FortiClient
smitha
Staff
Article Id 191271

Description

When deploying FortiClient with an instant clone, the master image must not contain a UID. This article explains how to deploy an instant clone with FortiClient installed, using FortiClient and EMS versions 6.0.3 or higher.

*** Please note that most of this article is described in the FortiClient Administration Guide under the section Provisioning > Installing FortiClient as part of a cloned disk image. This article may not apply to every scenario; Fortinet provides basic guidelines on how to implement a cloned image with FortiClient installed on it. ***

Solution

Part A - VMware Instant Clones:

(1) Create the master VM image and make sure it is added to the domain.

(2) Install and configure FortiClient to suit your requirements. You can use a standard or customized installation package.

(3) To create the master VM instant clone template, the UID must be removed from FortiClient.

a. Ensure that FortiClient is not connected to EMS (if it is, de-register it or click the ‘Disconnect’ button).

Part A - Step 3a - i.png

Part A - Step 3a - ii.png

b. Right-click the FortiClient icon in the system tray and select ‘Shutdown FortiClient’.

Part A - Step 3b.png

c. Obtain the FortiClientTools.zip file from https://support.fortinet.com; the RemoveFCTID.exe tool is included in it.

d. Place RemoveFCTID.exe in a folder on the master image.

e. Run RemoveFCTID.exe on the master VM image. The tool must be run with administrative privilege (right-click and run as administrator, or run it from an elevated command prompt). You can also place the tool on a shared drive (if needed).

IMPORTANT:

After you remove the UID, do not reboot the VM before you create the image/template. A new UID is created when the VM reboots (before logon), and the FortiClient image must not have a UID. Also, do not run RemoveFCTID.exe as part of a logon script.

(4) Delete the folder with the expanded FortiClientTools.zip as part of the cleanup on the master VM image. If the tool was run from a shared drive, there is nothing to delete.

(5) Shut down / power off the master image (do not reboot it) and create a snapshot. The master image should never be powered on again.

(6) This template becomes the master used to generate instant clones. If you modify the template by bringing it online, you must repeat the steps above to remove the UID and create a new master template.

(7) Create a VM pool and generate new instant clones that are part of your Active Directory domain OU structure (very important).

They should automatically populate into EMS (if you are syncing your Active Directory to EMS).

Once the clones show in EMS, follow the process below to give each new clone its own unique UID. This must be completed each time new clones are added: if the pool size increases, you must complete these cleanup steps again.

For example: if you have 30 clones and need to add 10 more (for a total of 40) to the group, you must complete the steps below again. Once your pool is set, you only need to run through the steps below once (but repeat them if additional clones are added).

Part B - EMS configurations for Instant Clones:

(1) Go to EMS > Administration > Logs and click ‘Clear Filters’.

(2) Click the funnel icon just to the left of the word ‘Occurrences’, type UID and press Enter. You should see log entries like this:

The FortiClient with UID BE2807AB9E2D44818B806B20C6E32249's changed from <HOST A> <IP A> to <HOST B> <IP B> The network might have multiple FortiClients with duplicated UIDs

Part B - Step 2.png

(3) Go to Gateway Lists > Manage Gateway Lists and click ‘+Add’.

Part B - Step 3.png

(4) Give the gateway list a name, enter the IP or FQDN of your EMS server in the ‘IP addresses/hostnames’ field (make sure it matches what is shown in the ‘Managed By EMS’ field) and click ‘Save’.

(5) Assign the gateway list you created to all your domains and workgroups: go to Endpoints > Domains, right-click your domain and choose the name of your gateway list from the ‘Assign Gateway’ list option. It is recommended to do the same for your workgroups (if any) by going to Endpoints > Workgroups > All Groups. For the VMs, make sure the VM group you created has the gateway list added and synced. You will need to wait about 10 minutes (depending on the size of your organization) for this to sync to all your FortiClients.

(6) Once you have assigned your gateway lists, verify that they have synced by going to your VM group; a green circle is shown beside the gateway list name on the hosts.

Part B - Step 6.png

(7) Go to System Settings > Logs and, on the ‘Clear Logs every’ option, click the ‘Clear now’ button. This lets you verify that no further duplicate UIDs come in after you complete the next step.

Part B - Step 7.png

(8) Go to System Settings > Endpoints, tick the box next to ‘Allow Duplicate FortiClient Registrations’, click ‘OK’ and then ‘Save’. EMS then sends a command to all registered FortiClients to re-register with a new UID (so each UID in the EMS database is unique).

Part B - Step 8.png

(9) Go to Administration > Logs and verify that duplicate UIDs no longer come in as the endpoints re-register with EMS. If you go to Dashboard > FortiClient Status, you will notice that ‘Licenses Used’ drops to 0 and, as you refresh, the count slowly increases until all endpoints are registered again.

Important:

If you add more instant clones after completing this process, you must complete steps 7 through 9 again. On step 8, untick the ‘Allow Duplicate FortiClient Registrations’ box, click ‘Save’, wait about 3-4 minutes, re-tick ‘Allow Duplicate FortiClient Registrations’, click ‘OK’ and then ‘Save’.
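
As an added example (not from this article or from Fortinet), the following Python script parses an exported EMS log for the duplicate-UID message shown in Part B step 2 and reports every UID seen on more than one host, which is the check step 9 asks you to make by eye. The log layout outside the quoted message, the hostnames and the IP addresses are assumptions; the UID is the one quoted in the article.

```python
import re
from collections import defaultdict

# Regex for the EMS "duplicated UIDs" log message quoted in Part B, step 2.
# The article shows hosts/IPs as placeholders (<HOST A> <IP A>); a live log
# carries real hostnames and IPv4 addresses, which is what this matches.
UID_LOG_RE = re.compile(
    r"The FortiClient with UID (?P<uid>[0-9A-Fa-f]{32})(?:'s)? changed from "
    r"(?P<old_host>\S+) (?P<old_ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<new_host>\S+) (?P<new_ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def hosts_by_uid(log_lines):
    """Map each UID in the duplicate-UID messages to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for line in log_lines:
        m = UID_LOG_RE.search(line)
        if m:  # unrelated EMS log entries are skipped
            seen[m["uid"].upper()].update((m["old_host"], m["new_host"]))
    return seen


def find_duplicate_uids(log_lines):
    """Return {uid: sorted hosts} for every UID that moved between two or more hosts.

    An empty result after Part B step 9 means no endpoint is still sharing a UID.
    """
    return {uid: sorted(h) for uid, h in hosts_by_uid(log_lines).items() if len(h) > 1}


# Constructed sample export (not a real EMS log): the timestamps, hostnames and
# IPs are made up; the UID is the one quoted in the article.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 The FortiClient with UID BE2807AB9E2D44818B806B20C6E32249's "
    "changed from VDI-CLONE-01 10.0.5.11 to VDI-CLONE-02 10.0.5.12 "
    "The network might have multiple FortiClients with duplicated UIDs",
    "2024-01-01 10:00:07 The FortiClient with UID BE2807AB9E2D44818B806B20C6E32249's "
    "changed from VDI-CLONE-02 10.0.5.12 to VDI-CLONE-01 10.0.5.11 "
    "The network might have multiple FortiClients with duplicated UIDs",
    "2024-01-01 10:00:09 Endpoint LAPTOP-07 registered",  # unrelated entry
]

if __name__ == "__main__":
    for uid, hosts in find_duplicate_uids(SAMPLE_LOG).items():
        print(f"UID {uid} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it again over a fresh export after step 9: an empty result means the re-registration produced unique UIDs, while any UID still listed identifies clones that have not re-registered yet.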