set 'Endpoint Control' to the ON position, click 'Apply'.
2. Go to Network/Interfaces -> Edit any Interface that shows 'FortiTelemetry' under the 'Access' column -> un-check 'FortiTelemetry', then save the settings.
VPN Tunnels
IPSec VPN tunnels use a sub-interface, and FortiTelemetry is enabled on it by default. Make sure to expand the sub-interface, edit it, and disable FortiTelemetry there as well.
- SSL VPN does not create a sub-interface; it listens on any interface that has been assigned.
- Go to VPN/SSL VPN Settings. Locate "Allow Endpoint Registration" and verify it is disabled.
3. Go to Security Profiles/FortiClient Compliance Profiles -> Disable "System Compliance"
4. To discard all FortiClient Endpoints that may have Registered, open a Command Line to the FortiGate, then run the following command:
diag endpoint registration deregister all <ent>
FortiGate will reply with the following...(select 'y' to proceed)
This operation will deregister all FortiClients!
Do you want to continue? (y/n)
Close the CLI window.
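A check that can follow the procedure above, as an added example (not Fortinet's code): it scans the `config system interface` section of a configuration backup and lists every interface, including IPsec tunnel interfaces, where FortiTelemetry is still enabled. The keywords `listen-forticlient-connection` and `fortiheartbeat` are assumptions about how the setting is named in the CLI, which varies by FortiOS release; the sample configuration is constructed.

```python
# Assumption: the CLI keyword for per-interface FortiTelemetry varies by FortiOS
# release; confirm the name for your version in its CLI reference.
TELEMETRY_SETTINGS = ("listen-forticlient-connection", "fortiheartbeat")

# Constructed sample backup excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
        set fortiheartbeat enable
    next
    edit "branch-vpn"
        set type tunnel
        set fortiheartbeat enable
        set interface "port1"
    next
    edit "port2"
        set fortiheartbeat disable
    next
end
"""

def interfaces_with_telemetry(config_text, settings=TELEMETRY_SETTINGS):
    """Return (interface, is_tunnel, keyword) for each interface still enabled."""
    findings, depth, name, state = [], 0, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            # Only the interface section is of interest.
            depth = 1 if line == "config system interface" else 0
        elif line.startswith("config "):
            depth += 1              # nested block inside an interface entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name, state = line[5:].strip().strip('"'), {}
        elif depth == 1 and name and line.startswith("set "):
            parts = line.split()
            state[parts[1]] = parts[2:]
        elif depth == 1 and name and line == "next":
            for keyword in settings:
                if state.get(keyword) == ["enable"]:
                    findings.append((name, state.get("type") == ["tunnel"], keyword))
            name = None
    return findings

if __name__ == "__main__":
    for name, is_tunnel, keyword in interfaces_with_telemetry(SAMPLE_CONFIG):
        kind = "tunnel interface" if is_tunnel else "interface"
        print(f"{kind} {name}: {keyword} still enabled")
```

An empty result on a backup taken after the change means no interface in that section still has either keyword enabled.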
Copyright 2024 Fortinet, Inc. All Rights Reserved.