Endpoint Network Access Control; Overview; Enforcing Use Of Forticlient Software - Fortinet Version 4.0 MR1 Administration Manual

Endpoint Network Access Control

Endpoint Network Access Control

Overview

Enforcing use of FortiClient software

FortiClient Endpoint Security Version 4.0 MR1 Administration Guide
04-40001-99556-20090626
http://docs.fortinet.com/ • Feedback
This chapter describes how to enforce the use of FortiClient by using a FortiGate unit's
Endpoint NAC feature.
This chapter contains the following sections:
• Overview
• Enforcing use of FortiClient software
• Configuring FortiGuard Services
• Setting the FortiClient version
• Enabling Endpoint Control
FortiGate units prevent viruses and other threats on the Internet from passing through the
firewall to your private network. However, a computer, especially a portable computer,
might become infected from media or unprotected connection to another network. This
infection could spread on your internal network. FortiClient Endpoint Control protects the
computer on which it is installed.
Endpoint NAC (Network Access Control) enforces the use of FortiClient endpoint security
in your network. The compliance check ensures that the endpoint is running the most
recent version of the FortiClient software, checks that the antivirus signatures are up-to-
date, and are not using any blocked applications (application detection).
You enable endpoint control in a FortiGate firewall policy. When traffic attempts to pass
through the firewall policy, the FortiGate unit runs compliance checks on the originating
host on the source interface. Non-compliant endpoints are blocked. If web browsing, they
receive a message telling them that they are non-compliant, or they are redirected to a
web portal where they can download the FortiClient application installer.
Endpoint control requires that all hosts using the firewall policy have FortiClient Endpoint
Security software installed. Make sure that all hosts affected by this policy are able to
install this software. Currently, FortiClient Endpoint Security is available for Microsoft
Windows 2000 and later only.
To set up endpoint control on your FortiGate unit, you need to
• Enable FortiGuard. This is required if you will use FortiGuard Services to update
FortiClient software or antivirus signatures. You do not need to enter account
information. See "Configuring FortiGuard Services" on page
• Set the minimum required version of FortiClient and configure the source of FortiClient
installer downloads for non-compliant endpoints. See
on page 30.
• Enable endpoint control in the appropriate FortiGate firewall policies. See
Endpoint Control" on page 32.
30.
"Setting the FortiClient version"
"Enabling
Overview
29