FortiClient EMS Lab Guide for FortiClient EMS 6.2
© FORTINET

Fortinet Training: http://www.fortinet.com/training
Fortinet Document Library: http://docs.fortinet.com
Fortinet Knowledge Base: http://kb.fortinet.com
Fortinet Forums: https://forum.fortinet.com
Fortinet Support: https://support.fortinet.com
FortiGuard Labs: http://www.fortiguard.com
Fortinet Network Security Expert Program (NSE): https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
Feedback Email: courseware@fortinet.com

12/17/2019

TABLE OF CONTENTS

Virtual Lab Basics
  Network Topology
  Lab Environment
  Remote Access Test
  Logging In
  Disconnections and Timeouts
  Screen Resolution
  Sending Special Keys
  Student Tools
  Troubleshooting Tips
Lab 1: FortiClient Installation and Configuration
  Exercise 1: Installing FortiClient
    Install FortiClient Using a Custom Installer File from EMS
  Exercise 2: Testing the FortiGuard Web Filter
    Verify FortiGuard Connectivity
    Identify Web Filter Categories
    Review a FortiGuard Category-Based Web Filter
    Test the Web Filter
    Verify a Web Filter Exclusion List
    Test the Web Exclusion List
  Exercise 3: Understanding Antivirus Protection and Vulnerability Scan
    Verify Real-Time Protection on AntiVirus Protection
    Test the Antivirus Real-Time Configuration
    Run an On-Demand Vulnerability Scan
  Exercise 4: Modifying the FortiClient XML File
    Install FortiClient VPN only software
    Download the FortiClient Configuration File
    Modify the FortiClient XML File
    Upload the Modified XML File and Review the Changes to Remote Access
Lab 2: FortiClient EMS Configuration
  Exercise 1: Accessing the GUI and Creating a FortiClient EMS Administrator
    Access the FortiClient EMS GUI
    Create a New FortiClient EMS Administrator
  Exercise 2: Configuring FortiClient EMS System Settings
    Configure Server Settings
    Configure Log Settings
    Configure Login Banner Settings
  Exercise 3: Creating an Endpoint Group, Group Assignment Rule, and Running Scans
    Create an Endpoint Group for a Windows Workgroup
    Create a Group Assignment Rule for Windows Endpoints
    Run Antivirus and Vulnerability Scans on a Registered Endpoint
  Exercise 4: Enabling the Security Fabric to Trigger Automatic Quarantine
    Verify FortiClient Log Settings
    Enable the Security Fabric on the Root FortiGate
Lab 3: Deployment and Provisioning using FortiClient EMS
  Exercise 1: Creating a Deployment Package and Gateway List for Deployment
    Create an Installer Profile in Profile Components
    Create a Gateway List
  Exercise 2: Adding Endpoints to FortiClient EMS
    Add Endpoints Using an AD Domain Server
  Exercise 3: Creating and Assigning an Endpoint Profile for Deployment
    Create an Endpoint Profile on FortiClient EMS
    Create a Profile to Deploy FortiClient
    Enable the Web Filter Feature in the Endpoint Profile
    Provision a VPN in the Endpoint Profile
    Create an Endpoint Policy to Assign the Endpoint Profile and Telemetry Gateway List to the Endpoints
  Exercise 4: Configuring and Testing Compliance Rules to Create Dynamic Groups and Policies
    Create a Compliance Verification Rule
    Connect to the Security Fabric for Compliance
    Create a User Group and a Policy on FortiGate
    Test the Compliance Policy
Lab 4: Diagnostics and Troubleshooting
  Exercise 1: Running Diagnostic Tools
    Run the FortiClient Diagnostic Tool
    Run the FortiClient EMS Diagnostic Tool

Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your classroom, then ignore this section. This section applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that give each student their own training lab environment, or point of delivery (PoD).

FortiClient 6.2 Lab Guide, Fortinet Technologies Inc.

Remote Access Test

Before starting any course, check that your computer can connect to the remote data center successfully. The remote access test verifies that your network connection and your web browser can support a reliable connection to the virtual lab. You do not have to be logged in to the lab portal to run the remote access test.

To run the remote access test

1. From a browser, access the following URL: https://use.cloudshare.com/test.mvc
   If your computer connects successfully to the virtual lab, you will see the message All tests passed!
2. Inside the Speed Test box, click Run. The speed test begins. Once complete, you will get an estimate of your bandwidth and latency. If those estimates are not within the recommended values, you will get an error message.

Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to log in. You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a link and a passphrase.

To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3.
Enter your first and last name.
4. Click Register and Login.
   Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
5. To open a VM from the dashboard, do one of the following:
   - From the top navigation bar, click a VM's tab.
   - From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs. When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console of a Fortinet VM.

For most lab exercises, you will connect to a jumpbox VM, which could be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.

Disconnections and Timeouts

If your computer's connection to the VM times out or closes, to regain access, return to the window or tab that contains the list of VMs for your session, and reopen the VM. If that fails, see Troubleshooting Tips on page 11.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size. To configure the screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also change the color depth.

Sending Special Keys

You can use the Virtual Keyboard panel to send either the Ctrl-Alt-Del combination or the Windows key. From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard.
Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance.

Troubleshooting Tips

- Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
- Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
- For best performance, use a stable broadband connection, such as a LAN.
- You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency, and general performance.
- If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
- If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset.
- If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert. Reverting to the VM's initial state will undo all of your work. Try other solutions first.
- During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears. To expedite the response, enter the following command in the CLI:

    execute update-now

Lab 1: FortiClient Installation and Configuration

In this lab, you will examine FortiClient manual installation and explore its security features.
Objectives

- Install FortiClient on a Windows host
- Test the FortiGuard category-based option for web filtering
- Test real-time protection scanning
- Run an on-demand vulnerability scan

Time to Complete

Estimated: 25 minutes

Prerequisites

Before beginning this lab, you must make sure that the installer file from the EMS deployment package is available on the desktop of the FortiClient-Laptop VM, in the Resources folder.

Exercise 1: Installing FortiClient

In this exercise, you will install FortiClient on the FortiClient-Laptop VM.

In 6.2.0, FortiClient must be used with FortiClient EMS. FortiClient must connect to EMS to activate its license and be provisioned with the endpoint profile that the administrator configured in EMS. For this exercise, we have provided a deployment package file from EMS. You cannot use any FortiClient features until FortiClient is connected to EMS and licensed. After installation, FortiClient will be managed by EMS, and all security profiles have already been configured to perform the lab tasks.

Install FortiClient Using a Custom Installer File from EMS

In this section, you will install FortiClient using an installer file from EMS.

To install FortiClient using the installer file from EMS

1. On the FortiClient-Laptop VM, on the desktop, open the Resources folder.
2. Run FortiClientSetup_6.2.1_x64.exe to start the FortiClient installation.
3. Accept the license agreement, and then click Next to start the installation.
4. By default, the FortiClient files will install in the C:\Program Files\Fortinet\FortiClient\ folder.
5. Click Next to continue.
6. Click Install.
The setup wizard starts installing FortiClient on the host machine.

7. Click Finish after the FortiClient installation is complete.
   Next, FortiClient downloads all the signature databases to get up to date. It may take some time before the download completes and FortiClient is available to configure other options. However, you can continue with the lab steps, because the download process runs in the background.
8. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
9. In the list on the top, click Open FortiClient Console to open the FortiClient GUI. Allow some time for FortiClient to receive its full configuration from EMS.

Exercise 2: Testing the FortiGuard Web Filter

In this exercise, you will examine the FortiClient web filter based on FortiGuard categories, first by making sure that FortiClient can contact the FortiGuard servers. Then, you will review a category-based web filter security profile on FortiClient, and inspect the HTTP traffic. Finally, you will test the different actions FortiClient takes, according to website categories.

Verify FortiGuard Connectivity

You will verify connectivity to the FortiGuard distribution servers (FDS) from the FortiClient host machine.

To verify FortiGuard connectivity

1. On the FortiClient-Laptop VM, open the CLI, and ping fgd1.fortigate.com. If FortiClient can contact FortiGuard, you should see successful ping replies.

Identify Web Filter Categories

In order to understand web filter categories, you must first identify how specific websites are categorized by the FortiGuard service.

To identify web filter categories

1.
Continuing on the FortiClient-Laptop VM, open a new browser tab, and visit http://www.fortiguard.com/webfilter.
2. Use the Web Filter Lookup tool to search for the following URL: http://www.youtube.com
   YouTube is listed in the Streaming Media and Download category.
3. Use the Web Filter Lookup tool again to find the web filter category for the following websites:
   - http://www.viber.com/
   - http://www.ask.com/
   - http://www.bing.com/

You will test your web filter using these websites as well. The following table shows the category assigned to each URL, as well as the action FortiClient is configured to take based on your web filter settings:

Website                      | Category                     | Action
http://www.dailymotion.com/  | Streaming Media and Download | Block
http://www.viber.com/        | Internet Telephony           | Warning
http://www.bing.com/         | Search Engines and Portals   | Allow
http://mp3.com               | Streaming Media and Download | Block

Review a FortiGuard Category-Based Web Filter

You will review the web filtering profile and the configuration of the FortiGuard category-based filter.

To review the web filter profile

1. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
2. To open the FortiClient GUI, click Open FortiClient Console.
3. Verify that the FortiGuard category-based filter is enabled.
4.
On the Web Filter tab, in the upper-right corner, click the settings icon.
5. Review the configured actions for each category:

   Category                    | Action
   Potentially Liable          | Block
   Adult/Mature Content        | Allow: Sports Hunting and War Games, Sex Education, Lingerie and Swimsuit. Block: all other subcategories
   General Interest - Personal | Allow
   General Interest - Business | Allow
   Unrated                     | Allow

   Tip: Expand or click Adult/Mature Content to view the subcategories.

6. To view the subcategories, click Bandwidth Consuming to expand it.
7. Verify that Streaming Media and Download is set to Block, and Internet Telephony is set to Warn.

Test the Web Filter

For the purposes of this lab, you will test the web filter security profile configured for each category.

To test the web filter

1. Continuing on the FortiClient-Laptop VM, open a new web browser tab and visit http://www.dailymotion.com. The system blocks the page, according to the predefined action for this website category.
2. Open a new web browser tab and visit http://www.viber.com/. The system displays a warning, according to the predefined action for this website category.
3. To accept the warning and access the website, click Proceed.
4. Open a new web browser tab and visit http://www.bing.com/. This website loads because it belongs to the Search Engines and Portals category, which is set to Allow.

Verify a Web Filter Exclusion List

In this procedure, you will verify that the URL www.mp3.com is included in the exclusion list.

To verify that a URL is included in the exclusion list

1. On the FortiClient-Laptop VM, open the FortiClient console, and then select WEB FILTER.
2.
On the Web Filter tab, in the upper-right corner, click the settings icon.
3. To expand Exclusion List, click the + sign.

Test the Web Exclusion List

You will test the web exclusion list you reviewed in the previous procedure.

To test the web exclusion list

1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and try to access the website www.mp3.com. The website is allowed because it matches an exclusion list entry, which bypasses the FortiGuard block category. If you try again to access www.dailymotion.com, FortiGuard will still block it.

Exercise 3: Understanding Antivirus Protection and Vulnerability Scan

In this exercise, you will use antivirus to understand how FortiClient performs real-time protection. You will also learn how a vulnerability scan helps detect and patch application vulnerabilities that can be exploited by known and unknown threats.

Verify Real-Time Protection on AntiVirus Protection

You will verify the AV settings on FortiClient.

To view and verify the current FortiClient AntiVirus Protection settings

1. On the pane on the left side of the window, click Malware Protection, and verify that real-time protection is enabled.
2. You can also click the settings icon, and verify that the Scan files as they are downloaded or copied to my system checkbox is selected.

Test the Antivirus Real-Time Configuration

You will download the EICAR test file to your FortiClient-Laptop VM. The EICAR test file is an industry-standard, harmless file that antivirus products detect as a virus, so it can be used to test antivirus detection without causing damage.
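As an added example (not FortiClient code and not part of the lab), the following Python script models what real-time protection does with the EICAR test file: it detects the file by its published definition, including inside an in-memory stand-in for the eicar_com.zip archive the lab downloads, and substitutes a replacement message for the download. The replacement message wording is made up, and the archive is constructed in memory so nothing is written to disk.

```python
"""Model of real-time protection handling the EICAR test file: detect it by its
published definition (also inside a zip archive) and hand the browser a
replacement message instead of the file. Added example, not FortiClient code."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# The 68-byte EICAR string from the lab text, split in two so that this source
# file itself is not a byte-exact copy of the test file (a scanner watching the
# directory would otherwise quarantine the script).
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Published definition: exactly the 68 bytes, optionally followed by nothing
# but whitespace (space, tab, LF, CR, CTRL-Z), total length at most 128 bytes.
EICAR_MAX_LEN = 128
_EICAR_RE = re.compile(rb"\A" + re.escape(EICAR_SIGNATURE) + rb"[ \t\r\n\x1a]*\Z")


def is_eicar(data: bytes) -> bool:
    """True if data is the EICAR test file according to its definition."""
    return len(data) <= EICAR_MAX_LEN and _EICAR_RE.match(data) is not None


@dataclass
class ScanResult:
    verdict: str                                   # "clean" or "quarantined"
    content: bytes                                 # what the browser receives
    hits: List[str] = field(default_factory=list)  # detections as file[/member]


def scan_download(filename: str, data: bytes) -> ScanResult:
    """Real-time protection as the lab describes it: if the download (or an
    archive member) is EICAR, quarantine it and substitute a replacement
    message; otherwise pass the bytes through unchanged."""
    hits: List[str] = []
    if is_eicar(data):
        hits.append(filename)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # A member larger than 128 bytes cannot be EICAR, so it is not
                # even decompressed; this also bounds the data the scan touches.
                if info.file_size > EICAR_MAX_LEN:
                    continue
                if is_eicar(zf.read(info)):
                    hits.append(f"{filename}/{info.filename}")
    if hits:
        # Constructed replacement message; FortiClient's real text differs.
        msg = ("Download blocked: EICAR test file detected in "
               + ", ".join(hits) + ". The file has been quarantined.")
        return ScanResult("quarantined", msg.encode(), hits)
    return ScanResult("clean", data)


def make_eicar_zip() -> bytes:
    """Constructed, in-memory stand-in for eicar_com.zip (never written to disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicar.com", EICAR_SIGNATURE)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_download("eicar_com.zip", make_eicar_zip()).content.decode())
    print(scan_download("readme.txt", b"just text").verdict)
```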
The file contains the following characters:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To test the antivirus configuration

1. Continuing on the FortiClient-Laptop VM, open a new web browser tab, and visit the following website: http://eicar.org
2. On the EICAR website, in the upper-right corner of the page, click DOWNLOAD ANTI MALWARE TESTFILE.
3. On the left side of the page, click the Download link.
4. In the Download area using the standard protocol https section, download the sample file named eicar_com.zip.
   FortiClient should quarantine the download attempt and insert a replacement message similar to the following example. FortiClient shows the HTTP/HTTPS virus message when it blocks or quarantines infected files.
5. Click Close to close the alert window.
6. On the download window, click OK to save the file.
7. Change the download location to Desktop, and then click Save.
   You should see that the file you downloaded to the desktop shows a download error in the Firefox downloads dialog.

Why did the download fail?

Stop and think! Because the file is quarantined, an EMS administrator must whitelist it and restore it to view the content.

Run an On-Demand Vulnerability Scan

In this section, you will test an on-demand vulnerability scan.

To run an on-demand vulnerability scan

1. Continuing on the FortiClient console, on the pane on the left side of the window, select Vulnerability Scan to view the tab.
2. On the Vulnerabilities tab, click Scan Now to start an on-demand scan.
3.
After the scan is finished, you will see the scan results under Vulnerabilities Detected.
4. To review the vulnerability details, click Critical, and then expand the third-party app. In this case, FortiClient cannot automatically install the software patch because the recommended action is Manual Install. You can manually download and install the latest version of the vulnerable software to fix the vulnerability.
5. Close all open windows.

Exercise 4: Modifying the FortiClient XML File

In this exercise, you will modify the FortiClient XML file. For this exercise, you must install the free FortiClient VPN-only software.

Install FortiClient VPN only software

You will install the FortiClient VPN-only software to use specifically for this exercise.

To install the FortiClient VPN-only software

1. On the AD Server VM, click Desktop > Resources, and then open the file FortiClientVPNSetup_6.2.1.0831_x64 to install FortiClient.
2. Click Next, and then click Install to start the installation.
3. Click Finish to complete the installation.
4. On the desktop, double-click the FortiClient VPN shortcut to launch the application.

Download the FortiClient Configuration File

You will download the FortiClient XML backup file so you can understand the format and make changes.

To download the FortiClient configuration file

1. On the AD Server VM, open the FortiClient GUI.
2. On the left side of the window, click the settings icon.
3. In the System section, click Backup. A new window opens.
4. Save the backup file as FortiClient-backup.conf on the desktop.
5. Click Save to save the file.
After the file is successfully backed up, you will receive a confirmation from FortiClient.
6. Click OK to complete the process.
7. Right-click the saved file and select Edit with Notepad++ to open the saved file in Notepad++, so you can review the XML configuration. You will see all of the default settings.

Modify the FortiClient XML File

Now, you will open the XML file in Notepad++ to review and modify it by applying the VPN settings from another XML file. Make sure you follow the XML design considerations discussed in the lesson; otherwise, the configuration file will be invalid.

To modify the FortiClient XML file

1. On the AD Server VM, click Desktop > Resources, and then open the Student-XML-config.conf file to review the VPN XML settings.
2. Open the FortiClient-backup.conf file. Press Ctrl+F, and search for the keyword "connections".
   Important: In the backup file, <sslvpn> contains only an empty, self-closing <connections/> element; there is no <connections>...</connections> block with content.
3. Copy all of the XML content of the <connections> section of the Student-XML-config.conf file, and then paste it into the FortiClient-backup.conf file to add the VPN profile. The XML configuration belongs in the <sslvpn> section, after </options>. After making the changes, the XML configuration will appear as follows:
   You must change the closing syntax from <connections/> to </connections> in the FortiClient-backup.conf file. Otherwise, you will receive an invalid file error when you try to restore the configuration on FortiClient. There must be an opening <connections> tag and a matching closing </connections> tag.
4. Click the Save icon to save the changes.
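As an added example (not the lab's or Fortinet's code), the following Python script performs the same edit programmatically and checks the result before it is restored: it replaces the empty <connections/> under <sslvpn> with a populated <connections>...</connections> block, and it shows that a careless paste which leaves <connections/> in place produces a file that is not well-formed, which is the class of error behind "Failed to process the file". The sample XML is constructed and simplified; the element names around sslvpn/options/connections are assumptions modeled on FortiClient's XML layout, and the VPN server address is a placeholder.

```python
"""Merge an SSL VPN <connections> block into a FortiClient XML backup and
validate the result before restoring it. Added example, not FortiClient code."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed, simplified stand-in for FortiClient-backup.conf. Only
# sslvpn/options/connections come from the lab text; the surrounding element
# names are assumptions modeled on the FortiClient XML layout.
BACKUP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
      </options>
      <connections/>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

# Constructed stand-in for the <connections> section of Student-XML-config.conf.
# The profile name Student-SSL is from the lab; the server is a placeholder.
STUDENT_CONNECTIONS_XML = """<connections>
  <connection>
    <name>Student-SSL</name>
    <description>Lab SSL VPN profile</description>
    <server>vpn.example.invalid:10443</server>
  </connection>
</connections>
"""

# What a careless paste produces: the original self-closing tag is left in
# place, so the document ends up with an unmatched </connections>.
BROKEN_XML = BACKUP_XML.replace(
    "<connections/>",
    "<connections/>\n" + STUDENT_CONNECTIONS_XML.split("\n", 1)[1],
)


def validate_backup(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file should restore.
    Mirrors the lab's advice: on 'Failed to process the file', check for a
    missing element or an incorrect XML hierarchy or syntax."""
    problems: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    sslvpn = root.find("./vpn/sslvpn")
    if sslvpn is None:
        return ["missing <vpn><sslvpn> hierarchy"]
    if sslvpn.find("options") is None:
        problems.append("<sslvpn> has no <options> section")
    connections = sslvpn.find("connections")
    if connections is None:
        problems.append("<sslvpn> has no <connections> element")
    else:
        for i, conn in enumerate(connections.findall("connection")):
            if not (conn.findtext("name") or "").strip():
                problems.append(f"connection #{i} has no <name>")
    return problems


def merge_sslvpn_connections(backup_xml: str, connections_xml: str) -> str:
    """Insert the <connection> entries from connections_xml into the backup's
    <sslvpn><connections> element. Because the parser treats <connections/> as
    an empty element, appending children turns it into a proper
    <connections>...</connections> block, the fix the lab calls for.
    An existing entry with the same <name> is replaced, not duplicated."""
    root = ET.fromstring(backup_xml)
    sslvpn = root.find("./vpn/sslvpn")
    if sslvpn is None:
        raise ValueError("backup has no <vpn><sslvpn> section")
    target = sslvpn.find("connections")
    if target is None:
        target = ET.SubElement(sslvpn, "connections")  # lands after <options>
    incoming = ET.fromstring(connections_xml)
    if incoming.tag != "connections":
        raise ValueError("expected a <connections> root element")
    existing = {c.findtext("name"): c for c in target.findall("connection")}
    for conn in incoming.findall("connection"):
        name = conn.findtext("name")
        if name in existing:
            target.remove(existing[name])
        target.append(conn)
    if hasattr(ET, "indent"):  # Python 3.9+; cosmetic only
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def connection_names(xml_text: str) -> List[str]:
    """Names of the SSL VPN profiles in a backup, in document order."""
    root = ET.fromstring(xml_text)
    return [c.findtext("name") for c in root.iterfind(".//sslvpn/connections/connection")]


if __name__ == "__main__":
    print("naive paste:", validate_backup(BROKEN_XML))
    merged = merge_sslvpn_connections(BACKUP_XML, STUDENT_CONNECTIONS_XML)
    print("merged:", validate_backup(merged) or "OK", connection_names(merged))
    print(merged)
```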
Upload the Modified XML File and Review the Changes to Remote Access

You will restore the modified XML file on FortiClient and review the VPN feature. You'll see that there is a VPN connection configured on FortiClient.

To upload the modified XML file and review the changes to remote access

1. Continuing on the AD Server VM, on the FortiClient GUI, in the pane on the left side of the window, click Unlock Settings > Settings.
2. Unlock the system settings, and then in the System section, click Restore.
3. Click Desktop > Resources, and then select the file FortiClient-backup.conf to restore the new settings to FortiClient.
   If the file is restored successfully, a message window opens. Otherwise, you will see the error "Failed to process the file". If you see this error, check whether the XML file is missing or has an incorrect XML hierarchy or syntax.
4. After the file is restored, FortiClient will inform you with a message. Click OK to proceed.
5. Click the Home icon.
6. Click to see the changes. There is a new SSL VPN profile named Student-SSL.
7. To review the connection details, click VPN > Settings.
   On the GUI, you can make and save further changes to the VPN settings.
8. Click the Windows icon, and open Control Panel > Uninstall a Program.
9. Find the FortiClient application in the installed programs list, and click it to select the application.
10.
Click Uninstall to remove the FortiClient application.
11. Once FortiClient is uninstalled, reboot the AD Server to complete the removal process.
   We will be using the AD Server to deploy another version of FortiClient later in the labs; therefore, it is important for you to remove the current FortiClient version.

Lab 2: FortiClient EMS Configuration

In this lab, you will examine the FortiClient EMS configuration.

Objectives

- Access the FortiClient EMS GUI
- Explore the dashboard and view system information
- Create an administrator
- Configure system settings
- Create an endpoint group
- Run a vulnerability scan on an endpoint

Time to Complete

Estimated: 40 minutes

Prerequisites

Before beginning this lab, you must make sure that FortiClient EMS is installed on the AD Server.

Exercise 1: Accessing the GUI and Creating a FortiClient EMS Administrator

In this exercise, you will access the FortiClient EMS GUI, and create a new administrator account.

Access the FortiClient EMS GUI

You will access the FortiClient EMS GUI, either by launching the application or by using a web browser.

To access the FortiClient EMS GUI by launching the application

1. On the AD Server, click the Windows icon to open FortiClient Enterprise Management Server.
2. Click the FortiClient EMS icon to launch the application.
3. Log in to the FortiClient EMS GUI with the username admin and password Password123.
4. To confirm the software version, click Dashboard > FortiClient Status.
5. In the System Information widget, the Version field shows the software version. Write this down.

To access the FortiClient EMS GUI using a web browser

1. Continuing on the AD Server, from the desktop, open Firefox.
2. In the address bar, type https://localhost to access the FortiClient EMS GUI.
3. To log in to the FortiClient EMS GUI, type the username admin and password Password123.
4. To confirm the FortiClient EMS serial number, click Dashboard > FortiClient Status.
5. In the System Information widget, the Serial Number field shows the serial number. Write this down.
   You can also access the FortiClient EMS web GUI using the server hostname: https://<server_name>.
   Tip: You can get the <server_name> by running ipconfig /all on the server. Your Host Name appears under Windows IP Configuration. If you cannot access FortiClient EMS remotely, make sure that you can ping <server_name>, by adding it as a DNS entry or to the Windows hosts file.
6. Navigate to Profile Components, and you will see Manage CA Certificates. Here, you can upload and manage certificates that can be used for EMS HTTPS access.

Create a New FortiClient EMS Administrator

To log in to FortiClient EMS, you need an administrator user account. You will create both a super administrator and a limited access account.

To create a new FortiClient EMS administrator account

1. On the FortiClient EMS server, log in with the username admin and password Password123.
2. On the pane on the left side of the screen, click Administration > Administrators. You will see an entry with the name admin, source Builtin, and role Super Administrator.
3. To create a Windows-based user administrator account, click +Add. A new window opens.
4. In the Add user window, in the User source section, select Choose from LDAP or Windows users, and click Next.
5. In the configuration window, configure the following settings:

   Field | Value
   User  | EMSadmin
   Role  | Endpoint Administrator

6.
To create the new administrator account, click Finish.
7. Click the admin icon on the right side of the EMS GUI, and select Sign out.
8. Log back in with the username EMSadmin and the password password. Under Profile Components, you will see View CA Certificates instead of Manage CA Certificates.

Stop and think! When you log in with the username EMSadmin, why do you only see View CA Certificates under Profile Components?

This user account has limited permissions and is not allowed to access CA certificate management. The Endpoint Administrator role that this user account is assigned to allows only read-only permissions for the Settings Permissions category, which is the category that grants access to Manage CA Certificates.

Exercise 2: Configuring FortiClient EMS System Settings

In this exercise, you will configure the following FortiClient EMS system settings:

- Server settings
- Log settings
- Login banner settings

Configure Server Settings

In Server settings, you can configure settings such as the hostname, FQDN, and remote access. You will configure an FQDN, and then access the FortiClient EMS server using that FQDN.

To configure an FQDN on FortiClient EMS

1. On the AD Server, log in to the FortiClient EMS GUI, with the username admin and password Password123.
2. Click System Settings > Server.
3. In the Shared Settings section, select the Use FQDN checkbox and, in the FQDN field, type myemsserver.com.
4. To allow remote access using the FQDN, select the Remote HTTPS access checkbox, and type * in the Custom hostname field.
5. To apply the changes, click Save.
6.
To access the FortiClient EMS server, on the FortiClient-Laptop, open Firefox, type the URL https://myemsserver.com, and then accept the self-signed certificate. The FortiClient-Laptop host file has been modified to make myemsserver.com accessible. Configure Log Settings In the Logs settings, you can configure the log level, and the number of days that you want to keep logs, events, and alerts, before they are cleared. You will change the Log level setting. 44 FortiClient 6.2 Lab Guide Fortinet Technologies Inc. DO Exercise NOT2: Configuring REPRINT FortiClient EMS System Settings © FORTINET Configure Login Banner Settings To configure log settings 1. On the FortiClient EMS GUI, click System Settings > Logs. 2. In the Log level drop-down list, select Debug. 3. Click Save to apply the changes. 4. Click Administration > Logs to view the changes. You will see that Level changes to Debug, and that the logs are more detailed. Configure Login Banner Settings In Login Banner settings, you will configure a disclaimer message that appears before a user logs in to FortiClient EMS. To configure login banner settings 1. Continuing on the FortiClient EMS GUI, click System Settings > Login Banner. 2. Select the Enable login banner checkbox, and in the Message field, type Property of Fortinet lab. Unauthorized access is strictly prohibited.. 3. Click Save to apply the changes. 4. Log out as admin from the FortiClient EMS GUI, and close the application. FortiClient 6.2 Lab Guide Fortinet Technologies Inc. 45 DO Configure NOTLogin REPRINT Banner Settings © FORTINET Exercise 2: Configuring FortiClient EMS System Settings 5. Open the FortiClient EMS GUI again. A Disclaimer appears. 6. Click Accept to go to the login screen. 46 FortiClient 6.2 Lab Guide Fortinet Technologies Inc. 
Exercise 3: Creating an Endpoint Group, Group Assignment Rule, and Running Scans

In this exercise, you will create an endpoint group and a group assignment rule, and run antivirus and vulnerability scans on endpoints. Endpoint management enables FortiClient EMS to perform various actions and run scans.

Create an Endpoint Group for a Windows Workgroup

You will create a group for Windows workgroup endpoints on FortiClient EMS.

To create a group for a Windows workgroup
1. On the AD Server, open the FortiClient EMS GUI, and click Endpoints > Workgroups.
2. In the Workgroups drop-down list, right-click All Groups, and then click Create group.
3. In the Create group field, type Windows Endpoints.
4. To create the group, click Confirm.

Create a Group Assignment Rule for Windows Endpoints

FortiClient EMS can use group assignment rules to automatically place endpoints into custom groups based on the installer ID, IP address, OS, or AD group of the endpoints. You will create a group assignment rule based on OS.

To create a group assignment rule
1. On the FortiClient EMS GUI, click Endpoints > Group Assignment Rules.
2. To create a new rule, on the pane on the right, click +Add.
3. In the pop-up window, configure the following settings:

   Field         Value
   Type          OS
   OS            Windows
   Group         Windows Endpoints
   Enable Rule   (Enabled)

4. To add the new group assignment rule, click Save.
5. To add Windows endpoints to the new group, on the pane on the right, click Run Rules Now.

FortiClient EMS automatically places endpoints that do not match any group assignment rule into the Other Endpoints group.

Run Antivirus and Vulnerability Scans on a Registered Endpoint

FortiClient EMS endpoint management can run scans on managed clients. Before you can run a scan, you must change the endpoint policy on FortiClient EMS.

To modify the endpoint policy and assign the default endpoint profile
1. On the FortiClient EMS GUI, click Endpoint Policy, and then select Student.
2. On the pane on the right, in the Endpoint profile field, select Default in the drop-down list.
3. To apply the changes, click Save.
4. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.

To run scans, FortiClient, which is installed on the FortiClient-Laptop VM, must connect to FortiClient EMS. Click FABRIC TELEMETRY, ensure that the FortiClient status is Connected, and then click the menu icon beside the Disconnect button, and ensure that it shows a FortiClient EMS IP address of 10.0.1.100.

After applying the changes, wait until the FortiClient configuration update is received from FortiClient EMS. You will notice that the MALWARE PROTECTION tab is removed from FortiClient.

Stop and think!
Why did the MALWARE PROTECTION tab disappear after you assigned the Default endpoint profile?
The Default endpoint profile does not have the malware protection feature enabled by default. To enable AV, click the AntiVirus Protection button.

To enable antivirus protection for the default endpoint profile
1. On the AD Server, open the FortiClient EMS GUI, and click Endpoint Profiles > Local Profiles.
2. Select the Default profile.
3. Click Save to apply the setting.

After the Default profile is synced, MALWARE PROTECTION appears on the FortiClient GUI on the FortiClient-Laptop VM.

To run antivirus and vulnerability scans on a registered endpoint
1. On the AD Server, continuing on the FortiClient EMS GUI, on the pane on the left, click Endpoints > All Endpoints. You will see the registered client.
2. Beside the registered client, select the checkbox to highlight the registered client. The following options will appear: Scan, Patch, Move to, and Action.
3. Click Scan, and then click Quick AV Scan. The scan will start after the endpoint sends the next keepalive packet.
4. To perform a vulnerability scan, click Scan > Vulnerability Scan. The scan will start, and it will finish after the endpoint re-syncs or sends the next keepalive packet.

Vulnerability information will appear on the dashboard or client details page, similar to the following example:

Exercise 4: Enabling the Security Fabric to Trigger Automatic Quarantine

In this exercise, you will enable the Security Fabric to trigger automatic quarantine based on indicators of compromise (IOC) detected on FortiAnalyzer.

Verify FortiClient Log Settings

To identify compromised hosts, FortiClient must send logs to FortiAnalyzer. You will verify the FortiClient log settings.

To verify FortiClient log settings
1. On the AD Server VM, log in to the FortiClient EMS application.
2. Click Endpoint Profiles > Local Profiles > Profile name: Student, and then select System Settings.
3. In the Log section, ensure that Upload logs to FortiAnalyzer/FortiManager, Upload UTM Logs, Upload Vulnerability Logs, and Upload Event Logs are enabled.
4. Set IP Address/Hostname to 10.0.1.250, Upload Schedule to 1 minute, and Log Generation Timeout to 30 seconds.

If you are using a web browser to access FortiClient EMS, you must enable Advanced view settings.

5. Click Save to finish.

To use the Student profile in the endpoint policy
1. On the FortiClient EMS GUI, click Endpoint Policy, and then select Student.
2. On the pane on the right, in the Endpoint profile field, select Student in the drop-down list.
3. Click Save to apply the changes.

Enable the Security Fabric on the Root FortiGate

You will configure the Security Fabric and enable telemetry on the FortiGate internal interface.

To configure the Security Fabric and enable telemetry on the root FortiGate
1. On the FortiClient-Laptop VM, open Firefox, type the FortiGate IP address 10.0.1.254, and log in with the username admin and password password.
2. On the FortiGate GUI, click Security Fabric > Settings.
3. Enable FortiGate Telemetry.
4. In the Security Fabric role field, click Serve as Fabric Root.
5. In the Fabric name field, type Fabric.
6. Leave Management IP/FQDN and Management Port at their default values.
7. In the Allow other FortiGates to join field, click the + sign, and add LAN (port3).
8. In the FortiAnalyzer Logging section, in the IP address field, type 10.0.1.250, and click Test Connectivity. You will see the following message:

Leave all other settings at their default values.

9. To authorize FortiGate on FortiAnalyzer, open Firefox, type https://10.0.1.250, and log in with the username admin and password password.
10. On Device Manager, select the serial number of the FortiGate, and click Authorize.

Once FortiGate is authorized on FortiAnalyzer, the FortiGate GUI will look similar to the following example:

11. Continuing on the FortiGate GUI, click Security Fabric > Settings, and in the FortiClient Endpoint Management System (EMS) section, configure the following settings:

   Field            Value
   Name             EMSServer
   IP/Domain Name   10.0.1.100
   Serial Number    <Copy this from the FortiClient EMS dashboard>
   Admin User       admin
   Password         Password123

12. Click Apply to save the settings.

To enable Security Fabric automation and create a new stitch
1. Continuing on the FortiGate GUI, go to Security Fabric > Automation, and click Create New.
2. In the Name field, type Endpoint-Compromised. Leave the Status and FortiGate fields at their default values.
3. In the Trigger section, click Compromised Host, and in the Threat level threshold field, click Medium.
4. In the Action section, click Quarantine FortiClient via EMS, and leave the Minimum interval at the default value.
5. Click OK to save the settings.

To configure firewall policies on FortiGate
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New, and configure the following policy settings to allow traffic to pass from LAN(port3) to port1:

   Field                   Value
   Name                    IOC_Policy
   Incoming Interface      LAN(port3)
   Outgoing Interface      port1
   Source                  FortiClient-Laptop
   Destination             all
   Schedule                always
   Service                 ALL
   Action                  ACCEPT
   NAT                     <enable>
   IP Pool Configuration   Use Outgoing Interface Address
   Web Filter              monitor-all
   SSL/SSH Inspection      certificate-inspection
   Log Allowed Traffic     All Sessions (greyed out)

3. Click OK.
4. Drag and drop the IOC_Policy policy above the Full_Access policy.

To run security rating on the FortiGate
1. Continuing on the Local-FortiGate GUI, click Security Fabric > Security Rating.
2. On the Security Rating page, click Run Now to update the ranking.

To verify that the FortiAnalyzer license includes the IOC service
1. On the FortiClient-Laptop VM, open a browser, and type the IP address 10.0.1.250.
2. On the login page, type the username admin and the password password.
3. Click System Settings, and in the License Information widget, check the status of the FortiGuard Indicators of Compromise Service license.

To test automatic quarantine triggered by IOC detection
1. On the FortiClient-Laptop VM, open Firefox, and type the URL www.google.com.
2. Open a new browser tab, and type http://195.22.28.198. This IP address will be blocked by the FortiClient malicious websites category.
3. Continue on the FortiClient-Laptop VM, and log in to FortiAnalyzer.
4. Click SOC > FortiView > Compromised Hosts. The endpoint will appear in the window.
5. To see details, double-click the host.
6. Continuing on the FortiClient-Laptop VM, log in to the FortiGate GUI. Click FortiView > Compromised Hosts.
7. Click Monitor > Quarantine Monitor. You will see that the endpoint has been quarantined.
8. To view logs, click Log & Report > Events > System Events.

Since FortiClient is now quarantined, you will not be able to access FortiClient-Laptop using RDP.

9. Click the FortiClient-Laptop VM tab, and select CON under Remote Access Controls.
10. Click the icon to send a Ctrl+Alt+Delete key combination to Windows, so you can enter a password.
11. Enter the password password to log in to Windows using the console connection.
12. FortiClient will show the quarantine screen. FortiClient is blocking all communication, except to the EMS.
13. On the FortiClient-Laptop VM, ping EMS and FortiGate, browse the Internet, and resolve the domain name www.google.com. The endpoint is blocked at the client network device level.

To remove the client from the compromised hosts list, go to the FortiAnalyzer GUI, and click SOC > FortiView. To clear the host, click Threats > Compromised Hosts, click ACK to acknowledge the host, and then write some text. This will also clear the host from FortiGate.

14. On the AD Server, log in to the FortiClient EMS GUI, and select Endpoints > All Endpoints.
15. In the right pane, select FortiClient-Laptop, and then click Action > Unquarantine to allow Internet access to the endpoint.
16. Go back to the FortiClient-Laptop, and change the Remote Access Control type to RDP. You will now be connected to the FortiClient-Laptop over RDP.
17. Try to ping FortiGate, the EMS server, and Google.com. Your traffic should now be allowed.

Lab 3: Deployment and Provisioning using FortiClient EMS

In this lab, you will learn about the deployment and provisioning of FortiClient on endpoints using FortiClient EMS.

Objectives
• Create and manage a deployment package
• Create a gateway list
• Add endpoints to FortiClient EMS from Windows AD
• Create an endpoint profile
• Configure a VPN tunnel
• Assign a new endpoint profile to AD domain or workgroup endpoints
• Create and test a compliance verification rule

Time to Complete
Estimated: 45 minutes

Prerequisites
Before beginning this lab, you must make sure that the Windows server is configured as an AD domain controller. You must also enable FortiTelemetry on FortiGate interface port3.

Exercise 1: Creating a Deployment Package and Gateway List for Deployment

In this exercise, you will create a deployment package and gateway list for endpoint profile deployment.

Create an Installer Profile in Profile Components

You will create an installer for deploying FortiClient on endpoints.

To create an installer profile in profile components
1. On the AD Server, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Manage Installers > Deployment Packages, and then click +Add to open a new window.
3. In the Version tab, keep the default settings for Installer Type and Release, and select 6.2.1 in the Patch field. Click Next.
4. In the General tab, in the Name field, type FortiClient-Version-6.2. Click Next.
5. In the Features tab, keep Secure Access Architecture Components at the default setting, and under Additional Security Features, select AntiVirus, Web Filtering, and Application Firewall. Click Next.
6. In the Advanced tab, select Enable desktop shortcut, and keep the default values for the other settings. Click Next.
7. In the Telemetry tab, notice that it shows that FortiClient will be managed by <EMS hostname and FQDN address>.
8. To add the deployment package to FortiClient EMS, click Finish. The installer appears on the Manage Installers > Deployment Packages pane.

FortiClient EMS automatically connects to the FortiGuard Distribution Network (FDN) to provide access to the FortiClient installers, which you can use with FortiClient EMS deployment packages. If a connection to FDN is not available, or you want a custom installer, you must manually download a FortiClient installer and upload it to add it to FortiClient EMS.

Create a Gateway List

You will create a gateway list to define the IP address of the FortiGate device that you want FortiClient to connect to for sending FortiClient telemetry.

To create a gateway list
1. Continuing on the FortiClient EMS GUI, click Telemetry Gateway Lists > Manage Telemetry Gateway Lists.
2. To open the Gateway List window, click +Add.
3. On the Telemetry Gateway List window, configure the following settings:

   Field                           Value
   Name                            Corporate FortiGate
   Connect to local subnets only   <select to enable>
   Notify FortiGate                10.0.1.254

4. To create the list, click Save.
Exercise 2: Adding Endpoints to FortiClient EMS

In this exercise, you will add endpoints to FortiClient EMS by importing endpoints from the Windows AD server. Endpoints are also added when endpoint users manually connect FortiClient Telemetry to FortiClient EMS.

Add Endpoints Using an AD Domain Server

You can manually import endpoints from an AD server. You can import and synchronize information about computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying the endpoints that are part of an AD domain server.

To add endpoints using an AD domain server
1. On the AD Server, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Endpoints > Manage Domains, and then click +Add to open the Domain window.
3. In the IP address/Hostname field, type 10.0.1.100, and keep the default values for Port and Distinguished name.
4. In the Bind type section, select the Regular checkbox, and then configure the following settings:

   Field      Value
   Username   ADadmin
   Password   password

5. To check the connectivity, click Test.
6. Perform one of the following tasks:
   • If the test is successful, click Save to save the new domain.
   • If the test is not successful, correct the information, and then test the settings again.

You can add the entire domain or an organizational unit (OU) from the domain. After you import endpoints from an AD server, you can edit the endpoints. These changes are not synchronized back to the AD server.

Exercise 3: Creating and Assigning an Endpoint Profile for Deployment

In this exercise, you will create an endpoint profile and assign the profile to endpoints for FortiClient software deployment. You will also configure a security profile and provision a VPN.

Create an Endpoint Profile on FortiClient EMS

To push the configuration to FortiClient endpoints, you must create an endpoint profile. The endpoint profile has profile references that enable and disable FortiClient features and deployment.

To create an endpoint profile on FortiClient EMS
1. On the FortiClient EMS GUI, click Endpoint Profile > Manage Profiles.
2. To open a new profile window, click +Add.
3. In the Profile Name field, type Fortinet-Training.
4. Click VPN. It is enabled by default.
5. Click Save to save the endpoint profile.

Create a Profile to Deploy FortiClient

You must add a FortiClient installer to FortiClient EMS before you can select it in an endpoint profile. You will select the installer that you created in Exercise 1.

To create a profile to deploy FortiClient
1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and then select Fortinet-Training.
2. On the Deployment tab, enable FortiClient Deployment.
3. In the Action section, keep Action as Install, and in the Deployment Package field, select FortiClient-Version-6.2.
4. On the Schedule tab, specify the installation start time, which should be five minutes from the current time.
5. Continuing on the Schedule tab, disable Reboot when no users are logged in, and keep the default values for all other settings.
6. On the Credentials tab, in the Username field, type Administrator, and in the Password field, type password.
7. Click Save.

Enable the Web Filter Feature in the Endpoint Profile

You can enable and disable security features, such as web filter, antivirus, and application firewall, in endpoint profiles.

To enable the web filter feature in the endpoint profile
1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and then select Fortinet-Training.
2. On the Web Filter tab, in the General section, enable Web Filter, and keep Client Web Filtering When On-Net.
3. On the Site Categories tab, beside Bandwidth Consuming, click + to expand the list.
4. In the list, beside Streaming Media and Download, select Block.
5. Click Save.

Provision a VPN in the Endpoint Profile

You will provision the VPN settings. The VPN profile will be applied to FortiClient when the profile installs on the endpoint.

To provision a VPN in the endpoint profile
1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and select Fortinet-Training.
2. On the VPN tab, enable VPN, and disable all options in the General section.
3. On the SSL VPN tab, select the following settings:
4. On the VPN Tunnels tab, click Add Tunnel, and then type the following:

   Field                 Value
   Name                  Student-SSL
   VPN Type              SSL VPN
   Remote Gateway        10.0.1.254
   Port                  10443
   Prompt for Username   (Enable)

5. To save the VPN profile, click Add Tunnel.
6. Click Save.

Create an Endpoint Policy to Assign the Endpoint Profile and Telemetry Gateway List to the Endpoints

After creating the profile, you must create an endpoint policy to assign the profile and gateway list to domains or workgroups. When you create an endpoint policy to assign the profile to domains or workgroups, the profile settings are automatically pushed to the endpoints in the domain or workgroup. If you do not assign a profile to a specific domain or workgroup, the default profile is automatically applied to the domain or workgroup.

To create an endpoint policy
1. On the FortiClient EMS GUI, click Endpoint Policy > Manage Policies > +Add.
2. In the Endpoint Policy window, in the Endpoint Policy name field, type Training, and then in the Endpoint domains field, click Edit, and select trainingAD.training.lab.
3. In the Endpoint profile field, select Fortinet-Training from the local profiles list.
4. Enable Telemetry gateway list, and then select Corporate FortiGate.
5. Keep other settings at their default values, and click Save to add the endpoint policy. Make sure that the policy is enabled.

The endpoint policy should have the following settings:

The endpoint profile and gateway list are assigned to the endpoint policy. After FortiClient is deployed on the endpoints and the endpoints are connected to FortiClient EMS, you can update the endpoints by editing the associated profiles.

Exercise 4: Configuring and Testing Compliance Rules to Create Dynamic Groups and Policies

In this exercise, you will create and test compliance rules. You will also configure FortiGate to create a dynamic policy for dynamic groups tagged on FortiClient EMS.

Create a Compliance Verification Rule

To enforce compliance, you must add a compliance verification rule.

To create a compliance verification rule
1. On the FortiClient EMS GUI, click Compliance Verification > Compliance Verification Rules, and then click +Add to create a new rule.
2. In the Add New Rule window, configure the following settings:

   Field             Value
   Name              Running Process
   Status            Enable
   Type              Windows
   Rule              Running Process
   Running Process   calc.exe, click +
   Assign to         All
   Tag endpoint as   Type RunCalc and then select it

3. To add the rule, click Save.

Connect to the Security Fabric for Compliance

You must create an SSO/Identity connector on FortiGate to connect to the Security Fabric.

To create an SSO/Identity connector
1. On the AD Server VM, open a browser and log in to FortiGate at 10.0.1.254 with the username admin and password password.
2. Click Security Fabric > Fabric Connectors.
3. To add the connector, click Create New, select FortiClient EMS in the SSO/Identity section, and configure the following settings:

   Field               Value
   Name                EMS-Server
   Primary Server IP   10.0.1.100
   Password            Password123

4. Click Apply and Refresh, and then click OK to save.
5. On the AD Server VM, launch PuTTY from the taskbar to SSH in to the FortiGate.
6. Click LOCAL-FORTIGATE in the list, and click Open to log in.
7. Log in with the username admin and password password.
8. On the CLI console, type the following commands:
9. On the FortiGate GUI, click Security Fabric > Fabric Connectors, select EMS-Server, and click Edit to see the details.
10. Under Connector Settings, click View to see the RUNCALC configured tag.

Create a User Group and a Policy on FortiGate

You must create a dynamic user group and a dynamic firewall policy to enforce compliance.
To create a user group and policy
1. On the FortiGate GUI, click User & Device > User Groups.
2. Click Create New.
3. In the Name field, type RunningCalcPCs.
4. In the Type field, select Fortinet Single Sign-On (FSSO).
5. In the Members field, click +, and select RUNCALC from the list.
6. To add the group, click OK.

On the FortiClient-Laptop VM, make sure that you can reach the Internet by continuously pinging www.google.com. Do not close the continuous ping window.

7. On the FortiGate GUI, click Policy & Objects > IPv4 Policy.
8. Select the Full_Access policy, and click Edit.
9. In the Source field, click +, browse to User, select RunningCalcPCs from the USER GROUP list, and then click Close. Leave the remaining settings as they are.
10. To save the settings, click OK.

Test the Compliance Policy

You will test the compliance policy.

To test the compliance policy
1. On the FortiClient-Laptop VM, ping the IP address 8.8.8.8 to check connectivity to the Internet. It must be denied.
2. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor. There should be no endpoints with tags.
3. On the FortiClient-Laptop VM, run the calculator while the ping is failing. The ping should start succeeding after a few more failures.
4. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor, and locate FortiClient-Laptop.
5. On the FortiClient-Laptop VM, close the calculator. The ping should stop.
6. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor. There is no endpoint.

Revert the Full_Access policy on FortiGate, and remove RunningCalcPCs from the source.

Lab 4: Diagnostics and Troubleshooting

In this lab, you will examine the files that are created by running the diagnostic tools of FortiClient and FortiClient EMS.

Objectives
• Run FortiClient and FortiClient EMS diagnostic tools

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must make sure that FortiClient and FortiClient EMS are installed with diagnostic tools.

Exercise 1: Running Diagnostic Tools

In this exercise, you will run the FortiClient and FortiClient EMS diagnostic tools on the FortiClient-Laptop and AD server.

Run the FortiClient Diagnostic Tool

You will run the diagnostic tool on FortiClient endpoints to gather system information. Before running the diagnostic tool, you must change the FortiClient log level to DEBUG. On the FortiClient EMS GUI, click Endpoint Profiles > Local Profiles > Student, click the System Settings tab, and under Log, change the log level to Debug.

To run the FortiClient diagnostic tool from the FortiClient console
1. On the FortiClient-Laptop, open the FortiClient console.
2. Click About, and then click Diagnostic Tool to open the tool window.
3. On the console, click Run Tool. A command line window opens, and the diagnostic tool runs tasks to collect system data.
4. After all tasks are completed, the tool opens the C:\Users\Administrator\AppData\Local\Temp\1\Diagnostic_Result link to show the Diagnostic_Result.cab file. Click Close to close the diagnostic tool.
5. Click the Diagnostic_Result.cab file, and search for the SystemInfo.txt and ipconfig.txt files.
6. To review the file content, click these files. When you click a file, a window opens and extracts the file to a destination. Select Desktop for the destination.

Log files are compressed, so to read them, you must extract the files.

To run the FortiClient diagnostic tool from FortiClient EMS
1. On the AD-Server VM, log in to the FortiClient EMS GUI.
2. Click Endpoints > All Endpoints, and select the endpoint with IP 10.0.1.10.
3. Click Action, and select Request Diagnostic Results to run the tool on the selected endpoint. The tool starts to run in the background. The file should be available after three keepalive cycles. The default is 60 seconds for each cycle.
4. Continuing on the FortiClient EMS GUI, click Action, and select Download Available Diagnostics Results to download the results file.
5. Click Download again to download the file to the FortiClient EMS server download folder.

Run the FortiClient EMS Diagnostic Tool

You will run the FortiClient EMS diagnostic tool on the AD server to gather information. Before running the tool, you must change the FortiClient EMS log level to DEBUG.

To run the FortiClient EMS diagnostic tool
1. On the AD server, go to the FortiClient EMS installation folder at the following location: C:\Program Files (x86)\Fortinet\FortiClientEMS.
2. Search for the EMSDiagnosticTool file, and then double-click the file to run the tool. A command line window opens, and the diagnostic tool runs tasks to collect system data.
3. After all tasks are completed, the tool opens the C:\Users\Administrator\AppData\Local\Temp\1 link to show the forticlientems_diagnostic.cab file.
4. Click the forticlientems_6.2.1.0780_diagnostic.cab file, and search for the SystemInfo.txt, events, and debug_xx-xx-xxxx files.
5. To review the file content, click these files. When you click a file, a window opens and extracts the file to a destination. Select Desktop for the destination.

Log files are compressed, so to read them, you must extract the files.

No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976.

Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
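The following script is an added example for the "Test the Compliance Policy" procedure; it is not part of the Fortinet lab guide. Run it on the FortiClient-Laptop VM after the Full_Access policy has been restricted to the RunningCalcPCs FSSO group. It automates the manual test: confirm the laptop is blocked with no calculator running, start the calculator and wait until EMS tags the host and FortiGate lets the traffic through, then close the calculator and confirm access is withdrawn. The target address 8.8.8.8, the process names calc and Calculator, and the 240 second polling budget (a few EMS keepalives at the 60 second default plus FSSO propagation) are assumptions of this example, not values stated by the guide.

```powershell
# Added example (not part of the Fortinet lab guide): automates the compliance policy test
# on the FortiClient-Laptop VM. Full_Access allows the laptop only while EMS tags it and the
# FSSO group RunningCalcPCs contains it, which in this lab means only while the calculator runs.
# Assumed (not from the guide): 8.8.8.8 as the reachability target, calc/Calculator as the
# process names, and a polling budget of $TimeoutSeconds per state change.

param(
    [string]$Target = '8.8.8.8',
    [int]$TimeoutSeconds = 240,
    [int]$PollSeconds = 5
)

function Test-Internet {
    param([string]$Address)
    # -Quiet reduces the probe to $true/$false; a denied policy shows up as $false
    return [bool](Test-Connection -ComputerName $Address -Count 1 -Quiet -ErrorAction SilentlyContinue)
}

function Stop-Calculator {
    # Windows 10 runs the calculator as "Calculator"; older builds as "calc"
    Get-Process -Name calc, Calculator -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Wait-ForReachability {
    param([bool]$Expected, [string]$Phase)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $reachable = Test-Internet -Address $Target
        $state = if ($reachable) { 'reply' } else { 'blocked' }
        Write-Host ('{0:HH:mm:ss} [{1}] ping {2}: {3}' -f (Get-Date), $Phase, $Target, $state)
        if ($reachable -eq $Expected) { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

# Step 1: no calculator, no tag, Full_Access must deny the laptop.
Stop-Calculator
if (-not (Wait-ForReachability -Expected $false -Phase 'baseline')) {
    throw 'Internet is reachable with no calculator running: the policy is not restricted to RunningCalcPCs'
}

# Step 3: start the calculator; EMS tags the host, FortiGate adds it to RunningCalcPCs, pings succeed.
Start-Process -FilePath 'calc.exe'
if (-not (Wait-ForReachability -Expected $true -Phase 'calculator running')) {
    throw 'Tag never reached FortiGate: check Host Tag Monitor on EMS and the FSSO group on FortiGate'
}

# Step 5: close the calculator; the tag is withdrawn and access must be denied again (fail closed).
Stop-Calculator
if (-not (Wait-ForReachability -Expected $false -Phase 'calculator closed')) {
    throw 'Access persisted after the calculator closed: the group membership did not expire'
}

Write-Host 'Compliance policy behaves as expected: access is granted only while the tag is present'
```

The timestamps printed between "calculator closed" and the first "blocked" line are the window in which a host that has just fallen out of compliance can still reach the Internet; that latency is set by the EMS keepalive interval and FSSO propagation, so it is worth recording when you tune the profile. Keep the guide's continuous ping window open as a visual cross-check.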
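The following script is an added example for the two diagnostic procedures above (the FortiClient Diagnostic_Result.cab and the FortiClient EMS forticlientems_*_diagnostic.cab); it is not part of the Fortinet lab guide. Instead of clicking each file in the cabinet viewer, it extracts the whole bundle with the built-in expand.exe, lists the files the lab asks you to review (SystemInfo.txt, ipconfig.txt, events, debug_*), prints the head of the text files, and flags any nested archives that still need extracting. The destination folder name diag_extract is an arbitrary choice of this example.

```powershell
# Added example (not part of the Fortinet lab guide): extracts a FortiClient or FortiClient EMS
# diagnostic .cab bundle and lists the files the lab procedures ask you to review.
# Assumed: expand.exe is present (it ships with Windows); diag_extract is an arbitrary folder name.

param(
    [Parameter(Mandatory = $true)][string]$CabPath,
    [string]$Destination = (Join-Path $env:USERPROFILE 'Desktop\diag_extract')
)

if (-not (Test-Path -Path $CabPath)) { throw "Cabinet not found: $CabPath" }
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# expand.exe is the built-in cabinet extractor; -F:* extracts every member into $Destination.
& "$env:SystemRoot\System32\expand.exe" -F:* $CabPath $Destination | Out-Null
if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

# Files named in the lab:
#   FortiClient bundle : SystemInfo.txt, ipconfig.txt
#   EMS bundle         : SystemInfo.txt, events, debug_<date>
$patterns = 'SystemInfo.txt', 'ipconfig.txt', 'events*', 'debug_*'

$all    = @(Get-ChildItem -Path $Destination -Recurse -File)
$wanted = $all | Where-Object {
    $name = $_.Name
    @($patterns | Where-Object { $name -like $_ }).Count -gt 0
}

Write-Host ('Extracted {0} files to {1}' -f $all.Count, $Destination)
foreach ($f in $wanted) {
    Write-Host ('--- {0} ({1:N0} bytes) ---' -f $f.FullName, $f.Length)
    # Show the head of each text file; other members are only listed.
    if ($f.Extension -in '.txt', '.log', '.csv') {
        Get-Content -Path $f.FullName -TotalCount 15
    }
}

# Log files inside the bundle may themselves be compressed; they need a second extraction.
$nested = $all | Where-Object { $_.Extension -in '.cab', '.zip', '.gz' }
if ($nested) {
    Write-Host 'Nested archives (extract these separately before reading):'
    $nested | ForEach-Object { Write-Host ('  ' + $_.FullName) }
}
```

Usage on the FortiClient-Laptop: `.\Expand-DiagBundle.ps1 -CabPath "$env:LOCALAPPDATA\Temp\1\Diagnostic_Result\Diagnostic_Result.cab"`; on the AD server, point -CabPath at the forticlientems_*_diagnostic.cab file in the same Temp\1 folder (the script file name is this example's choice). Both bundles contain hostnames, addresses, installed software and DEBUG-level logs, so treat the extracted folder as sensitive: restrict who can read it, share it with Fortinet support only through a support ticket, delete it after review, and remember to set the FortiClient and EMS log levels back from DEBUG once the bundles are collected.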