
DO NOT REPRINT

© FORTINET

FortiClient EMS Lab Guide
for FortiClient EMS 6.2
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

12/17/2019

TABLE OF CONTENTS

Virtual Lab Basics 5
Network Topology 5
Lab Environment 5
Remote Access Test 6
Logging In 7
Disconnections and Timeouts 9
Screen Resolution 9
Sending Special Keys 10
Student Tools 11
Troubleshooting Tips 11
Lab 1: FortiClient Installation and Configuration 14
Exercise 1: Installing FortiClient 15
Install FortiClient Using a Custom Installer File from EMS 15
Exercise 2: Testing the FortiGuard Web Filter 19
Verify FortiGuard Connectivity 19
Identify Web Filter Categories 19
Review a FortiGuard Category-Based Web Filter 22
Test the Web Filter 24
Verify a Web Filter Exclusion List 25
Test the Web Exclusion List 26
Exercise 3: Understanding Antivirus Protection and Vulnerability Scan 27
Verify Real-Time Protection on AntiVirus Protection 27
Test the Antivirus Real-Time Configuration 28
Run an On-Demand Vulnerability Scan 30
Exercise 4: Modifying the FortiClient XML File 31
Install FortiClient VPN only software 31
Download the FortiClient Configuration File 33
Modify the FortiClient XML File 34
Upload the Modified XML File and Review the Changes to Remote Access 35
Lab 2: FortiClient EMS Configuration 39
Exercise 1: Accessing the GUI and Creating a FortiClient EMS Administrator 40
Access the FortiClient EMS GUI 40
Create a New FortiClient EMS Administrator 41
Exercise 2: Configuring FortiClient EMS System Settings 44
Configure Server Settings 44
Configure Log Settings 44
Configure Login Banner Settings 45
Exercise 3: Creating an Endpoint Group, Group Assignment Rule, and Running Scans 47
Create an Endpoint Group for a Windows Workgroup 47
Create a Group Assignment Rule for Windows Endpoints 48
Run Antivirus and Vulnerability Scans on a Registered Endpoint 49
Exercise 4: Enabling the Security Fabric to Trigger Automatic Quarantine 53
Verify FortiClient Log Settings 53
Enable the Security Fabric on the Root FortiGate 54
Lab 3: Deployment and Provisioning using FortiClient EMS 62
Exercise 1: Creating a Deployment Package and Gateway List for Deployment 63
Create an Installer Profile in Profile Components 63
Create a Gateway List 65
Exercise 2: Adding Endpoints to FortiClient EMS 66
Add Endpoints Using an AD Domain Server 66
Exercise 3: Creating and Assigning an Endpoint Profile for Deployment 68
Create an Endpoint Profile on FortiClient EMS 68
Create a Profile to Deploy FortiClient 68
Enable the Web Filter Feature in the Endpoint Profile 69
Provision a VPN in the Endpoint Profile 70
Create an Endpoint Policy to Assign the Endpoint Profile and Telemetry Gateway List to the Endpoints 71
Exercise 4: Configuring and Testing Compliance Rules to Create Dynamic Groups and Policies 73
Create a Compliance Verification Rule 73
Connect to the Security Fabric for Compliance 74
Create a User Group and a Policy on FortiGate 75
Test the Compliance Policy 77
Lab 4: Diagnostics and Troubleshooting 79
Exercise 1: Running Diagnostic Tools 80
Run the FortiClient Diagnostic Tool 80
Run the FortiClient EMS Diagnostic Tool 83
Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers, which give each student their
own training lab environment, or point of delivery (PoD).


Remote Access Test

Before starting any course, check that your computer can connect to the remote data center successfully. The
remote access test verifies that your network connection and your web browser can support a reliable
connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test


1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run.


The speed test begins. Once it completes, you will get an estimate of your bandwidth and latency. If those
estimates are not within the recommended values, you will get an error message:


Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.

To log in to the remote lab


1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.

3. Enter your first and last name.


4. Click Register and Login.

Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:

• From the top navigation bar, click a VM's tab.
• From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.


For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.

Disconnections and Timeouts

If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.

If that fails, see Troubleshooting Tips on page 11.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size.

To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or
high-latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.

• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency, and
general performance:

• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:

• If that does not solve the access problem, you can try to revert the VM to its initial state. Open the VM action
menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.


• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:

To expedite the response, enter the following command in the CLI:

execute update-now

Lab 1: FortiClient Installation and Configuration

In this lab, you will examine FortiClient manual installation and explore security features.

Objectives
• Install FortiClient on a Windows host
• Test the FortiGuard category-based option for web filtering
• Test real-time protection scanning
• Run an on-demand vulnerability scan

Time to Complete
Estimated: 25 minutes

Prerequisites
Before beginning this lab, you must make sure that the installer file from the EMS deployment package is
available on the desktop of the FortiClient-Laptop VM, in the Resources folder.

Exercise 1: Installing FortiClient

In this exercise, you will install FortiClient on the FortiClient-Laptop VM.

In 6.2.0, FortiClient must be used with FortiClient EMS. FortiClient must connect to
EMS to activate its license and become provisioned by the endpoint profile that the
administrator configured in EMS. For this exercise, we have provided a deployment
package file from EMS. You cannot use any FortiClient features until FortiClient is
connected to EMS and licensed.

After installation, FortiClient will be managed by EMS, and all security profiles have
been configured to perform lab tasks.

Install FortiClient Using a Custom Installer File from EMS

In this section, you will install FortiClient using an installer file from EMS.

To install FortiClient using the installer file from EMS


1. On the FortiClient-Laptop VM, on the desktop, open the Resources folder.
2. Run FortiClientSetup_6.2.1_x64.exe to start the FortiClient installation.

3. Accept the license agreement, and then click Next to start the installation.


4. By default, the FortiClient files will install in the C:\Program Files\Fortinet\FortiClient\ folder.
5. Click Next to continue.

6. Click Install.


The setup wizard starts installing FortiClient on the host machine.

7. Click Finish after the FortiClient installation is complete.

Next, FortiClient downloads all the signature databases to bring itself up to date. It may take some time before the
download completes and FortiClient is available for configuring other options. However, you can continue with
the lab steps, because the download runs in the background.

8. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
9. In the list at the top, click Open FortiClient Console to open the FortiClient GUI.

Allow some time for FortiClient to receive its full configuration from EMS.

Exercise 2: Testing the FortiGuard Web Filter

In this exercise, you will examine the FortiClient web filter based on FortiGuard categories, by making sure that
FortiClient can contact the FortiGuard servers.

Then, you will review a category-based web filter security profile on FortiClient, and inspect the HTTP traffic.

Finally, you will test different actions taken by FortiClient, according to website categories.

Verify FortiGuard Connectivity

You will verify connectivity to FortiGuard distribution servers (FDS) from the FortiClient host machine.

To verify FortiGuard connectivity


1. On the FortiClient-Laptop VM, open the CLI, and ping fgd1.fortigate.com.
If FortiClient can contact FortiGuard, you should see the following output:

Identify Web Filter Categories

In order to understand web filter categories, you must first identify how specific websites are categorized by the
FortiGuard service.

To identify web filter categories


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and visit http://www.fortiguard.com/webfilter.


2. Use the Web Filter Lookup tool to search for the following URL:

http://www.youtube.com

YouTube is listed in the Streaming Media and Download category.

3. Use the Web Filter Lookup tool again to find the web filter category for the following websites:

• http://www.viber.com/
• http://www.ask.com/
• http://www.bing.com/


You will test your web filter using these websites as well.

The following table shows the category assigned to each URL, as well as the action that FortiClient is configured
to take, based on your web filter settings:

Website                     | Category                     | Action
http://www.dailymotion.com/ | Streaming Media and Download | Block
http://www.viber.com/       | Internet Telephony           | Warning
http://www.bing.com/        | Search Engines and Portals   | Allow
http://mp3.com              | Streaming Media and Download | Block

Review a FortiGuard Category-Based Web Filter

You will review the web filtering profile and configuration of the FortiGuard category-based filter.

To review the web filter profile


1. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
2. To open the FortiClient GUI, click Open FortiClient Console.


3. Verify that FortiGuard category-based filter is enabled.

4. On the Web Filter tab, in the upper-right corner, click the settings icon.
5. Review the configured actions for each category:

Category                    | Action
Potentially Liable          | Block
Adult/Mature Content        | Allow: Sports Hunting and War Games, Sex Education, Lingerie and Swimsuit
                            | Block: all other subcategories
General Interest - Personal | Allow
General Interest - Business | Allow
Unrated                     | Allow

Tip: Expand or click Adult/Mature Content to view the subcategories.

6. To view the subcategories, click Bandwidth Consuming to expand it.


7. Verify that Streaming Media and Download is set to Block, and Internet Telephony is set to Warn.

Test the Web Filter

For the purposes of this lab, you will test the web filter security profile configured for each category.

To test the web filter


1. Continuing on the FortiClient-Laptop VM, open a new web browser tab and visit
http://www.dailymotion.com.
The system displays a warning, according to the predefined action for this website category.

2. Open a new web browser tab and visit http://www.viber.com/.
The system displays a warning, according to the predefined action for this website category.


3. To accept the warning and access the website, click Proceed.


4. Open a new web browser tab and visit http://www.bing.com/.
This website appears because it belongs to the Search Engines and Portals category, which is set to
Allow.

Verify a Web Filter Exclusion List

In this procedure, you will verify that the URL www.mp3.com is included in the exclusion list.

To verify a URL is included in the exclusion list


1. On the FortiClient-Laptop VM, open the FortiClient console, and then select WEB FILTER.

2. On the Web Filter tab, in the upper-right corner, click the settings icon.

3. To expand Exclusion List, click the + sign.

Test the Web Exclusion List

You will test the web exclusion list you reviewed in the previous procedure.

To test the web exclusion list


1. Continuing on the FortiClient-Laptop VM, open a new browser tab, and try to access the website www.mp3.com.
The website is allowed because it matches an exclusion list entry, which bypasses the FortiGuard category block.
If you try again to access www.dailymotion.com, FortiGuard will block it.

Exercise 3: Understanding Antivirus Protection and
Vulnerability Scan

In this exercise, you will use antivirus to understand how FortiClient performs real-time protection. You will also
learn how a vulnerability scan helps detect and patch application vulnerabilities that can be exploited by known
and unknown threats.

Verify Real-Time Protection on AntiVirus Protection

You will verify AV settings on FortiClient.

To view and verify current FortiClient AntiVirus Protection settings


1. On the pane on the left side of the window, click Malware Protection, and verify that real-time protection is
enabled.

2. You can also click the settings icon, and verify that the Scan files as they are downloaded or copied to
my system checkbox is selected.

Test the Antivirus Real-Time Configuration

You will download the EICAR test file to your FortiClient-Laptop VM. The EICAR test file is an industry-standard,
harmless file that antivirus products detect as if it were a virus, so you can test detection without causing damage.
The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To test the antivirus configuration


1. Continuing on the FortiClient-Laptop VM, open a new web browser tab, and visit the following website:

http://eicar.org

2. On the EICAR website, in the upper-right corner of the page, click DOWNLOAD ANTI MALWARE TESTFILE.
3. On the left side of the page, click the Download link.
4. In the Download area using the standard protocol https section, download the sample file named eicar_com.zip.

FortiClient should quarantine the download attempt and insert a replacement message similar to the
following example:


FortiClient shows the HTTP/HTTPS virus message when it blocks or quarantines infected files.

5. Click Close to close the alert window.


6. In the download window, click OK to save the file.
7. Change the download location to Desktop, and then click Save.
You should see that the file you tried to download to the desktop shows a download error in the Firefox
downloads dialog.

Why did the download fail?

Stop and think!
Because the file is quarantined, an EMS administrator must whitelist it and restore it to view the content.

Run an On-Demand Vulnerability Scan

In this section, you will test an on-demand vulnerability scan.

To run an on-demand vulnerability scan


1. Continuing on the FortiClient console, on the pane on the left side of the window, select Vulnerability Scan to
view the tab.
2. On the Vulnerabilities tab, click Scan Now to start an on-demand scan.

3. After the scan is finished, you will see the scan results under Vulnerabilities Detected.
4. To review the vulnerability details, click Critical, and then expand the third-party app.

In this case, FortiClient cannot automatically install the software patch because the recommended action is
Manual Install. You can manually download and install the latest version of vulnerable software to fix the
vulnerability.

5. Close all open windows.

Exercise 4: Modifying the FortiClient XML File

In this exercise, you will modify the FortiClient XML file. For this exercise, you must install a free version of
FortiClient VPN software.

Install FortiClient VPN only software

You will install the FortiClient VPN only software to use specifically for this exercise.

To install FortiClient VPN only software


1. On the AD Server VM, click Desktop > Resources, and then open the file FortiClientVPNSetup_6.2.1.0831_x64
to install FortiClient.

2. Click Next, and then click Install to start the installation.


3. Click Finish to complete the installation.

4. On the desktop, double-click the FortiClient VPN shortcut to launch the application.


Download the FortiClient Configuration File

You will download the FortiClient XML backup file so you can understand the format and make changes.

To download the FortiClient configuration file


1. On the AD Server VM, open the FortiClient GUI.
2. On the left side of the window, click the settings icon.
3. In the System section, click Backup.
A new window opens.

4. Save the backup file as FortiClient-backup.conf on the desktop.


5. Click Save to save the file.
After the file is successfully backed up, you will receive a confirmation from FortiClient.

6. Click OK to complete the process.


7. Right-click the saved file and select Edit with Notepad++ to open the saved file in Notepad++, so you can review
the XML configuration.
You will see all of the default settings.


Modify the FortiClient XML File

Now, you will open the XML file in Notepad++ to review and modify it by applying the VPN settings from another
XML file. Make sure you follow the XML design considerations discussed in the lesson, otherwise the
configuration file will be invalid.

To modify the FortiClient XML file


1. On the AD Server VM, click Desktop > Resources, and then open the Student-XML-config.conf file to
review the VPN XML settings.
2. Open the FortiClient-backup.conf file. Press Ctrl+F, and search for the keyword "connections".
Important: There is no <connections> section under <sslvpn> in the XML file.
3. Copy all of the XML content from the <connections> section of the Student-XML-config.conf file,
and then paste it into the FortiClient-backup.conf file to add the VPN profile.
The XML configuration will appear in the <sslvpn> section, after </options>.

After making the changes, the XML configuration will appear as follows:

You must change the closing syntax from <connections/> to </connections> in the
FortiClient-backup.conf file. Otherwise, you will receive an invalid file error when you
try to restore the configuration on FortiClient. There must be an opening <connections>
tag and a matching closing </connections> tag.

4. Click the Save icon to save the changes.
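As an added example (not Fortinet's code and not part of the lab), the following Python script performs the same merge with an XML parser, so the file you restore is guaranteed to be well-formed, and it shows why the hand edit fails when <connections/> is left in place. The enclosing <forticlient_configuration>/<vpn> layout and the <connection>, <name> and <server> tags are assumptions (the lab names only <sslvpn>, <options> and <connections>), and all sample XML is constructed.

```python
"""Merge an SSL VPN <connections> block into a FortiClient XML backup.

Added example, not Fortinet's code: it does the lab's Notepad++ edit with a
parser, so the file restored on FortiClient is guaranteed to be well-formed.
Assumed layout: <forticlient_configuration>/<vpn>/<sslvpn>; the lab names
only <sslvpn>, <options> and <connections>, so <connection>/<name>/<server>
are assumptions too, and all sample XML below is constructed.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed stand-in for FortiClient-backup.conf: note the empty <connections/>.
BACKUP_XML = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options><enabled>1</enabled></options>
      <connections/>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

# Constructed stand-in for Student-XML-config.conf (the part the lab copies).
STUDENT_XML = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <connections>
        <connection>
          <name>Student-SSL</name>
          <server>vpn.example.invalid:443</server>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

# Constructed: the hand edit the lab warns about. The block was pasted, but the
# original <connections/> was left in place instead of becoming </connections>.
BROKEN_HAND_EDIT = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options><enabled>1</enabled></options>
      <connections>
        <connection><name>Student-SSL</name></connection>
      <connections/>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def is_well_formed(xml_text: str) -> bool:
    """Pre-check before Restore: a malformed file is what triggers the
    'Failed to process the file' error on FortiClient."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def merge_sslvpn_connections(backup_xml: str, student_xml: str) -> str:
    """Return backup_xml with the <connections> block from student_xml placed
    inside <sslvpn> directly after <options>, replacing any empty <connections/>."""
    backup_root = ET.fromstring(backup_xml)
    student_root = ET.fromstring(student_xml)
    target = backup_root.find(".//sslvpn")
    source = student_root.find(".//sslvpn/connections")
    if target is None or source is None:
        raise ValueError("missing <sslvpn> or <sslvpn>/<connections> section")
    # Remove the placeholder <connections/> (and any other copy) so that exactly
    # one <connections> ... </connections> pair remains, as the lab note requires.
    for old in target.findall("connections"):
        target.remove(old)
    children = list(target)
    options = target.find("options")
    insert_at = children.index(options) + 1 if options is not None else len(children)
    target.insert(insert_at, copy.deepcopy(source))
    return ET.tostring(backup_root, encoding="unicode")


def sslvpn_profile_names(xml_text: str) -> list:
    """List the SSL VPN profile names the FortiClient GUI would show after Restore."""
    root = ET.fromstring(xml_text)
    return [n.text for n in root.findall(".//sslvpn/connections/connection/name")]


if __name__ == "__main__":
    merged = merge_sslvpn_connections(BACKUP_XML, STUDENT_XML)
    print(merged)
    print("profiles after merge:", sslvpn_profile_names(merged))  # ['Student-SSL']
    print("hand edit well-formed?", is_well_formed(BROKEN_HAND_EDIT))  # False
```

Running is_well_formed on the real FortiClient-backup.conf before you click Restore catches the unbalanced <connections> tag without a round trip through the FortiClient error dialog.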

Upload the Modified XML File and Review the Changes to Remote Access

You will restore the modified XML file on FortiClient and review the VPN feature. You'll see that there is a VPN
connection configured on FortiClient.

To upload the modified XML file and review the changes to remote access


1. Continuing on the AD Server VM, on the FortiClient GUI, in the pane on the left side of the window, click Unlock
Settings > Settings.
2. Unlock the system settings, and then in the System section, click Restore.
3. Click Desktop > Resources, and then select the file FortiClient-backup.conf to restore the new settings
to FortiClient.
If the file is restored successfully, a message window will open. Otherwise, you will see the error "Failed to
process the file".

If you see a "Failed to process the file" error, check whether the XML file is missing or has an
incorrect XML hierarchy or syntax.

4. After the file is restored, FortiClient will inform you with a message. Click OK to proceed.
5. Click the Home icon.

6. Click to see the changes.


There is a new SSL VPN profile named Student-SSL.

7. To review the connection details, click VPN > Settings.


On the GUI, you can make and save further changes to the VPN settings.

8. Click the Windows icon, and open Control Panel > Uninstall a Program.
9. Find the FortiClient application in the installed programs list, and click it to select the application.
10. Click Uninstall to remove the FortiClient application.
11. Once FortiClient is uninstalled, reboot the AD Server to complete the removal process.

You will use the AD Server to deploy another version of FortiClient later in the labs,
so it is important that you remove the current FortiClient version now.

Lab 2: FortiClient EMS Configuration

In this lab, you will examine the FortiClient EMS configuration.

Objectives
• Access the FortiClient EMS GUI
• Explore the dashboard and view system information
• Create an administrator
• Configure system settings
• Create an endpoint group
• Run a vulnerability scan on an endpoint

Time to Complete
Estimated: 40 minutes

Prerequisites
Before beginning this lab, you must make sure that FortiClient EMS is installed on the AD Server.

Exercise 1: Accessing the GUI and Creating a FortiClient
EMS Administrator

In this exercise, you will access the FortiClient EMS GUI, and create a new administrator account.

Access the FortiClient EMS GUI

You will access the FortiClient EMS GUI by either launching the application or using a web browser.

To access the FortiClient EMS GUI by launching the application


1. On the AD Server, click the Windows icon to open FortiClient Enterprise Management Server.
2. Click the FortiClient EMS icon to launch the application.
3. Log in to the FortiClient EMS GUI with the username admin and password Password123.

4. To confirm the software version, click Dashboard > FortiClient Status.


5. In the System Information widget, the Version field shows the software version. Write this down.

To access the FortiClient EMS GUI using a web browser


1. Continuing on the AD Server, from the desktop, open Firefox.
2. In the address bar, type https://localhost to access the FortiClient EMS GUI.


3. To log in to the FortiClient EMS GUI, type the username admin and password Password123.
4. To confirm the FortiClient EMS serial number, click Dashboard > FortiClient Status.
5. In the System Information widget, the Serial Number field shows the serial number. Write this down.

You can also access the FortiClient EMS web GUI using the server hostname:
https://<server_name>.

Tip: You can get the <server_name> by running ipconfig /all on the server.
Your Host Name appears under Windows IP Configuration. If you cannot access
FortiClient EMS remotely, make sure that you can ping <server_name>, by adding it
to DNS or to the Windows hosts file.

6. Navigate to Profile Components, and you will see Manage CA Certificates. Here, you can upload and
manage certificates that can be used for EMS HTTPS access.

Create a New FortiClient EMS Administrator

To log in to FortiClient EMS, you need a user administrator account. You will create both a super administrator
and a limited access account.

To create a new FortiClient EMS administrator account


1. On the FortiClient EMS server, log in with the username admin and password Password123.
2. On the pane on the left side of the screen, click Administration > Administrators.
You will see an entry with the name admin, source Builtin, and role Super Administrator.

3. To create a Windows-based user administrator account, click +Add.


A new window opens.


4. In the Add user window, in the User source section, select Choose from LDAP or Windows users, and
click Next.

5. In the configuration window, configure the following settings:

Field | Value
User  | EMSadmin
Role  | Endpoint Administrator

6. To create the new administrator account, click Finish.

7. Click the admin icon on the right side of the EMS GUI, and select Sign out.

8. Log back in with the username EMSadmin and the password password.
Under Profile Components, you will see View CA Certificates instead of Manage CA Certificates.

Stop and think!


When you log in with the username EMSadmin, why do you only see View CA Certificates under Profile
Components?
This user account has limited permissions and is not allowed to access CA certificate management. The
Endpoint Administrator role that this user account is assigned to allows only read-only permissions in the
Settings Permissions category, which is the category that grants access to Manage CA Certificates.

Exercise 2: Configuring FortiClient EMS System Settings

In this exercise, you will configure the following FortiClient EMS system settings:

l Server settings
l Log settings
l Login banner settings

Configure Server Settings

In Server settings, you can configure settings such as the hostname, FQDN, and remote access. You will configure
an FQDN and then use it to access the FortiClient EMS server.

To configure FQDN on FortiClient EMS


1. On the AD Server, log in to the FortiClient EMS GUI, with the username admin and password Password123.
2. Click System Settings > Server.
3. In the Shared Settings section, select the Use FQDN checkbox and, in the FQDN field, type
myemsserver.com.

4. To allow remote access using FQDN, select the Remote HTTPS access checkbox, and type * in the Custom
hostname field.
5. To apply the changes, click Save.
6. To access the FortiClient EMS server, on the FortiClient-Laptop, open Firefox, type the URL
https://myemsserver.com, and then accept the self-signed certificate.

The FortiClient-Laptop hosts file has been modified to make myemsserver.com accessible.

Configure Log Settings

In the Logs settings, you can configure the log level and the number of days that logs, events, and alerts are
kept before they are cleared. You will change the Log level setting.

To configure log settings
1. On the FortiClient EMS GUI, click System Settings > Logs.
2. In the Log level drop-down list, select Debug.

3. Click Save to apply the changes.


4. Click Administration > Logs to view the changes.
You will see that Level changes to Debug, and that the logs are more detailed.

Configure Login Banner Settings

In Login Banner settings, you will configure a disclaimer message that appears before a user logs in to
FortiClient EMS.

To configure login banner settings


1. Continuing on the FortiClient EMS GUI, click System Settings > Login Banner.
2. Select the Enable login banner checkbox, and in the Message field, type Property of Fortinet lab.
Unauthorized access is strictly prohibited..

3. Click Save to apply the changes.


4. Log out as admin from the FortiClient EMS GUI, and close the application.

5. Open the FortiClient EMS GUI again.
A Disclaimer appears.

6. Click Accept to go to the login screen.

Exercise 3: Creating an Endpoint Group, Group
Assignment Rule, and Running Scans

In this exercise, you will create an endpoint group and a group assignment rule, and run antivirus and
vulnerability scans on endpoints. Endpoint management enables FortiClient EMS to perform actions on managed
endpoints and to run scans on them.

Create an Endpoint Group for a Windows Workgroup

You will create individual groups for Windows workgroup endpoints on FortiClient EMS.

To create a group for a Windows workgroup


1. On the AD Server, open the FortiClient EMS GUI, and click Endpoints > Workgroups.
2. In the Workgroups drop-down list, right-click All Groups, and then click Create group.

3. In the Create group field, type Windows Endpoints.

4. To create the group, click Confirm.


Create a Group Assignment Rule for Windows Endpoints

FortiClient EMS can use group assignment rules to automatically place endpoints into custom groups, based on
the installer ID, IP address, OS, or AD group of the endpoints. You will create a group assignment rule based on
OS.

To create a group assignment rule


1. On the FortiClient EMS GUI, click Endpoints > Group Assignment Rules.
2. To create a new rule, on the pane on the right, click +Add.
3. In the pop-up window, configure the following settings:

Field         Value
Type          OS
OS            Windows
Group         Windows Endpoints
Enable Rule   (Enabled)

4. To add a new group assignment rule, click Save.

5. To add Windows endpoints to the new group, on the pane on the right, click Run Rules Now.

FortiClient EMS automatically places endpoints that do not match any group assignment rule into the
Other Endpoints group.
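The following is an added example, not FortiClient EMS code, that models how group assignment rules sort endpoints into groups. The four rule types (installer ID, IP address, OS, AD group), the OS rule built in this exercise, and the Other Endpoints fallback come from the lab text; the endpoint records, the extra rules, the matching semantics for each type, and the assumption that rules are evaluated in order with the first match winning are constructed for the example.

```python
# Added example (not FortiClient EMS code): a small model of group assignment rules.
# Assumptions: rules are evaluated in list order, first match wins, and an OS rule
# matches on OS family prefix. The sample endpoints and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

OTHER_ENDPOINTS = "Other Endpoints"  # group EMS uses for endpoints that match no rule


@dataclass
class Endpoint:
    hostname: str
    os: str                          # e.g. "Windows 10"
    ip: str
    installer_id: str = ""
    ad_groups: Tuple[str, ...] = ()


@dataclass
class AssignmentRule:
    rule_type: str   # "OS", "IP", "Installer ID" or "AD Group"
    value: str       # OS family, CIDR range, installer ID or AD group name
    group: str       # target group, e.g. "Windows Endpoints"
    enabled: bool = True

    def matches(self, ep: Endpoint) -> bool:
        """Return True when this rule is enabled and applies to the endpoint."""
        if not self.enabled:
            return False
        if self.rule_type == "OS":
            # family match: "Windows" covers "Windows 10" and "Windows Server 2016"
            return ep.os.lower().startswith(self.value.lower())
        if self.rule_type == "IP":
            return ip_address(ep.ip) in ip_network(self.value, strict=False)
        if self.rule_type == "Installer ID":
            return ep.installer_id == self.value
        if self.rule_type == "AD Group":
            return self.value in ep.ad_groups
        raise ValueError(f"unknown rule type: {self.rule_type!r}")


def run_rules(rules: List[AssignmentRule], endpoints: List[Endpoint]) -> Dict[str, str]:
    """Model of 'Run Rules Now': map each hostname to the group of the first matching
    enabled rule, or to Other Endpoints when no rule matches."""
    placement = {}
    for ep in endpoints:
        placement[ep.hostname] = next((r.group for r in rules if r.matches(ep)), OTHER_ENDPOINTS)
    return placement


# Constructed sample data: the OS rule from this exercise plus two extra rules.
LAB_RULES = [
    AssignmentRule("IP", "10.0.2.0/24", "Guest Endpoints", enabled=False),  # disabled: ignored
    AssignmentRule("OS", "Windows", "Windows Endpoints"),                    # rule from the lab
    AssignmentRule("AD Group", "Finance", "Finance Endpoints"),
]

SAMPLE_ENDPOINTS = [
    Endpoint("FortiClient-Laptop", "Windows 10", "10.0.1.10"),
    Endpoint("guest-01", "Windows 10", "10.0.2.5"),                        # disabled IP rule is skipped
    Endpoint("mac-01", "macOS 10.15", "10.0.1.20", ad_groups=("Finance",)),
    Endpoint("linux-01", "Ubuntu 18.04", "10.0.1.30"),                     # matches nothing
]

if __name__ == "__main__":
    for host, group in run_rules(LAB_RULES, SAMPLE_ENDPOINTS).items():
        print(f"{host:20} -> {group}")
```

Running the block places FortiClient-Laptop and guest-01 in Windows Endpoints (the disabled IP rule is skipped), mac-01 in Finance Endpoints, and linux-01 in Other Endpoints, which is the behaviour the note above describes.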

Run Antivirus and Vulnerability Scans on a Registered Endpoint

FortiClient EMS endpoint management can run scans on managed clients. Before you can run a scan, you must
change the endpoint policy on FortiClient EMS.

To modify the endpoint policy and assign the default endpoint profile
1. On the FortiClient EMS GUI, click Endpoint Policy, and then select Student.
2. On the pane on the right, in the Endpoint profile field, select Default in the drop-down list.
3. To apply the changes, click Save.

To run scans, FortiClient, which is installed on the FortiClient-Laptop VM, must connect to FortiClient EMS.
Click FABRIC TELEMETRY, ensure that the FortiClient status is Connected, and then click the menu icon beside
the Disconnect button, and ensure that it shows a FortiClient EMS IP address of 10.0.1.100.

4. On the FortiClient-Laptop VM, in the system tray, right-click the FortiClient icon.
After applying the changes, wait until the FortiClient configuration update is received from FortiClient EMS.
You will notice that the MALWARE PROTECTION tab is removed from FortiClient.

Stop and think!
Why did the MALWARE PROTECTION tab disappear after you assigned the Default endpoint profile?

The Default endpoint profile doesn't have the malware protection feature enabled by default. To enable
AV, click the AntiVirus Protection button.

To enable antivirus protection for the default endpoint profile


1. On the AD Server, open the FortiClient EMS GUI, and click Endpoint Profiles > Local Profiles.
2. Select the Default profile.
3. Click Save to apply the setting.
After the Default profile is synced, on the FortiClient-Laptop VM, MALWARE PROTECTION appears on
the FortiClient GUI.

To run antivirus and vulnerability scans on a registered endpoint


1. On the AD Server, continuing on the FortiClient EMS, on the pane on the left, click Endpoints > All Endpoints.
You will see the registered client.

2. Beside the registered client, select the checkbox to highlight the registered client.
The following options will appear: Scan, Patch, Move to, and Action.

3. Click Scan, and then click Quick AV Scan.


The scan will start after the endpoint sends the next keepalive packet.


4. To perform a vulnerability scan, click Scan > Vulnerability Scan.

The scan will start, and it will finish after the endpoint re-syncs or sends the next keepalive packet.


Vulnerability information will appear on the dashboard or client details page, similar to the following example:

Exercise 4: Enabling the Security Fabric to Trigger
Automatic Quarantine

In this exercise, you will enable the Security Fabric to trigger automatic quarantine, based on indicators of
compromise (IOC) on FortiAnalyzer.

Verify FortiClient Log Settings

To identify compromised hosts, FortiClient must send logs to FortiAnalyzer. You will verify the FortiClient log
settings.

To verify FortiClient log settings


1. On the AD Server VM, log in to the FortiClient EMS application.
2. Click Endpoint Profiles > Local Profiles > Profile name: Student, and then select System Settings.
3. In the Log section, ensure that Upload logs to FortiAnalyzer/FortiManager, Upload UTM Logs, Upload
Vulnerability Logs, and Upload Event Logs are enabled.
4. Set IP Address/Hostname to 10.0.1.250, Upload Schedule to 1 minute, and Log Generation Timeout to
30 seconds.

If you are using a web browser to access FortiClient EMS, you must enable Advanced
view settings.

5. Click Save to finish.

To use the student profile in the endpoint policy


1. On the FortiClient EMS GUI, click Endpoint Policy, and then select Student.
2. On the pane on the right, in the Endpoint profile field, select Student in the drop-down list.
3. Click Save to apply the changes.

Enable the Security Fabric on the Root FortiGate

You will configure the Security Fabric and enable telemetry on the FortiGate internal interface.

To configure the Security Fabric and enable telemetry on the root FortiGate
1. On the FortiClient-Laptop VM, open Firefox, type the FortiGate IP address 10.0.1.254, and log in with the
username admin and password password.
2. On the FortiGate GUI, click Security Fabric > Settings.
3. Enable FortiGate Telemetry.
4. In the Security Fabric role field, click Serve as Fabric Root.
5. In the Fabric name field, type Fabric.
6. Leave Management IP/FQDN and Management Port at their default values.
7. In the Allow other FortiGates to join field, click the + sign, and add LAN (port3).

8. In the FortiAnalyzer Logging section, in the IP address field, type 10.0.1.250, and click Test
Connectivity. You will see the following message:


Leave all other settings at their default values.

9. To authorize FortiGate on the FortiAnalyzer, open Firefox, type https://10.0.1.250, and log in with the
username admin and password password.
10. On Device Manager, select the serial number of the FortiGate, and click Authorize.
Once FortiGate is authorized on FortiAnalyzer, the FortiGate GUI will look similar to the following example:

11. Continuing on the FortiGate GUI, click Security Fabric > Settings, and in the FortiClient Endpoint
Management System (EMS) section, type the following settings:

Field            Value
Name             EMSServer
IP/Domain Name   10.0.1.100
Serial Number    <Copy this from the FortiClient EMS dashboard>
Admin User       admin
Password         Password123

12. Click Apply to save the settings.

To enable Security Fabric automation and create a new stitch
1. Continuing on the FortiGate GUI, go to Security Fabric > Automation, and click Create New.
2. In the Name field, type Endpoint-Compromised. Leave the Status and FortiGate fields at their default
values.
3. In the Trigger section, click Compromised Host, and in the Threat level threshold field, click Medium.
4. In the Action section, click Quarantine FortiClient via EMS, and leave the Minimum interval at the default
value.
5. Click OK to save the settings.
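The following is an added example, not FortiOS or FortiClient EMS code, that models the Endpoint-Compromised stitch configured above: a Compromised Host trigger with a Medium threat level threshold, and a Quarantine FortiClient via EMS action that is rate-limited by a minimum interval. The trigger, threshold and action come from the lab; the threat-level ordering, the 60-second minimum interval, the event format and the sample events are assumptions constructed for the example.

```python
# Added example (not FortiOS code): a model of the Endpoint-Compromised automation stitch.
# Assumptions: threat levels order low < medium < high < critical, the minimum interval
# is 60 seconds and applies per host, and IOC verdicts arrive as CompromisedHostEvent records.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

THREAT_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering


@dataclass
class CompromisedHostEvent:
    """One IOC verdict for a host, as the trigger would receive it (constructed format)."""
    host: str
    threat_level: str
    at: datetime


@dataclass
class QuarantineStitch:
    """Trigger: Compromised Host at or above `threshold`. Action: quarantine via EMS."""
    threshold: str = "medium"
    minimum_interval: timedelta = timedelta(seconds=60)   # assumed value
    last_fired: Dict[str, datetime] = field(default_factory=dict)
    actions: List[dict] = field(default_factory=list)

    def handle(self, ev: CompromisedHostEvent) -> Optional[dict]:
        """Return the quarantine action for this event, or None if the stitch does not fire."""
        level = THREAT_LEVELS.get(ev.threat_level.lower())
        if level is None:
            raise ValueError(f"unknown threat level {ev.threat_level!r}")
        if level < THREAT_LEVELS[self.threshold]:
            return None                          # below the configured threshold
        last = self.last_fired.get(ev.host)
        if last is not None and ev.at - last < self.minimum_interval:
            return None                          # same host re-triggered inside the minimum interval
        self.last_fired[ev.host] = ev.at
        action = {"action": "quarantine-via-ems", "host": ev.host,
                  "threat_level": ev.threat_level, "at": ev.at}
        self.actions.append(action)
        return action


# Constructed sample verdicts, relative to an arbitrary start time.
T0 = datetime(2019, 12, 17, 10, 0, 0)
SAMPLE_EVENTS = [
    CompromisedHostEvent("FortiClient-Laptop", "low", T0),                            # ignored
    CompromisedHostEvent("FortiClient-Laptop", "medium", T0 + timedelta(seconds=5)),  # fires
    CompromisedHostEvent("FortiClient-Laptop", "high", T0 + timedelta(seconds=30)),   # suppressed
    CompromisedHostEvent("pc-02", "high", T0 + timedelta(seconds=40)),                # fires (other host)
    CompromisedHostEvent("FortiClient-Laptop", "high", T0 + timedelta(seconds=90)),   # fires again
]


def run_stitch(events: List[CompromisedHostEvent], threshold: str = "medium") -> List[Tuple[str, int]]:
    """Feed events through one stitch; return (host, seconds after T0) for each action taken."""
    stitch = QuarantineStitch(threshold=threshold)
    for ev in events:
        stitch.handle(ev)
    return [(a["host"], int((a["at"] - T0).total_seconds())) for a in stitch.actions]


if __name__ == "__main__":
    for host, offset in run_stitch(SAMPLE_EVENTS):
        print(f"t+{offset:3d}s quarantine {host} via EMS")
```

With the Medium threshold, the Low verdict is ignored, the second Medium/High verdict for the same host within 60 seconds is suppressed by the minimum interval, and a different host is quarantined independently; raising the threshold to Critical produces no action for these events.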

To configure firewall policies on FortiGate


1. Continuing on the Local-FortiGate GUI, click Policy & Objects > IPv4 Policy.
2. Click Create New, and configure the following policy settings to allow traffic to pass from LAN(port3) to port1:

Field                   Value
Name                    IOC_Policy
Incoming Interface      LAN(port3)
Outgoing Interface      port1
Source                  FortiClient-Laptop
Destination             all
Schedule                always
Service                 ALL
Action                  ACCEPT
NAT                     <enable>
IP Pool Configuration   Use Outgoing Interface Address
Web Filter              monitor-all
SSL/SSH Inspection      certificate-inspection
Log Allowed Traffic     All Sessions (greyed out)

3. Click OK.
4. Drag and drop the IOC_Policy policy above the Full_Access policy.

To run security rating on the FortiGate


1. Continuing on the Local-FortiGate GUI, click Security Fabric > Security Rating.
2. On the Security Rating page, click Run Now to update the ranking.

To verify that the FortiAnalyzer license includes the IOC service


1. On the FortiClient-Laptop VM, open a browser, and type the IP address 10.0.1.250.
2. On the login page, type the username admin and the password password.
3. Click System Settings, and in the License Information widget, check the status of the FortiGuard Indicators
of Compromise Service license.


To test automatic quarantine triggered by IOC detection


1. On the FortiClient-Laptop VM, open Firefox, and type the URL www.google.com.
2. Open a new browser tab, and type http://195.22.28.198.
This IP address will be blocked by the FortiClient malicious websites category.

3. Continue on the FortiClient-Laptop VM, and log in to FortiAnalyzer.


4. Click SOC > FortiView > Compromised Hosts.
The endpoint will appear in the window.

5. To see details, double-click the host.


6. Continuing on the FortiClient-Laptop VM, log in to the FortiGate GUI. Click FortiView > Compromised Hosts.

7. Click Monitor > Quarantine Monitor.


You will see that the endpoint has been quarantined.

8. To view logs, click Log & Report > Events > System Events.

Since FortiClient is now quarantined, you will not be able to access FortiClient-Laptop using RDP.

9. Click the FortiClient-Laptop VM tab, and select CON under Remote Access Controls.

10. Click the icon to send a Ctrl+Alt+Delete key combination to Windows, so you can enter a password.


11. Enter the password password to log in to Windows using the console connection.
12. FortiClient will show the quarantine screen. FortiClient is blocking all communication, except to the EMS.

13. On the FortiClient-Laptop VM, ping EMS and FortiGate, browse the Internet, and resolve the domain name
www.google.com. The endpoint is blocked at the client network device level.

To remove the client from the compromised hosts list, go to the FortiAnalyzer GUI, and click SOC > FortiView.
To clear the host, click Threats > Compromised Hosts, click ACK to acknowledge the host, and then write some
text. This will also clear the host from FortiGate.

14. On the AD Server, log in to the FortiClient EMS GUI, and select Endpoints > All Endpoints.
15. In the right pane, select FortiClient-Laptop, and then click Action, and Unquarantine to allow Internet
access to the endpoint.


16. Go back to the FortiClient-Laptop, and change the Remote Access Control type to RDP.
You will now be connected to the FortiClient-Laptop over RDP.

17. Try to ping FortiGate, EMS server, and Google.com.


Your traffic should now be allowed.

Lab 3: Deployment and Provisioning using FortiClient
EMS

In this lab, you will learn about the deployment and provisioning of FortiClient on endpoints, using FortiClient
EMS.

Objectives
l Create and manage a deployment package
l Create a gateway list
l Add endpoints to FortiClient EMS from Windows AD
l Create an endpoint profile
l Configure a VPN tunnel
l Assign a new endpoint profile to an AD domain or workgroup endpoints
l Create and test a compliance verification rule

Time to Complete
Estimated: 45 minutes

Prerequisites
Before beginning this lab, you must make sure that the Windows server is configured as an AD domain controller.
You must also enable FortiTelemetry on FortiGate interface port 3.

Exercise 1: Creating a Deployment Package and Gateway
List for Deployment

In this exercise, you will create a deployment package and gateway list for endpoint profile deployment.

Create an Installer Profile in Profile Components

You will create an installer for deploying FortiClient on endpoints.

To create an installer profile in profile components


1. On the AD Server, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Manage Installers > Deployment Packages, and then click +Add to open a new
window.
3. In the Version tab, keep the default settings for Installer Type and Release, and select 6.2.1 in the Patch
field. Click Next.

4. In the General tab, in the Name field, type FortiClient-Version-6.2. Click Next.


5. In the Features tab, keep Secure Access Architecture Components at the default setting, and under
Additional Security Features, select AntiVirus, Web Filtering, and Application Firewall. Click Next.


6. In the Advanced tab, select Enable desktop shortcut, and keep the default values for the other settings. Click
Next.

7. In the Telemetry tab, notice that it shows that FortiClient will be managed by <EMS hostname and FQDN
address>.
8. To add the deployment package to FortiClient EMS, click Finish.
The installer appears on the Manage Installer > Deployment Packages pane.

FortiClient EMS automatically connects to the FortiGuard Distribution Network (FDN)
to provide access to the FortiClient installers, which you can use with FortiClient EMS
deployment packages. If a connection to FDN is not available, or you want a custom
installer, you must manually download a FortiClient installer and upload it to add it to
FortiClient EMS.

Create a Gateway List

You will create a gateway list to define the IP address of the FortiGate device that you want FortiClient to connect
to for sending FortiClient telemetry.

To create a gateway list


1. Continuing on the FortiClient EMS GUI, click Telemetry Gateway Lists > Manage Telemetry Gateway Lists.
2. To open the Gateway List window, click +Add.
3. On the Telemetry Gateway List window, configure the following settings:

Field                           Value
Name                            Corporate FortiGate
Connect to local subnets only   <select to enable>
Notify FortiGate                10.0.1.254

4. To create the list, click Save.

Exercise 2: Adding Endpoints to FortiClient EMS

In this exercise, you will add endpoints to FortiClient EMS by importing endpoints from the Windows AD server.
Endpoints are also added when endpoint users manually connect FortiClient Telemetry to FortiClient EMS.

Add Endpoints Using an AD Domain Server

You can manually import endpoints from an AD server. You can import and synchronize information about
computer accounts with an LDAP or LDAPS service. You can add endpoints by identifying the endpoints that are
part of an AD domain server.

To add endpoints using an AD domain server


1. On the AD Server, log in to the FortiClient EMS GUI.
2. In the pane on the left, click Endpoints > Manage Domains, and then click +Add to open the Domain window.
3. In the IP address/Hostname field, type 10.0.1.100, and keep the default values for Port and Distinguished
name.
4. In the Bind type section, select the Regular checkbox, and then configure the following settings:

Field      Value
Username   ADadmin
Password   password

5. To check the connectivity, click Test.

6. Perform one of the following tasks:


l If the test is successful, select Save to save the new domain.
l If the test is not successful, correct the information, and then test the settings again.


You can add the entire domain or an organizational unit (OU) from the domain. After
you import endpoints from an AD server, you can edit the endpoints. These changes
are not synchronized back to the AD server.

Exercise 3: Creating and Assigning an Endpoint Profile for
Deployment

In this exercise, you will create an endpoint profile and assign the profile to endpoints for FortiClient software
deployment. You will also configure a security profile and provision a VPN.

Create an Endpoint Profile on FortiClient EMS

To push the configuration to FortiClient endpoints, you must create an endpoint profile. The endpoint profile has
profile references that enable and disable FortiClient features and deployment.

To create an endpoint profile on FortiClient EMS


1. On the FortiClient EMS GUI, click Endpoint Profile > Manage Profiles.
2. To open a new profile window, click +Add.
3. In the Profile Name field, type Fortinet-Training.
4. Click VPN. It is enabled by default.

5. Click Save to save the endpoint profile.

Create a Profile to Deploy FortiClient

You must add a FortiClient installer to the FortiClient EMS before you can select an endpoint profile. You will
select the installer that you created in exercise 1.

To create a profile to deploy FortiClient


1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and then select Fortinet-
Training.
2. On the Deployment tab, enable FortiClient Deployment.
3. In the Action section, keep Action as Install, and in the Deployment Package field, select FortiClient-
Version-6.2.


4. On the Schedule tab, specify the installation start time, which should be five minutes from the current time.
5. Continuing on the Schedule tab, disable Reboot when no users are logged in, and keep the default values
for all other settings.
6. On the Credentials tab, in the Username field, type Administrator, and in the Password field, type
password.
7. Click Save.

Enable the Web Filter Feature in the Endpoint Profile

You can enable and disable security features, such as web filter, antivirus, and application firewall in endpoint
profiles.

To enable the web filter feature in the endpoint profile


1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and then select Fortinet-
Training.
2. On the Web Filter tab, in the General section, enable Web Filter, and keep Client Web Filtering When On-
Net.
3. On the Site Categories tab, beside Bandwidth Consuming, click + to expand the list.
4. In the list, beside Streaming Media and Download, select Block.

5. Click Save.

Provision a VPN in the Endpoint Profile

You will provision the VPN settings. The VPN profile will be applied to FortiClient when the profile installs on the
endpoint.

To provision a VPN in the endpoint profile


1. Continuing on the FortiClient EMS GUI, click Manage Profiles > Local Profiles, and select Fortinet-Training.
2. On the VPN tab, enable VPN, and disable all options in the General section.
3. On the SSL VPN tab, select the following settings:

4. On the VPN Tunnels tab, click Add Tunnel, and then type the following:

Field                 Value
Name                  Student-SSL VPN
Type                  SSL VPN
Remote Gateway        10.0.1.254
Port                  10443
Prompt for Username   (Enable)


5. To save the VPN profile, click Add Tunnel.


6. Click Save.

Create an Endpoint Policy to Assign the Endpoint Profile and Telemetry Gateway List to the Endpoints

After creating the profile, you must create an endpoint policy to assign the profile and gateway list to domains or
workgroups. When you create an endpoint policy to assign the profile to domains or workgroups, the profile
settings are automatically pushed to the endpoints in the domain or workgroup.

If you do not assign a profile to a specific domain or workgroup, the default profile is automatically applied to the
domain or workgroup.

To create an endpoint policy


1. On the FortiClient EMS GUI, click Endpoints Policy > Manage Policies > +Add.
2. In the Endpoint Policy window, in the Endpoint Policy name field, type Training, and then in the
Endpoint domains field, click Edit, and select trainingAD.training.lab.
3. In the Endpoint profile field, select Fortinet-Training from the local profiles list.
4. Enable Telemetry gateway list, and then select Corporate FortiGate.
5. Keep other settings at their default values, and click Save to add the endpoint policy. Make sure that the policy is
enabled.
The endpoint policy should have the following settings:


The endpoint profile and gateway list are assigned to the endpoint policy. After FortiClient is deployed on the
endpoints, and the endpoints are connected to the FortiClient EMS, you can update the endpoints by editing
the associated profiles.

Exercise 4: Configuring and Testing Compliance Rules to
Create Dynamic Groups and Policies

In this exercise, you will create and test compliance rules. You will also configure FortiGate to create a dynamic
policy for dynamic groups tagged on FortiClient EMS.

Create a Compliance Verification Rule

To enforce compliance, you must add a compliance verification rule.

To create a compliance verification rule


1. On the FortiClient EMS GUI, click Compliance Verification > Compliance Verification Rules, and then click
+Add to create a new rule.
2. In the Add New Rule window, configure the following settings:

Field             Value
Name              Running Process
Status            Enable
Type              Windows
Rule              Running Process
Running Process   calc.exe, click +
Assign to         All
Tag endpoint as   Type RunCalc and then select it

3. To add the rule, click Save.


Connect to the Security Fabric for Compliance

You must create an SSO/Identity connector on FortiGate to connect to the Security Fabric.

To create an SSO/Identity connector


1. On the AD Server VM, open a browser and log in to FortiGate at 10.0.1.254, with the username admin and
password password.
2. Click Security Fabric > Fabric Connectors.
3. To add the connector, click Create New, select FortiClientEMS in the SSO/Identity section, and configure the
following settings:

Field               Value
Name                EMS-Server
Primary Server IP   10.0.1.100
Password            Password123

4. Click Apply and Refresh, and then click OK to save.


5. On the AD Server VM, launch PuTTY from the taskbar to SSH into the FortiGate.
6. Click LOCAL-FORTIGATE in the list, and click Open to log in.
7. At the login as prompt, type admin, and then type the password password.
8. On the CLI console, type the following commands:


9. On the FortiGate GUI, click Security Fabric > Fabric Connectors, select EMS-Server, and click Edit to see
the details.
10. Under Connector Settings, click View to see the configured RUNCALC tag.

Create a User Group and a Policy on FortiGate

You must create a dynamic user group and dynamic firewall policy to enforce compliance.

To create a user group and policy
1. On the FortiGate GUI, click User & Device > User Groups.
2. Click Create New.
3. In the Name field, type RunningCalcPCs.
4. In the Type field, select Fortinet Single Sign-On (FSSO).
5. In the Members field, click +, and select RUNCALC from the list.
6. To add the group, click OK.

On the FortiClient-Laptop VM, make sure that you can reach the Internet by
continuously pinging www.google.com. Do not close the continuous ping window.

7. On the FortiGate GUI, click Policy & Objects > IPv4 Policy.
8. Select the Full_Access policy, and click Edit.
9. In the Source field, click +, browse to User, select RunningCalcPCs from the USER GROUP list, and then
click Close.
Leave the remaining settings as they are.

10. To save the settings, click OK.


Test the Compliance Policy

You will test the compliance policy.

To test the compliance policy


1. On the FortiClient-Laptop VM, ping 8.8.8.8 to check connectivity to the Internet. The ping should be denied.
2. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor. There should be no
endpoints with tags.

3. On the FortiClient-Laptop VM, run the calculator while there is no ping. Ping should start after a few more failures.
4. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor, and locate FortiClient-
Laptop.

5. On the FortiClient-Laptop VM, close the calculator. The ping should stop.
6. On the FortiClient EMS GUI, click Compliance Verification > Host Tag Monitor. There is no endpoint.
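The manual check above (calculator open, ping allowed; calculator closed, ping denied) can be observed continuously from the endpoint. The following PowerShell script is an added example and is not part of the Fortinet lab guide: it polls the FortiClient-Laptop VM, records whether the calculator process is running and whether 8.8.8.8 answers an ICMP echo, and prints every state change or any sample where reachability does not match the RUNCALC tag > RunningCalcPCs group > Full_Access policy chain. The calculator process names, the polling interval, and the sample count are assumptions.

```powershell
# Added example (not from the Fortinet lab guide): observe whether Internet
# reachability on the FortiClient-Laptop tracks the calculator process, which is
# the behaviour the RUNCALC tag, the RunningCalcPCs FSSO group, and the
# Full_Access policy should produce together.
function Get-ComplianceObservation {
    param([string]$Target = '8.8.8.8')   # target used in the lab's ping test

    # Assumption: the calculator runs as one of these process names, depending
    # on the Windows build (Calculator / CalculatorApp on Windows 10, calc on older).
    $calc = Get-Process -Name 'Calculator', 'CalculatorApp', 'calc' -ErrorAction SilentlyContinue
    $calcRunning = [bool]$calc

    # One ICMP echo, like the lab's ping. The FortiGate policy decides this.
    $reachable = [bool](Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Time        = Get-Date -Format 'HH:mm:ss'
        CalcRunning = $calcRunning
        Reachable   = $reachable
        # Expected steady state: reachable exactly when the calculator is running.
        AsExpected  = ($calcRunning -eq $reachable)
    }
}

function Watch-CompliancePolicy {
    param(
        [string]$Target = '8.8.8.8',
        [int]$IntervalSeconds = 5,   # assumption: poll every 5 seconds
        [int]$Samples = 60           # assumption: run for about 5 minutes
    )
    $previous = $null
    for ($i = 0; $i -lt $Samples; $i++) {
        $obs = Get-ComplianceObservation -Target $Target

        # Print the first sample, every state change, and every sample that
        # contradicts the expected behaviour, so the log stays short.
        $changed = ($null -eq $previous) -or
                   ($obs.CalcRunning -ne $previous.CalcRunning) -or
                   ($obs.Reachable -ne $previous.Reachable)
        if ($changed -or -not $obs.AsExpected) {
            $obs | Format-Table -AutoSize | Out-String | Write-Host
        }

        $previous = $obs
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Watch-CompliancePolicy
```

Run the script on the FortiClient-Laptop VM, then open and close the calculator while it polls. A few samples with AsExpected set to False immediately after each change are normal: FortiClient has to report the RUNCALC tag to EMS and EMS has to push the group membership to FortiGate before the policy decision changes, which is the delay the lab describes as "after a few more failures". A mismatch that persists across many samples points at the tag, the FSSO group, or the policy source, and that is where to look on the EMS Host Tag Monitor and the FortiGate GUI.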

Revert the Full_Access policy on FortiGate, and remove RunningCalcPCs from
the source.

Lab 4: Diagnostics and Troubleshooting

In this lab, you will examine the files that are created by running the diagnostic tools of FortiClient and FortiClient
EMS.

Objectives
• Run FortiClient and FortiClient EMS diagnostic tools

Time to Complete
Estimated: 20 minutes

Prerequisites
Before beginning this lab, you must make sure that FortiClient and FortiClient EMS are installed with diagnostic
tools.

Exercise 1: Running Diagnostic Tools

In this exercise, you will run FortiClient and FortiClient EMS diagnostic tools on the FortiClient-Laptop and AD
server.

Run the FortiClient Diagnostic Tool

You will run the diagnostic tool on FortiClient endpoints to gather system information.

Before running the diagnostic tool, you must change the FortiClient log level to
DEBUG. On the FortiClient EMS GUI, click Endpoint Profiles > Local Profiles >
Student, click the System Settings tab, and under Log, change the log level to
Debug.

To run the FortiClient diagnostic tool from the FortiClient console


1. On the FortiClient-Laptop, open the FortiClient console.
2. Click About, and then click Diagnostic Tool to open the tool window.

3. On the console, click Run Tool.


A command line window opens and the diagnostic tool runs tasks to collect system data.

4. After all tasks are completed, the tool opens the
C:\Users\Administrator\AppData\Local\Temp\1\Diagnostic_Result link to show the
Diagnostic_Result.cab file. Click Close to close the diagnostic tool.
5. Click the Diagnostic_Result.cab file, and search for the SystemInfo.txt and ipconfig.txt files.
6. To review the file content, click these files. When you click a file, a window opens and extracts the file to a
destination. Select Desktop for the destination.


Log files are compressed, so to read them, you must extract the files.

To run the FortiClient diagnostic tool from FortiClient EMS


1. On the AD-Server VM, log in to the FortiClient EMS GUI.
2. Click Endpoints > All Endpoints, and select endpoint IP 10.0.1.10.
3. Click Action, and select Request Diagnostic Results to run the tool on the selected endpoint.

The tool starts to run in the background. The file should be available after three keepalive cycles. The default
is 60 seconds for each cycle.

4. Continuing on the FortiClient EMS GUI, click Action, and select Download Available Diagnostics Results to
download the results file.


5. Click Download again to download the file to the FortiClient EMS server download folder.

Run the FortiClient EMS Diagnostic Tool

You will run the FortiClient EMS diagnostic tool on the AD server to gather information. Before running the tool,
you must change the FortiClient EMS log level to DEBUG.

To run the FortiClient EMS diagnostic tool


1. On the AD server, go to the FortiClient EMS installation folder at the following location:
C:\Program Files (x86)\Fortinet\FortiClientEMS.
2. Search for the EMSDiagnosticTool file, and then double-click the file to run the tool.

A command line window opens and the diagnostic tool runs tasks to collect system data.

3. After all tasks are completed, the tool opens the C:\Users\Administrator\AppData\Local\Temp\1
link to show the forticlientems_diagnostic.cab file.

4. Click the forticlientems_6.2.1.0780_diagnostic.cab file, and search for the SystemInfo.txt, events, and
debug_xx-xx-xxxx files.
5. To review the file content, click these files. When you click a file, a window opens and extracts the file to a
destination. Select Desktop for the destination.

Log files are compressed, so to read them, you must extract the files.
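Both the FortiClient diagnostic tool and the FortiClient EMS diagnostic tool produce a compressed .cab bundle that you extract by clicking through it in the steps above. The following PowerShell script is an added example and is not part of the Fortinet lab guide: it extracts either bundle with the Windows built-in expand.exe, then lists the files the exercise asks you to review (SystemInfo.txt and ipconfig.txt from the FortiClient bundle; SystemInfo.txt, events, and debug_* from the EMS bundle) with their size and a count of lines mentioning errors or failures, so you know where to start reading. The destination folder and the error pattern are assumptions; the cab path in the usage lines is the FortiClient tool's output path from this lab.

```powershell
# Added example (not from the Fortinet lab guide): extract a FortiClient or
# FortiClient EMS diagnostic .cab and summarize the files the lab asks you to review.
# Assumes Windows with the built-in expand.exe. The bundle contains host details
# (system information, IP configuration, debug logs), so extract it only to a
# location you control and delete it when the review is done.
function Expand-FortiDiagnosticCab {
    param(
        [Parameter(Mandatory)][string]$CabPath,
        [string]$Destination = (Join-Path $env:USERPROFILE 'Desktop\FortiDiag')  # assumption
    )
    if (-not (Test-Path -Path $CabPath)) { throw "Cab file not found: $CabPath" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # expand.exe ships with Windows; -F:* extracts every member of the cabinet.
    & "$env:SystemRoot\System32\expand.exe" -F:* $CabPath $Destination | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

    Get-ChildItem -Path $Destination -Recurse -File
}

function Get-FortiDiagnosticSummary {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [string]$ErrorPattern = 'error|fail'   # assumption: case-insensitive regex for triage
    )
    $files = Get-ChildItem -Path $Destination -Recurse -File

    # Files named in the lab: SystemInfo.txt and ipconfig.txt (FortiClient bundle),
    # SystemInfo.txt, events and debug_* (FortiClient EMS bundle). "events" may be
    # a folder in the EMS bundle, so match its contents by parent directory too.
    $ofInterest = $files | Where-Object {
        $_.Name -in 'SystemInfo.txt', 'ipconfig.txt' -or
        $_.Name -like 'events*' -or
        $_.Directory.Name -eq 'events' -or
        $_.Name -like 'debug_*'
    }

    foreach ($f in $ofInterest) {
        # Count matching lines rather than printing them, so large debug logs stay readable here.
        $hits = Select-String -Path $f.FullName -Pattern $ErrorPattern -ErrorAction SilentlyContinue |
                Measure-Object
        [pscustomobject]@{
            Name       = $f.Name
            Folder     = $f.Directory.Name
            SizeKB     = [math]::Round($f.Length / 1KB, 1)
            ErrorLines = $hits.Count
        }
    }
}

# Usage with the FortiClient tool's output path from the lab (logged in as Administrator,
# $env:LOCALAPPDATA is C:\Users\Administrator\AppData\Local). For the EMS bundle, point
# -CabPath at the forticlientems_*_diagnostic.cab file in the EMS tool's Temp\1 folder.
$cab  = Join-Path $env:LOCALAPPDATA 'Temp\1\Diagnostic_Result\Diagnostic_Result.cab'
$dest = Join-Path $env:USERPROFILE 'Desktop\FortiDiag'
Expand-FortiDiagnosticCab -CabPath $cab -Destination $dest | Out-Null
Get-FortiDiagnosticSummary -Destination $dest | Sort-Object ErrorLines -Descending | Format-Table -AutoSize
```

Sorting by ErrorLines puts the debug log with the most error or failure messages first, which is usually the file worth opening before SystemInfo.txt. Because the summary only counts matches, open the file itself (for example with Select-String and the same pattern) to see the actual lines once you have picked one.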


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
