
USER GUIDE

FortiClient Host Security Version 2.0 MR1

www.fortinet.com

FortiClient Host Security User Guide Version 2.0 MR1 October 17, 2005 04-20001-0183-20051017 © Copyright 2005 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc. Trademarks ABACAS, APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
    About FortiClient Host Security
    Documentation
        Fortinet Knowledge Center
        Comments on Fortinet technical documentation
    Customer service and technical support

Installation
    System requirements
        Supported FortiGate models and FortiOS versions
    Language Support
    Installing FortiClient on a single PC
    Installing customized FortiClient using Active Directory Server
        Customizing the FortiClient installation package
        Disabling VPN XAuth password saving
        Running remote installation

Configuration
    General Settings
        Entering a license key
        Configuring proxy server settings
        FortiClient status icons
    VPN
        Setting up a FortiClient-to-FortiGate VPN with manual configuration
        Setting up a FortiClient-to-FortiGate VPN with automatic configuration
        Testing the connection
        Connecting to the remote FortiGate network
        Configuring the advanced VPN settings
        Monitoring VPN connections
        Exporting and importing VPN policy files
        Troubleshooting
        Starting up VPN before logging on to Windows
        Managing digital certificates
    Antivirus
        Scanning for viruses
        Configuring antivirus settings
        Configuring real-time protection
        Configuring email scanning
        Managing quarantined files
        Monitoring Windows startup list entries
    Firewall
        Selecting a firewall mode
        Selecting a firewall profile
        Viewing traffic information
        Configuring application access permissions
        Configuring network security zones
        Configuring intrusion detection
        Configuring advanced firewall rules
    Web Filter
        Setting the administration password
        Configuring the web filter settings
    Update
        Updating FortiClient
    Logs
        Configuring log settings
        Managing log files
    Using the FortiClient system tray icon menus

Frequently asked questions

Index

Introduction

This chapter introduces you to FortiClient Host Security software and the following topics:
• About FortiClient Host Security
• Documentation
• Customer service and technical support

About FortiClient Host Security

The FortiClient Host Security software is a secure remote access client for Windows computers. It integrates IPSec VPN, antivirus, firewall, Windows registry monitoring, and web browsing control into a single software package. Using the FortiClient software, you can:
• create VPN connections to remote networks,
• scan your computer for viruses,
• configure real-time protection against viruses and unauthorized modification of the Windows registry,
• restrict access to your system and applications by setting up firewall policies,
• restrict Internet access according to the rules you specify.

Documentation

In addition to this FortiClient Host Security User Guide, the FortiClient online help provides information and procedures for using and configuring the FortiClient software. Information about FortiGate Antivirus Firewalls is available from the FortiGate online help and the FortiGate Administration Guide.

Fortinet Knowledge Center

The most recent Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

You can send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.

Customer service and technical support

For antivirus and attack definition updates, firmware updates, updated product documentation, technical support information, and other resources, please visit the Fortinet technical support web site at http://support.fortinet.com.

Fortinet email support is available from the following addresses:
• amer_support@fortinet.com: For customers in the United States, Canada, Mexico, Latin America and South America.
• apac_support@fortinet.com: For customers in Japan, Korea, China, Hong Kong, Singapore, Malaysia, all other Asian countries, and Australia.
• eu_support@fortinet.com: For customers in the United Kingdom, Scandinavia, Mainland Europe, Africa, and the Middle East.

For information on Fortinet telephone support, see http://support.fortinet.com.

When requesting technical support, please provide the following information:
• Your name
• Company name
• Location
• Email address
• Telephone number
• FortiClient version
• Detailed description of the problem

Installation

You can install the FortiClient software in two ways:
• For a single PC installation, you can install the software by running the installation file. See “Installing FortiClient on a single PC” on page 8.
• For a group installation, you can use the Active Directory Server to install the FortiClient package on multiple PCs. See “Installing customized FortiClient using Active Directory Server” on page 8.

System requirements

• PC-compatible computer with Pentium processor or equivalent
• Compatible operating systems and minimum RAM:
    • Microsoft Windows 2000: 64 MB
    • Microsoft Windows XP: 128 MB
    • Microsoft Windows Server 2003: 128 MB
• 40 MB hard disk space
• Native Microsoft TCP/IP communications protocol
• Native Microsoft PPP dialer for dial-up connections
• Ethernet for network connections
• Microsoft Internet Explorer 5.0 or later

Supported FortiGate models and FortiOS versions

The FortiClient software supports:
• all FortiGate models
• FortiOS v2.36
• FortiOS v2.50
• FortiOS v2.80

Language Support

FortiClient Host Security is localized for English, Simplified Chinese, and Japanese. The user interface, manual and online help are provided in English, Simplified Chinese, or Japanese. If the installation detects a Simplified Chinese or Japanese code page, the Simplified Chinese or Japanese version is installed. In all other cases, the English version is installed.

Installing FortiClient on a single PC

The software may not function properly with other VPN clients installed on the same computer. You should uninstall any other VPN clients such as SSH Sentinel before installing the FortiClient software. If you have an older version of FortiClient software on your computer, it will be uninstalled automatically.

Note: Configuration data from FortiClient v1.0 cannot be reused by v2.0. Configuration data from v1.2 and v1.6 will be kept and reused by v2.0.

To install the FortiClient software, run the FortiClient install program and follow the instructions on the screen. To complete the installation of the FortiClient software, you must reboot the computer and complete the following initial configuration.

Note: The FortiClient software installs a virtual network adapter. The FortiClient virtual network adapter is not displayed in the Windows list of network adapters.

To configure the FortiClient software after system reboot
1 On the FortiClient Configuration Wizard, select Basic Setup if you are installing FortiClient on a standalone computer, or select Advanced Setup if you are installing FortiClient on a computer in a network.
2 For Basic Setup, configure the update settings. See “Update” on page 51.
3 For Advanced Setup, do the following:
    • Add IP addresses to FortiClient’s public, trusted, blocked zones. For more information, see “Configuring network security zones” on page 45.
    • If your computer uses a proxy server, enter the proxy server information. See “Configuring proxy server settings” on page 12.
    • Configure the update settings. For more update information, see “Update” on page 51.

Installing customized FortiClient using Active Directory Server

The FortiClient installer is based on MSI technology. You can customize the FortiClient installation package and use the Active Directory Server to install different customized installation packages on different PCs.

Customizing the FortiClient installation package

To customize the FortiClient MSI installation package, use any MSI editor, such as InstallShield and Wise. The MSI file should not be edited directly. The recommended solution is to create a transform file that contains the configuration changes you need. The transform file is applied to the original MSI file at runtime by msiexec. Custom installations must conform to the following rules.
• No feature is to be deleted.
• No feature is to be added.
• No feature is to be moved from one feature to another.
• No component is to be added.
• No component is to be deleted.
• No component is to be moved from one feature to another.
• No component code (GUID) is to be modified.
• The shared state of a component must not be changed.
• Registry settings are only to be added to the following components:
    • REGISTRY_MST_FWSettings
    • REGISTRY_MST_AVSettings
    • REGISTRY_MST_VPNSettings
    • REGISTRY_MST_BHOSettings

Caution: If you modify the MSI installation package, you may not be able to upgrade the FortiClient installation with newer FortiClient releases.

Disabling VPN XAuth password saving

The ability for a user to “save” the VPN XAuth password can now be disabled through a registry setting in a custom installation.

To disable XAuth password saving
1 Create a custom MSI transform file.
2 Edit the LOCAL_MACHINE\Software\Fortinet\FortiClient\FA_IKE registry key.
3 Add the value DontRememberPassword under the key.
4 Set the value of DontRememberPassword to 1.

Running remote installation

The following is a general description of how to deploy the FortiClient software to remote computers using Active Directory Server. For more details, see the Active Directory manuals or online help. To complete this procedure, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

To deploy FortiClient using Active Directory Server
1 Unzip the FortiClient MSI installation file to a share folder.
2 Open the Group Policy Object Editor.
3 Select Computer Configuration.
4 Select Software Settings.
5 Right-click Software Installation, select New, and then select Package.
6 Select the FortiClient MSI installation file and select Open.
7 In Deploy Software, select Assigned.
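One way to verify on a deployed PC that the DontRememberPassword setting from “Disabling VPN XAuth password saving” took effect. This is an added example, not part of the Fortinet guide; it assumes that LOCAL_MACHINE refers to the HKLM hive and that the value stores the number 1, since the guide does not state the value type. The function name is hypothetical.

```powershell
# Added example, not from the FortiClient guide: audit the XAuth password-saving setting.
# Assumptions: "LOCAL_MACHINE" on the page means the HKLM hive, and the value
# holds the number 1 (the guide does not state the registry value type).
function Test-XAuthPasswordSavingDisabled {
    param(
        # Key path from the guide, written as a PowerShell registry path.
        [string]$KeyPath = 'HKLM:\Software\Fortinet\FortiClient\FA_IKE',
        [string]$ValueName = 'DontRememberPassword'
    )

    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        KeyPath   = $KeyPath
        State     = 'KeyMissing'   # the FA_IKE key was not found at this path
        Compliant = $false
    }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return $result
    }

    # A missing value raises a non-terminating error; suppress it and test for $null.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.State = 'ValueMissing'   # key exists, but the transform did not add the value
        return $result
    }

    $raw = $item.$ValueName
    if ("$raw".Trim() -eq '1') {
        # Compare as text so that a numeric or a string value of 1 both pass.
        $result.State = 'PasswordSavingDisabled'
        $result.Compliant = $true
    }
    else {
        $result.State = "UnexpectedValue($raw)"
    }
    return $result
}

# Report the state of the local machine.
Test-XAuthPasswordSavingDisabled | Format-List
```

Passing a scratch key path through -KeyPath lets you exercise the three non-compliant states without touching the real FortiClient key.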


Configuration

This chapter describes the detailed FortiClient settings in the order of FortiClient GUI layout.
• General Settings
• VPN
• Antivirus
• Firewall
• Web Filter
• Update
• Logs
• Using the FortiClient system tray icon menus

General Settings

Use the General Settings page to:
• set the FortiClient software to load automatically during startup,
• enable or disable real-time antivirus protection,
• enable or disable the Windows system startup list monitoring,
• enter a product license key,
• configure the proxy server settings.

You can also use the General Settings page to view:
• the current version and serial number of the FortiClient software,
• the status of the VPN service,
• the current version of the antivirus definition files,
• the time of the last antivirus scan,
• the status of the auto-update service,
• the time of the last update.

Entering a license key

The FortiClient software uses license keys to distinguish between evaluation software and fully licensed software. With the evaluation version, you can only use DES for encryption and MD5 for authentication when you configure a VPN connection. After you register the software, you receive the license key from Fortinet.

To enter a license key
1 On the General Settings page, select Enter License Key.
2 Enter the license key in the License Key field.
3 Select OK.

Configuring proxy server settings

If you use a proxy server for your LAN, you can specify the proxy server settings so that the FortiClient software can go through the proxy server to get antivirus signature updates and online SCEP. FortiClient software supports HTTP, SOCKS v4, and SOCKS v5 proxy protocols.

Note: You can get the proxy server information from your network administrator.

To configure proxy server settings
1 Go to General > Connection.
2 Select Enable proxy for updates and/or Enable proxy for Online SCEP.
3 For Proxy Type, select HTTP, SOCKS V4, or SOCKS V5.
4 Enter the proxy server’s IP address and port number.
5 Enter the user name and password.
6 Select Apply.

FortiClient status icons

The FortiClient status bar on the lower right corner displays the FortiClient status icons. The icons indicate the following states:
• The VPN service is running and there is an open connection.
• The VPN service is stopped.
• The antivirus scanning service is running.
• The antivirus scanning service is stopped.
• The real-time protection service is running.
• The real-time protection service is stopped.
• The update service is running.
• The update service is stopped.
• The firewall protection is enabled.
• The firewall protection is disabled.

VPN

By entering basic connection information and using the default settings, you can quickly set up a VPN tunnel between your computer and a network behind a FortiGate gateway. See “Setting up a FortiClient-to-FortiGate VPN with manual configuration” on page 13.

If the FortiGate gateway runs as a VPN policy server that deploys the preconfigured VPN policies to FortiClient PCs, you can use the FortiClient automatic configuration feature. In this case, you only need to specify the FortiGate IP address to which the FortiClient software connects to download the VPN configuration. See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.

Note: FortiGate-to-FortiClient VPN policy deployment is a new feature of FortiOS v3.0. Contact Fortinet Technical Support for more details.

To customize the FortiClient VPN settings or to use digital certificates for VPN authentication, see “Configuring the advanced VPN settings” on page 20 and “Managing digital certificates” on page 29.

Setting up a FortiClient-to-FortiGate VPN with manual configuration

This VPN configuration example uses default FortiClient settings and preshared keys for VPN authentication. To set up a VPN connection, you must configure both the FortiClient and the FortiGate VPN settings.

Configuring FortiClient VPN settings

Go to VPN > Connections to add, delete, edit, or rename a VPN connection. To add a FortiClient to FortiGate VPN, you need to:
• Set up the VPN tunnel from FortiClient to the remote FortiGate gateway.
• Add the remote network IP addresses behind the remote gateway.
• Get a virtual IP address that the FortiGate firewall administrator assigns to your FortiClient PC, unless you use DHCP over IPSec.
• Configure Internet browsing over IPSec if you want to access the Internet through the VPN tunnel.

If you are configuring a VPN to use either local digital certificates or smartcard/eToken certificate for authentication, see “Managing digital certificates” on page 29 before proceeding. Digital certificates are not required for configuring FortiClient VPN connections. Digital certificates are an advanced feature provided for the convenience of system administrators. This manual assumes the user has prior knowledge of how to configure digital certificates for their implementation.

Figure 1: Creating a new VPN connection

To create a FortiClient VPN configuration
1 Go to VPN > Connections.
2 Select Add.
3 Enter a descriptive name for the connection.
4 For Configuration, select Manual.
5 For Remote Gateway, enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.
6 Enter the Remote Network information. This is the IP address and netmask of the network behind the FortiGate gateway.
7 Enter the Preshared key. The preshared key must be the same as the one used by the FortiGate VPN configuration.
8 Select OK.

To add a remote network you can access
1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit a connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Add. You can enter multiple IP addresses behind the remote gateway. These are the IP addresses you can access through the VPN tunnel.
5 In the Network Editor dialog box, enter the IP address and subnet mask of the remote network.
6 Select OK.

To set the virtual IP address
1 Select a VPN and then select edit.
2 Select Advanced.
3 In the Advanced Settings dialog box, select Acquire Virtual IP Address and select Config.
4 In the Virtual IP Acquisition dialog box, select either DHCP over IPSec or manually set an IP. For details, see “Configuring Virtual IP address acquisition” on page 24.
5 Select OK.

To use Internet browsing over IPSec
1 Select a VPN and then select edit.
2 Select Advanced.
3 In the Advanced Settings dialog box, select Add.
4 Enter 0.0.0.0/0.0.0.0 and select OK.

Note: For the FortiClient PC to be able to use Internet browsing over IPSec, the remote FortiGate gateway must also be configured to allow such traffic.

Configuring the FortiGate VPN settings

To configure the FortiGate unit to accept FortiClient VPN connections, you need to:
• configure the FortiGate Phase 1 VPN settings,
• configure the FortiGate Phase 2 VPN settings,
• add a firewall encryption policy.

You do not need to modify the default FortiGate VPN settings if you are using a FortiClient quick start configuration. The default FortiGate phase 1 and 2 VPN settings match the default FortiClient VPN settings if you have a registered FortiClient version.

Note: If you have the FortiClient evaluation version, you can only use DES for encryption and MD5 for authentication. Therefore, when you configure the FortiGate VPN settings, you must also select DES and MD5.

The following procedures are applicable to v2.80 FortiGate gateways. For v2.50 FortiGate gateways, the procedures vary slightly. For detailed configuration information, see FortiGate VPN Guide.

To configure phase 1 settings
1 Go to VPN > IPSEC > Phase 1.
2 Select Create New to create a new VPN gateway.

3 Enter the following information and select OK.
    Gateway Name: Enter a name for the remote FortiClient user, such as FortiClient_User1.
    Remote Gateway: Select Dialup User.
    Mode: Select Main Mode.
    Authentication Method: Select Pre-shared Key.
    Pre-shared Key: Enter the pre-shared key.
    Peer option: Select Accept any peer ID.

To configure phase 2 settings
1 Go to VPN > IPSec > Phase 2.
2 Select Create New to create a new VPN tunnel.
3 Enter the following information and select OK.
    Tunnel Name: Enter a name for the VPN tunnel.
    Remote Gateway: Select the gateway name you entered in phase 1 configuration.
    Concentrator: Select None.

To add a source address
1 Go to Firewall > Address.
2 Select Create New.
3 Enter an address name.
4 Enter the subnet IP address which will be used as the virtual IP addresses for the remote FortiClient PCs. This subnet should be different from the local FortiGate subnet.
5 Select OK.

To add a destination address
1 Go to Firewall > Address > External.
2 Select New.
3 Enter an address name.
4 Enter the individual address or the subnet address that you want the dialup users to access through VPN.
5 Select OK.

To add a firewall policy
1 Go to Firewall > Policy.
2 Select Create New.
3 Enter the following information and select OK.
    Source: Internal
    Destination: External
    Source Address Name: Select the address name you added in “To add a source address” on page 16.
    Destination Address Name: Select the address name you added in “To add a destination address” on page 16.
    Schedule: Always
    Service: Any
    Action: Encrypt
    VPN Tunnel: Select the VPN tunnel you added in “To configure phase 2 settings” on page 16. Select Allow inbound and Allow outbound.
    Protection Profile: Optional
    Log Traffic: Optional
4 Move the encryption policy above the non-encrypt firewall policies in the policy list.

Setting up a FortiClient-to-FortiGate VPN with automatic configuration
If the remote FortiGate gateway is configured as a VPN policy deployment server, you can configure the FortiClient software to download the VPN policies from the FortiGate gateway. The policy server has a daemon running all the time for incoming policy download requests. This daemon communicates with the FortiClient PC to process user authentication, policy lookup, and delivery. After the policy is sent out, the daemon closes the SSL connection, and you can start up the VPN tunnel from the FortiClient side.
Note: For VPNs with automatic configuration, only preshared keys are supported. Certificates are not supported.

On the FortiClient side, you only need to create a VPN name and specify the IP address of the FortiGate gateway.

To add a VPN with automatic configuration on the FortiClient PC
1 Go to VPN > Connections.
2 Select Add.
3 In the New Connection dialog box, enter a connection name.
4 For Configuration, select Automatic.
5 For Policy Server, enter the IP address or FQDN of the FortiGate gateway.
6 Select OK.

Configuring the FortiGate gateway
On the FortiGate side, you must do the following to configure the FortiGate gateway to work as a VPN policy server:
1 Add the FortiClient users to a user group for authentication. When the FortiClient users try to connect to the FortiGate gateway to download the VPN policies, they are challenged for user names and passwords. See “Configuring FortiGate user authentication” on page 18.
2 Create a dialup VPN. See “Configuring the FortiGate VPN settings” on page 15.
3 Create a firewall policy for the dialup VPN. See “To add a firewall policy” on page 16.

Configuring FortiGate user authentication
The FortiGate units support user authentication to the FortiGate user database, a RADIUS server, and an LDAP server. You can add user names to the FortiGate user database and then add a password to allow the user to authenticate using the internal database. You can also use the RADIUS and LDAP servers to authenticate users. To enable authentication, you must add user names to one or more user groups. You can also add RADIUS servers and LDAP servers to user groups. You can then select a user group when you require authentication. For more information, see the user authentication chapter of FortiGate Administration Guide.

To add a FortiClient user to the FortiGate local user database
1 On the FortiGate web-based manager, go to User > Local.
2 Select Create New.
3 Enter a user name and a password.
4 Select OK.

To add a user to a group
1 Go to User > User Group.
2 Select Create New to add a new user group, or select the Edit icon to edit a configuration.
3 Enter a Group Name to identify the user group.
4 To add users to the user group, select a user from the Available Users list and select the right arrow to add the name to the Members list.
5 To add a RADIUS server to the user group, select a RADIUS server from the Available Users list and select the right arrow to add the RADIUS server to the Members list.
6 To add an LDAP server to the user group, select an LDAP server from the Available Users list and select the right arrow to add the LDAP server to the Members list.
7 To remove users, RADIUS servers, or LDAP servers from the user group, select a user, RADIUS server, or LDAP server from the Members list and select the left arrow to remove the name, RADIUS server, or LDAP server from the group.
8 Select a protection profile from the Protection Profiles list.
9 Select OK.

Testing the connection
After you configure both the FortiClient and FortiGate sides, you can test the VPN connection from your FortiClient PC.

To test the connection
1 Go to VPN > Connections.
2 Select the connection you want to test.
3 Select Test. A log window opens and begins to negotiate the VPN connection with the remote FortiGate unit. If the test is successful, the last line of the log will read “IKE daemon stopped”.

Note: For a VPN with automatic configuration, the FortiClient software downloads the VPN policy first. To test the VPN connection, the FortiClient software attempts to negotiate the VPN connection but does not actually open a VPN connection.

If the last line of the log reads “Next_time = x sec”, where x is an integer, the test was not successful. The FortiClient software is continuing to try to negotiate the connection. See “Troubleshooting” on page 28.
4 Select Close.

Figure 2: A successful connection test

Figure 3: A failed connection test

Connecting to the remote FortiGate network

After you set up a VPN connection, you can start or stop the connection as required.

See “Setting up a FortiClient-to-FortiGate VPN with automatic configuration” on page 17.

To connect to a remote FortiGate gateway
1 Go to VPN > Connections.
2 Select the connection you want to start.
3 Select Connect. The FortiClient software opens a log window and begins to negotiate a VPN connection with the remote FortiGate firewall. If the negotiation is successful and the connection is established, the last line of the log will read “Negotiation Succeeded!”
4 Select OK or wait for the log window to close automatically. If the last line of the log is “Negotiation failed! Please check log” and the log window does not close automatically, the connection attempt failed. Test the connection to verify the configuration.
5 To stop the connection, select Disconnect.

Configuring the advanced VPN settings

You can configure the detailed IKE, IPSec parameters, and other advanced VPN settings.

Configuring IKE and IPSec policies
FortiClient has two preconfigured IKE and IPSec policies:
• Use the Legacy policy for a VPN to a FortiGate unit running FortiOS v2.36, and for any Cisco gateways that only support legacy settings.
• Use the Default policy for a VPN to a FortiGate unit running FortiOS v2.50 or higher.

To modify the Legacy or Default policy settings
1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit a connection.
3 Select Advanced.
4 Under Policy, select Legacy or Default. The policy settings appear in the IKE and IPSec boxes. You can use the Legacy or Default policies. If you want to configure the detailed settings, continue with next step.
5 Under Policy, select Config.
6 In the Connection Detailed Settings dialog box, configure the settings in the following table. Select OK to save the settings. You can also select Legacy or Default to go back to the original legacy or default settings.

Figure 4: Editing the detailed configuration settings

Table 1: FortiClient IKE settings correspond to FortiGate phase 1 settings

IKE Proposals: Add or delete encryption and authentication algorithms. The proposal list is used in the IKE negotiation between the FortiClient software and the remote FortiGate unit. The FortiClient software will propose the algorithm combinations in order, starting at the top of the list. The remote FortiGate gateway must use the same proposals.

Mode: Select either Main or Aggressive. Main mode provides an additional security feature called identity protection which hides the identities of the VPN peers so that they cannot be discovered by passive eavesdroppers. Main mode requires the exchange of more messages than Aggressive mode. It is also difficult to use efficiently when a VPN peer uses its identity as part of the authentication process. When using aggressive mode, the VPN peers exchange identifying information in the clear.

DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
• When the VPN peers have static IP addresses and use aggressive mode, select a single matching DH group.
• When the VPN peers use aggressive mode in a dialup configuration, select up to three DH groups for the dialup server and select one DH group for the dialup user (client or gateway).
• When the VPN peers employ main mode, you can select multiple DH groups.

Key Life: Enter the number in seconds. The keylife is the amount of time in seconds before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. P1 proposal keylife can be from 120 to 172,800 seconds.

Local ID: If you are using peer IDs for authentication, enter the peer ID FortiClient will use to authenticate itself to the remote FortiGate gateway. If you are using certificates for authentication, you can enter the local ID, which is the distinguished name (DN) of the local certificate. Note there is no limit to how many FortiClient peers can use the same local ID.

Table 2: FortiClient IPSec settings correspond to FortiGate phase 2 settings

IPSec Proposals: Add or delete encryption and authentication algorithms. The remote FortiGate gateway must use the same proposals.

DH Group: Select one Diffie-Hellman group from DH group 1, 2, and 5. DH group 1 is least secure. DH group 5 is most secure. You cannot select multiple DH Groups. The remote FortiGate gateway must use the same DH Group settings.

Key Life: Select either Seconds or KBytes for the keylife, or select both. The keylife causes the IPSec key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 2147483648 kbytes.
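The limits in Tables 1 and 2 can be checked before a connection test is attempted. The following is an added example, not part of the FortiClient software or the original guide: the class and field names, the sample algorithm names and the sample policies are constructed, and negotiation is modelled simply as the first client proposal that the gateway also lists.

```python
"""Pre-flight check of an IKE/IPSec policy against Tables 1 and 2 (added example).
Class and field names, and the sample values at the bottom, are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Proposal = Tuple[str, str]          # (encryption algorithm, authentication algorithm)
DH_GROUPS = {1, 2, 5}               # the groups Tables 1 and 2 offer
P1_SECONDS = (120, 172800)          # P1 proposal keylife, seconds
P2_SECONDS = (120, 172800)          # P2 proposal keylife, seconds
P2_KBYTES = (5120, 2147483648)      # P2 proposal keylife, kbytes


@dataclass
class Phase1:
    proposals: List[Proposal]       # ordered, top of the list first
    mode: str                       # "main" or "aggressive"
    dh_groups: Set[int]
    keylife_s: int
    dialup_server: bool = False     # True only for the server side of a dialup VPN


@dataclass
class Phase2:
    proposals: List[Proposal]
    dh_group: int                   # Table 2 allows exactly one group
    keylife_s: Optional[int] = None
    keylife_kb: Optional[int] = None


def in_range(value: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= value <= bounds[1]


def check_phase1(p1: Phase1) -> List[str]:
    """Return the Table 1 rules that this IKE policy breaks."""
    issues = []
    if p1.mode not in ("main", "aggressive"):
        issues.append("mode must be main or aggressive")
    if not p1.dh_groups or not p1.dh_groups <= DH_GROUPS:
        issues.append("IKE DH groups must be chosen from 1, 2 and 5")
    if p1.mode == "aggressive":
        # Static peers and dialup users get one group; a dialup server up to three.
        limit = 3 if p1.dialup_server else 1
        if len(p1.dh_groups) > limit:
            issues.append(f"aggressive mode allows at most {limit} DH group(s) here")
    if not in_range(p1.keylife_s, P1_SECONDS):
        issues.append("P1 keylife must be 120 to 172800 seconds")
    return issues


def check_phase2(p2: Phase2) -> List[str]:
    """Return the Table 2 rules that this IPSec policy breaks."""
    issues = []
    if p2.dh_group not in DH_GROUPS:
        issues.append("IPSec DH group must be 1, 2 or 5")
    if p2.keylife_s is None and p2.keylife_kb is None:
        issues.append("P2 keylife needs Seconds, KBytes, or both")
    if p2.keylife_s is not None and not in_range(p2.keylife_s, P2_SECONDS):
        issues.append("P2 keylife must be 120 to 172800 seconds")
    if p2.keylife_kb is not None and not in_range(p2.keylife_kb, P2_KBYTES):
        issues.append("P2 keylife must be 5120 to 2147483648 kbytes")
    return issues


def first_common_proposal(client: List[Proposal],
                          gateway: List[Proposal]) -> Optional[Proposal]:
    """Walk the client's list from the top; return the first entry the gateway lists."""
    for proposal in client:
        if proposal in gateway:
            return proposal
    return None


def check_match(c1: Phase1, g1: Phase1, c2: Phase2, g2: Phase2) -> List[str]:
    """Compare client and gateway policies for proposal and DH group mismatches."""
    issues = []
    if first_common_proposal(c1.proposals, g1.proposals) is None:
        issues.append("no IKE proposal in common")
    if not c1.dh_groups & g1.dh_groups:
        issues.append("no IKE DH group in common")
    if first_common_proposal(c2.proposals, g2.proposals) is None:
        issues.append("no IPSec proposal in common")
    if c2.dh_group != g2.dh_group:
        issues.append(
            f"IPSec DH group differs (client {c2.dh_group}, gateway {g2.dh_group})")
    return issues


# Constructed sample: a static-IP client in aggressive mode and its gateway.
CLIENT_P1 = Phase1([("3DES", "MD5"), ("AES128", "SHA1")], "aggressive", {2, 5}, 28800)
GATEWAY_P1 = Phase1([("AES128", "SHA1")], "aggressive", {5}, 28800)
CLIENT_P2 = Phase2([("3DES", "MD5")], 5, keylife_s=60, keylife_kb=5120)
GATEWAY_P2 = Phase2([("AES128", "SHA1")], 2, keylife_s=1800)

if __name__ == "__main__":
    for line in (check_phase1(CLIENT_P1) + check_phase2(CLIENT_P2)
                 + check_match(CLIENT_P1, GATEWAY_P1, CLIENT_P2, GATEWAY_P2)):
        print(line)
```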

Table 3: FortiClient advanced VPN settings

Replay Detection: With replay detection, the FortiClient software checks the sequence number of every IPSec packet to see if it has been previously received. If the same packets exceed a specified sequence range, the FortiClient software discards them.

PFS: Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

NAT Traversal: Enable this option if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. If you enable NAT traversal, you can set the keepalive frequency. NAT traversal is enabled by default.

Keepalive Frequency: If NAT Traversal is selected, enter the Keepalive Frequency in seconds. The keepalive frequency specifies how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the IKE and IPSec keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Autokey Keep Alive: Enable this option to keep the VPN connection open even if no data is being transferred.

Dead Peer Detection: Enable this option to clean up dead VPN connections and establish new VPN connections.

Configuring Virtual IP address acquisition
The FortiClient software supports two methods for virtual IP address acquisition: dynamic host configuration protocol (DHCP) over IPSec and manual entry.

Select the DHCP over IPSec option to allow the DHCP server in the remote network to dynamically assign an IP address to your FortiClient computer after the VPN connection is established.

Select the Manually Set option to manually specify a virtual IP address for your FortiClient computer. You can specify the DNS and WINS server IP addresses of the remote network.

For information about how to configure the FortiGate gateway, see FortiGate Administration Guide and FortiGate VPN Guide.

Note: If you are connecting to a v2.50 FortiGate gateway, you cannot set the virtual IP address to be in the same subnet of the remote network, because the v2.50 FortiGate gateway does not support proxy ARP. If you are connecting to a v2.80 FortiGate gateway, consult your network administrator for a proper virtual IP address. This virtual IP address must be an actual address in the remote network.
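The sequence-number check described under Replay Detection in Table 3 can be pictured as a sliding window over recently seen sequence numbers. The following is an added example of that generic IPSec anti-replay scheme, not FortiClient's own code: the window size, the class and function names and the sample sequence are assumptions.

```python
"""Sliding-window replay check for IPSec sequence numbers (added example).
Window size, names and the sample stream are assumptions for illustration."""
from typing import Iterable, List, Tuple


class ReplayWindow:
    """Tracks which of the last `size` sequence numbers have been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> str:
        """Classify one packet and update the window.

        A real receiver updates the window only after the packet has passed
        its integrity check; that step is outside this sketch.
        """
        if seq <= 0:
            return "invalid"                  # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything older left the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too old"                  # outside the sequence range: discard
        if self.bitmap & (1 << offset):
            return "replay"                   # already received: discard
        self.bitmap |= 1 << offset            # late but new: accept and remember
        return "accept"


def classify(seqs: Iterable[int], size: int = 64) -> List[Tuple[int, str]]:
    """Run a stream of sequence numbers through a fresh window."""
    window = ReplayWindow(size)
    return [(seq, window.check(seq)) for seq in seqs]


# Constructed stream: in-order packets, a reordered one (4), two duplicates
# (3 and 9) and one packet that has fallen behind a 4-packet window (2).
SAMPLE = [1, 2, 3, 5, 4, 3, 9, 2, 9, 8]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE, size=4):
        print(seq, verdict)
```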

Figure 5: Configuring virtual IP address acquisition

To configure virtual IP address acquisition
1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit an existing connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Acquire virtual IP address.
5 Select Config.
6 Select Dynamic Host Configuration Protocol (DHCP) over IPSec or Manually Set. The default is DHCP.
7 If you select Manually Set, enter the IP address and subnet mask. Optionally specify the DNS and WINS server IP addresses.
8 Select OK.

Configuring eXtended authentication (XAuth)
If the remote FortiGate unit is configured as an XAuth server, it will require the FortiClient software to provide a user name and password when a VPN connection is attempted. The user name and password are defined by the XAuth server. They can be saved as part of an advanced VPN configuration, or they can be entered manually every time a connection is attempted.

For information about how to configure the XAuth server, see FortiGate Administration Guide and FortiGate VPN Guide.

Figure 6: Configuring eXtended authentication

To configure XAuth
1 Go to VPN > Connections.
2 Select Add to add a new connection, or select Edit to edit a connection.
3 Select Advanced.
4 In the Advanced Settings dialog box, select Config for eXtended Authentication.
5 In the Extended Authentication dialog box, do one of the following:
• If you want to enter the login user name and password for each VPN connection, select Prompt to login. When prompted to log in, you can select the password saving option so that you do not have to enter the password the next time you are prompted to log in.
• If you want to save the login user name and password, clear Prompt to login and enter the user name and password.
6 Select OK.

Monitoring VPN connections
Go to VPN > Monitor to view current VPN connection and traffic information.

Figure 7: VPN Monitor

For the current connection, you can view the following information.
Name: The name of the current VPN connection.
Local Gateway: The IP address of the local gateway (the FortiClient computer).
Remote: The IP address of the remote gateway (the FortiGate unit).
Time Out (sec): The remaining lifetime of the VPN connection.

For the incoming VPN traffic, you can view the following information.
Packets: The number of packets received.
Bytes: The number of bytes received.
Encryption: The encryption algorithm and key.
Authentication: The authentication algorithm and key.

For the outgoing VPN traffic, you can view the following information.
Packets: The number of packets sent.
Bytes: The number of bytes sent.
Encryption: The encryption algorithm and key.
Authentication: The authentication algorithm and key.

Viewing the traffic summary
The traffic summary displays a graph of the incoming and outgoing VPN traffic. The left column displays incoming traffic and the right column displays outgoing traffic. The total number of incoming and outgoing bytes transferred is also displayed.

Note: When traffic is transferred over an open VPN connection, the FortiClient system tray icon will change to a traffic summary graph. The red column indicates incoming traffic. The green column indicates outgoing traffic.

Exporting and importing VPN policy files
You can export a VPN policy file to your local or network computer as a backup of the VPN configuration settings. If required, you can import this file back to your local FortiClient PC or to other FortiClient PCs.

To export a VPN policy file
1 Go to VPN > Connections.
2 Select the connection for which you want to export the VPN policy file.
3 Select Export.
4 Select a file folder and enter a file name.
5 Select Save.

To import a VPN policy file
1 Select Import.
2 Locate the file and select Open.

Note: If the imported file has the same file name as an existing connection, it will overwrite the existing one.

Troubleshooting
Most connection failures are due to a configuration mismatch between the remote FortiGate unit and the FortiClient software.

The following are some tips to troubleshoot a VPN connection failure:
• PING the remote FortiGate firewall from the FortiClient computer to verify you have a working route between the two.
• Check the FortiClient software configuration. Some common FortiClient software configuration errors are listed in Table 4.
• Check the FortiGate firewall configuration. Some common FortiGate Antivirus Firewall configuration errors are listed in Table 5.

Table 4: Common FortiClient software configuration errors

Configuration Error: Wrong remote network information.
Correction: Check the IP addresses of the remote gateway and network.

Configuration Error: Wrong preshared key.
Correction: Reenter the preshared key.

Configuration Error: Wrong Aggressive Mode peer ID.
Correction: Reset to the correct Peer ID.

Configuration Error: Mismatched IKE or IPSec proposal combination in the proposal lists.
Correction: Make sure both the FortiClient software and the remote FortiGate gateway use the same proposals.

Configuration Error: Wrong or mismatched IKE or IPSec Diffie-Hellman group.
Correction: Make sure you select the correct DH group on both ends.

Configuration Error: No Perfect Forward Secrecy (PFS) when it is required.
Correction: Enable PFS.

Table 5: Common FortiGate Antivirus Firewall configuration errors

Configuration Error: Wrong direction of the encryption policy. For example, external-to-internal instead of internal-to-external.
Correction: Change the policy to internal-to-external.

Configuration Error: Wrong firewall policy source and destination addresses.
Correction: Reenter the source and destination address.

Configuration Error: Wrong order of the encryption policy in the firewall policy table.
Correction: The encryption policy must be placed above other non-encryption policies.

Starting up VPN before logging on to Windows
If you need to log on to a Windows domain through a VPN when you start up your Windows workstation, select the Start VPN before logging on to Windows option on the VPN > Connections page. The VPN tunnel will start up prior to Windows logon, so that you can be authenticated by the domain through the VPN tunnel.

Note: To use the VPN tunnel before you log on to a domain, you must activate a virtual adapter. Therefore, you must also use the virtual IP acquisition feature. See “Configuring Virtual IP address acquisition” on page 24.

Managing digital certificates
To use local or smartcard digital certificates, you need:
• a signed certificate,
• the certificate authority (CA) certificates for any CAs you are using,
• any applicable certificate revocation lists (CRLs).

Getting a signed local certificate
If you want to have a local certificate signed by the CA server and then import it into FortiClient, follow the steps below.

The FortiClient software can use a manual, file based enrollment method or the simple certificate enrollment protocol (SCEP) to get certificates. SCEP is simpler, but can only be used if the CA supports SCEP.

File-based enrollment requires copying and pasting text files from the local computer to the CA, and from the CA to the local computer. SCEP automates this process but CRLs must still be manually copied and pasted between the CA and the local computer.

Note: The digital certificates must comply with the X.509 standard.

General steps to get a signed local certificate
1 Generate the local certificate request. See “To generate a local certificate request” on page 30.
2 Export the local certificate request to a .csr file. See “To export the local certificate request” on page 31.
3 Send the signed local certificate request to a CA. See “To send the certificate request to a CA” on page 32.
4 Retrieve the signed certificate from a CA. See “To retrieve the signed local certificate from the CA” on page 32.
5 Import the signed local certificate into FortiClient. You can also back up the certificate by exporting it. See “To import the signed local certificate” on page 32 and “To export the signed local certificate” on page 32.

Figure 8: Generating a local certificate request

To generate a local certificate request
1 Go to VPN > My Certificates.
2 Select Generate.
3 Enter a Certificate Name.

4 Under subject information, select the ID Type for the subject. You can select from domain name, email address or IP address.
5 Enter the information for the ID type that you selected.
Domain name: If you selected domain name, enter the fully qualified domain name of the FortiClient computer being certified.
Email address: If you selected email address, enter the email address of the owner of the FortiClient computer being certified.
IP address: If you selected IP address, enter the IP address of the FortiClient computer being certified.
6 Optionally select Advanced and enter the advanced setting information.
Email: Enter a contact email address for the FortiClient computer user.
Department: Enter a name that identifies the department or unit within the organization requesting the certificate for the FortiClient computer (such as Manufacturing or MF).
Company: Enter the legal name of the organization requesting the certificate for the FortiClient computer.
City: Enter the name of the city or town where the FortiClient computer is located.
State/Province: Enter the name of the state or province where the FortiClient computer is located.
Country: Enter the name of the country where the FortiClient computer is located.
7 Select OK.
8 Select either File Based or Online SCEP as the enrollment method.
9 If you select Online SCEP as the enrollment method, select an issuer CA from the list provided or enter the URL of the CA server. If the FortiClient computer uses a proxy server, you must configure the proxy server settings before you can use online SCEP. See “Configuring proxy server settings” on page 12.
10 Select OK to generate the private and public key pair and the certificate request. The FortiClient software generates 1024-bit keys.
11 If you select file based enrollment, the private/public key pair is generated and the certificate request is displayed in the My Certificates list with the type of Request. Continue with “To export the local certificate request”.

The FortiClient software:
• submits the local certificate request,
• retrieves and imports the signed local certificate,
• retrieves and imports the CA certificate.
The signed local certificate is displayed on the Local Certificates list with the type of Certificate. The CA certificate is displayed on the CA Certificates list. The expiration dates of the certificates are listed in the Valid To column of each list. Continue with “Getting a CRL” on page 34.

To export the local certificate request
1 Go to VPN > My Certificates.
2 From the certificate list, select the local certificate to export.
3 Select Export.

4 Name the file and save it in a directory on the FortiClient computer.

After exporting the certificate request, you can submit it to the CA so that the CA can sign the certificate.

To send the certificate request to a CA
1 On the FortiClient computer, open the local certificate request using a text editor.
2 Connect to the CA web server.
3 Follow the CA web server instructions to:
• add a base64 encoded PKCS#10 certificate request to the CA web server,
• paste the certificate request to the CA web server,
• submit the certificate request to the CA web server.

To retrieve the signed local certificate from the CA
After you receive notification from the CA that it has signed the certificate request, connect to the CA web server and download the signed local certificate to the FortiClient computer.

To import the signed local certificate
1 Go to VPN > My Certificates.
2 Select Import.
3 Enter the path or browse to locate the signed local certificate on the FortiClient computer.
4 Select OK. The signed local certificate is displayed on the Local Certificates list with the type of Certificate showing in the certificate list. The expiration date of the certificate is listed in the Valid To column.

To export the signed local certificate
1 Go to VPN > My Certificates.
2 Select the certificate and select Export.
3 In the Save As dialog box, select the folder where you want to save the file.
4 Enter a file name.
5 Select either PKCS7 or PKCS12. If you select PKCS12, you must enter a password.
6 Select Save.

Getting a signed smartcard certificate
If you are using a USB token (smartcard) certificate for authentication, you must also have the certificate signed by the CA server and install the signed certificate on your token. The following procedures use a Windows 2000 Advanced Server as an example.

Note: Current FortiClient releases support the Aladdin eToken PRO series USB tokens.

General steps to get a signed smartcard certificate
1 Send the certificate request to the CA server. See “To send a certificate request” on page 33.
2 Install the signed certificate on the token. See “To install a certificate” on page 33.

To send a certificate request
1 Log on to the CA server, for example, http://<CA_server>/certsrv.
2 Select Request a certificate, then select Next.
3 Select Advanced request, then select Next.
4 Select Submit a certificate request to this CA using a form, then select Next.
5 In the request form:
• Enter the identifying information.
• For Intended Purpose, select Client Authentication Certificate.
• For CSP, select eToken Base Cryptographic Provider.
• Leave all other default settings.
6 Select Submit.
7 When prompted to enter the eToken password, enter the password. If you have not plugged the USB token into your computer’s USB port, you must do so now. Then the CA Web page displays that your certificate request has been received.

To install a certificate
1 Log on to the CA Server if the certificate has been signed.
2 Select Checking on a pending certificate, then select Next.
3 Select the certificate request, then select Next.
4 Select Install this certificate to install the certificate to the USB token.

Getting a CA certificate
For the FortiClient software and the FortiGate gateway to authenticate themselves to each other, they must both have a CA certificate from the same CA.

The FortiClient computer obtains the CA certificate to validate the digital certificate that it receives from the remote VPN peer. The remote VPN peer obtains the CA certificate to validate the digital certificate that it receives from the FortiClient computer.

Note: The CA certificate must comply with the X.509 standard.

To retrieve the CA certificate
1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CA certificate.

To import the CA certificate
1 Go to VPN > CA Certificates.
2 Select Import.

3 Enter the path or browse to locate the CA certificate on the FortiClient computer.
4 Select OK. The CA certificate is displayed on the CA Certificates list. The expiration date of the certificate is listed in the Valid To column.

Getting a CRL
A CRL is a list of CA certificate subscribers paired with digital certificate status. The list contains the revoked certificates and the reason(s) for revocation. It also records the certificate issue dates and the CAs that issued them.

The FortiClient software uses the CRL to ensure that the certificates belonging to the CA and the remote VPN peer are valid.

To retrieve the CRL
1 Connect to the CA web server.
2 Follow the CA web server instructions to download the CRL.

To import the CRL
1 Go to VPN > CRL.
2 Select Import.
3 Enter the path or browse to locate the CRL on the FortiClient computer.
4 Select OK. The CRL is displayed on the CRL list.

Antivirus
Using the FortiClient antivirus feature, you can protect your computer by regularly scanning the computer for viruses. The FortiClient software can also perform realtime virus protection and monitor Windows Registry changes.

Scanning for viruses
You can run a quick scan to detect the most malicious viruses and worms. You can also set up scan schedules and scan the files in a specified folder.

Depending on the option you choose on the Antivirus Settings tab, the FortiClient software does one of the following when it finds any viruses:
• Displays a virus alert message.
• Quarantines the virus-infected file.
• Cleans the virus-infected file.

For information about how to configure what happens when the FortiClient software finds a virus, see “Configuring antivirus settings” on page 36.

Figure 9: Scanning for viruses

To run a quick scan
1 Go to Antivirus > Scan.
2 Select Quick Scan. The Antivirus Scanning dialog box opens, displaying the scanning process and results.
3 To stop the scanning process, select Stop.
4 To view the detailed summary of the scanning process after the scan is finished, select View Result. The infected file list displays the names of any infected files.

To scan files in a specified directory
1 Under File System Scan, select Browse to locate the directory to scan.
2 Select Scan Now.

To manage scan schedules
1 To add a schedule, select Add.
2 In the New Schedule dialog box, set up a new schedule. You can set up daily, weekly, or one-time schedules. You can also specify which folder to scan.
3 To modify a schedule, select the schedule and then select Edit.
4 To delete a schedule, select the schedule, then select Delete.

Configuring antivirus settings
You can specify what types of files to scan and what to do when a virus is detected. You can also specify an SMTP server to use when submitting a quarantined file to Fortinet for analysis. For information on how to submit a quarantined file, see “Managing quarantined files” on page 40.

Figure 10: Configuring antivirus settings

The default antivirus settings are listed in Table 6.

Table 6: Default antivirus settings

Configuration Option: Setting
File types to scan: All files
Scan files with no extension: Enabled
What to do when a virus is found (manual scan): Clean
What to do when a virus is found (real-time protection): Deny access
Integrate with Windows shell: Enabled
Notify user the virus signature is out of date: Enabled

To configure the antivirus settings
1 Go to Antivirus > Settings.
2 Select the file types to be scanned.
3 Add or delete file types to be scanned for viruses. See “Selecting file types to scan or exclude” on page 38.
4 Select files, folders and file types to be excluded from virus scanning.
• To exclude a file or folder, click the Select file and folders button, then select Add to add the file or folder to the exemption list.
• To exclude a file type, click the Select file types button, then add the file types. For more information, see “Selecting file types to scan or exclude” on page 38.
5 Select what to do when a virus is found. You can select Alert, Quarantine, or Clean. Clean is selected by default.
If you select Alert, a message is displayed if a virus is detected during real-time file system monitoring.
If you select Quarantine, the FortiClient software moves the file to a quarantine directory.
If you select Clean, the FortiClient software attempts to remove the virus from the infected file.
Note: If FortiClient cannot clean an infected file, it quarantines the file automatically.
6 Configure the settings to submit viruses. See “Specifying an SMTP server for virus submission” on page 39.
7 Select Integrate with Windows shell if you want to add a FortiClient antivirus scanning menu command to the shortcut menu in Windows Explorer. See “Integrating FortiClient antivirus scanning with Windows shell” on page 39.
8 Optionally select the Notify user the virus signature is out of date option.
9 Optionally select Advanced Settings. On the Advanced Settings dialog box, you can:
• specify whether to scan the compressed files and the file size limit. The default size limit is 0, which means no limit.
• specify whether to scan grayware.

• enable heuristic scanning. FortiClient software uses heuristic techniques to scan files to find the unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection.

Selecting file types to scan or exclude
If you do not want the FortiClient software to scan all files for viruses, you can select file types from the default list of file types. You can add file types to or delete file types from the default file types list. You can also reset the file types list to defaults. You can create a list of file types to exclude from virus scanning.

Note: The exclusion list takes priority over the inclusion list. For example, if you select a file extension to scan, and also add the same file extension to the exclusion list, the files with this extension will not be scanned.

Figure 11: Adding a new file extension

To add a new file type to the file types or exclusion list
1 Go to Antivirus > Settings.
2 Under either File types to scan or Exclusion list, click Select file types.
3 Select New.
4 Type the file extension to add to the list. You can add file types with double extensions.
5 Select OK.

Note: Scanning files with no extension is enabled by default.

Specifying an SMTP server for virus submission
Instead of using the default mail server, you can specify an SMTP server to use when submitting the quarantined files.

To specify an SMTP server
1 Go to Antivirus > Settings.
2 Under Submit Virus, select Use this mail account to submit virus.
3 For SMTP server, enter the SMTP server that you use for outgoing email.
4 If the SMTP server needs authentication to log on, select Need authentication and enter the logon user name and password.
5 Select Apply.

Integrating FortiClient antivirus scanning with Windows shell
By integrating FortiClient antivirus scanning with Windows shell, you can use the FortiClient antivirus shortcut menu in Windows Explorer to scan the selected folders or files for viruses.

To integrate with Windows shell
1 Go to Antivirus > Settings.
2 Select Integrate with Windows Shell.
3 Select Apply.
In Windows Explorer, after you right-click on a folder/folders or file/files, you can select Scan with FortiClient Antivirus from the shortcut menu to scan the selected folder/folders or file/files.

Configuring real-time protection
Configure the real-time protection settings to specify what types of files to scan and exclude and what happens when a virus is detected during real-time system monitoring.

To configure real-time protection
1 Go to Antivirus > Real-time Protection.
2 Select the file types to be scanned.
3 Add or delete file types to be scanned for viruses. See “Selecting file types to scan or exclude” on page 38.
4 Select files, folders and file types to be excluded from virus scanning.
• To exclude a file or folder, click Select file and folders, then click Add to add the file or folder to the exemption list.
• To exclude a file type, see “Selecting file types to scan or exclude” on page 38.
5 Under What to do when a virus is found, select Deny Access, Quarantine or Clean.

Deny Access: You cannot open, run or modify the file until it is cleaned.
Quarantine: The file is moved to a quarantine directory.
Clean: The FortiClient agent attempts to remove the virus from the infected file. Clean is selected by default.
Note: If FortiClient cannot clean an infected file, it quarantines the file automatically.
6 Select or clear the following two options:
• Do not pop up alert message box in real-time scan.
• Do not pop up alert message box in registry monitor.
7 Select Advanced Settings to specify compressed file and grayware scanning.
8 Select Apply.

Configuring email scanning
FortiClient software can scan the incoming and outgoing emails and email attachments for viruses and worms.

Scanning emails for viruses
Go to Antivirus > Email to configure the FortiClient software to scan the incoming (POP3) and outgoing (SMTP) emails and attachments for viruses. You can also enable email scanning for Microsoft Outlook client (MAPI) if Outlook connects to a Microsoft Exchange server.

Scanning emails for worms
To prevent worms from spreading with emails, you can use FortiClient’s worm detection feature. Go to Antivirus > Email to enable worm detection.

Using Heuristics scanning
FortiClient software uses heuristic techniques to scan email attachments to find the unknown viruses and threats that have not yet been cataloged with signatures. Heuristics looks at characteristics of a file, such as size or architecture, as well as behaviors of its code to determine the likelihood of an infection. Go to Antivirus > Email to enable heuristics scanning.

Managing quarantined files
Quarantined files will remain in the quarantine directory until you delete them or restore them to their original location. Through the default mail server or the SMTP server you specify, you can submit the quarantined file to Fortinet for analysis. For information on how to specify an SMTP server, see “Specifying an SMTP server for virus submission” on page 39.

Caution: Quarantined files may still be infected. Check the status of a quarantined file before restoring.

To manage the quarantined files
1 Go to Antivirus > Quarantine.
2 From the list, select the file(s).
  • Select Restore to restore the file to its original location.
  • Select Delete to delete the file.
  • Select Submit to send the file to Fortinet.

Note: You can submit a maximum of three quarantined files a day.

Monitoring Windows startup list entries

Some viruses can modify existing Windows registry entries or insert new entries to cause malicious code to be executed when you start or log on to Windows. The FortiClient software can monitor the Windows startup list and detect unauthorized changes to the registry.

The startup list shows the Windows registry entries for any applications that are started as part of your Windows profile when you log on to Windows. The list includes applications that are displayed in the system tray. The list also includes any applications that are started transparently and are not displayed in the system tray.

The startup list is checked when the FortiClient software starts. The FortiClient software assumes the following registry changes are unauthorized if the changes were not made by an authorized user:
• adding, removing or modifying an application installation,
• changing an existing application’s configuration settings.

Entries are displayed in three lists:
• The Rejected entries list displays new, unauthorized startup entries.
• The Changed entries list displays previously existing entries that have changed since the last Windows startup.
• The Current startup list displays all current registry entries.
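The comparison behind the three lists can be reproduced by hand from two snapshots of a startup key. The following is an added example, not FortiClient code: it parses the text output of the Windows reg query command and sorts entries into rejected, changed and current. The Run key, the sample entries and the approved set are assumptions (the guide does not say which keys FortiClient watches), and the separate removed list is an addition of this example.

```python
import re

# A value line in `reg query` output: four-space indent, then the value name,
# the type and the data, each separated by four spaces.
_VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {(key, value_name): data} from the output of `reg query <key>`."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # a key header line
            key = line.strip()
            continue
        match = _VALUE_LINE.match(line)
        if match and key:
            entries[(key, match.group("name"))] = match.group("data").strip()
    return entries


def classify_startup(baseline, current, approved=frozenset()):
    """Compare the snapshot from the last startup with the current one.

    approved holds (key, value_name) pairs an administrator has accepted;
    it stands in for "changes made by an authorized user" (an assumption).
    """
    rejected = sorted(k for k in current if k not in baseline and k not in approved)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(k for k in baseline if k not in current)
    return {"rejected": rejected, "changed": changed,
            "removed": removed, "current": sorted(current)}


# Constructed sample snapshots (not taken from a real machine).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Tray Helper    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Updater    REG_SZ    C:\Program Files\Example\update.exe
    Sync Agent    REG_SZ    C:\Program Files\Example\sync.exe
"""
CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Tray Helper    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Updater    REG_SZ    C:\Users\Public\update.exe
    svchelper    REG_SZ    C:\Users\Public\svchelper.exe
"""

if __name__ == "__main__":
    before, after = parse_reg_query(BASELINE), parse_reg_query(CURRENT)
    result = classify_startup(before, after)
    for key in result["rejected"]:
        print("REJECTED", key[1], "->", after[key])
    for key in result["changed"]:
        print("CHANGED ", key[1], ":", before[key], "->", after[key])
    for key in result["removed"]:
        print("REMOVED ", key[1])
```

An entry whose command line moved to a user-writable directory, as Updater does in the sample, is the kind of change to investigate before restoring or accepting it.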

Figure 12: Registry Monitor

To view Windows startup list entries
1 Go to Antivirus > Registry Monitor.
2 Under What to view, select Rejected entries, Changed entries or Current startup list.
3 Optionally select Refresh to refresh the startup list entries to view recently added, changed or rejected registry entries.

Restoring changed or rejected startup list entries

Changed or rejected entries can be restored.

Caution: If you are unsure what application an entry is for, do not restore the startup list entry.

To restore a changed or rejected startup list entry
1 Go to Antivirus > Registry Monitor.
2 Under What to view, select Changed entries or Rejected entries.
3 Select the entry you want to restore.
4 Select Restore.

Firewall

Using the FortiClient firewall feature, you can protect your computer by using the following FortiClient firewall features:
• Application level network access control. You can specify the applications that can access the network and be accessed by the network.
• Network security zone. The network is categorized into three zones: Public Zone, Trusted Zone, and Blocked Zone. For zone information, see “Configuring network security zones” on page 45.
• Intrusion detection. FortiClient firewall can detect and block the common network attacks.
• Advanced firewall rules. You can create specific rules to control the traffic based on source addresses, destination addresses, protocols, or time frames.

For inbound traffic, the advanced firewall rules will be applied first, then the application control rules. For outbound traffic, only application level control rules are applied. The advanced firewall rules do not have effect. For the traffic related to system process, such as NetBIOS, the traffic is only accepted when it is allowed by both advanced rules and zone security settings.

Selecting a firewall mode

By default, FortiClient firewall runs in Normal mode to protect your system. You can go to Firewall > Status to select a different firewall mode (protection level). FortiClient firewall has the following running modes:

  Deny all: Blocks all the incoming and outgoing traffic.
  Normal: You can select from the three protection profiles. See “Selecting a firewall profile” on page 43.
  Pass all: No firewall protection.

Selecting a firewall profile

If you select the Normal firewall mode on Firewall > Status, you can select from the following firewall protection profiles:

  Basic home use: Allows all outgoing traffic and denies all incoming traffic. Select this profile if your PC is a standalone home computer and not connected to other networks or PCs.
  Basic business: Allows all outgoing traffic, allows all incoming traffic from the trusted zone, and denies all incoming traffic from the public zone.
  Custom profile: This is the default profile. The Custom profile allows you to configure the application level permissions, network zone permissions, and advanced firewall filtering rules. See “Configuring application access permissions” on page 44, “Configuring network security zones” on page 45, and “Configuring advanced firewall rules” on page 47.

Viewing traffic information

You can configure the FortiClient software to display the following network traffic information:

Figure 13: Firewall status

  Inbound traffic: Number of incoming network packets.
  Outbound traffic: Number of outgoing network packets.
  Blocked network packets: Network packets that are blocked by the firewall.
  Blocked application request: Number of blocked requests from outside to access your local applications and vice versa.
  Current connections: Number of current connections between your system and the network.

To view the traffic information
1 Go to Firewall > Status.
2 Select the traffic type you want to view. The information displays in the graphical monitor.
3 Select View Connections to view the current active connections, listening ports, PID, and other detailed information.
4 By default, whenever FortiClient firewall blocks network traffic, a notification pops up at the FortiClient system tray icon area. To disable the blocked traffic notification, select the Disable taskbar notification for blocked network traffic option.

Configuring application access permissions

You can specify the applications that can access the network and be accessed by the network. To do this, you assign the applications access permissions. Three levels of access permissions are available:

  Allow: Allows application access request without asking.
  Ask: Prompts to ask your permission for the incoming or outgoing access requests.
  Block: Blocks all access requests.

Note: When an application that is not listed in the access control list attempts network access, you are asked whether to allow it.

By default, FortiClient allows the legitimate Windows system applications to access the network. These applications are displayed in the application control list. You can modify or delete the permission levels of these applications.

To add an application to the access control list
1 Go to Firewall > Applications.
2 Select Add.
3 In the Add New Application dialog box, enter or browse to the application path.
4 Select permission levels for the public zone and trusted zone.
  Note: Permission levels for the public zone can only be lower than or equal to those for the trusted zone.
5 Select OK.

Configuring network security zones

FortiClient firewall protects your system by categorizing the network systems into three zones.

Figure 14: Network security zones

Public Zone

By default, FortiClient firewall treats IP addresses in the public zone with the highest security level. You can also customize the security levels. See “Customizing security settings” on page 46.

Trusted Zone

By default, FortiClient firewall treats IP addresses in the trusted zone with medium-level security settings. For information about security level settings, see “Customizing security settings” on page 46.

Blocked Zone

All traffic to and from IP addresses in the blocked zone is not allowed.

FortiClient firewall prioritizes the zones in the order of blocked zone, trusted zone, and public zone. This means:
• If an IP address is listed in all of the three zones, it will be blocked.
• If it is listed in both the trusted and public zones, it will be trusted.
• If it is not listed in any of the three zones, it will be public.

Adding IP addresses to zones

You can add a subnet, an IP range, or an individual IP address to the network zones. You can also edit or delete the existing IP entries.

To add IP addresses
1 Go to Firewall > Network.
2 Select Add.
3 In the IP Address dialog box, select a zone and enter the IP addresses.
4 Optionally, enter a description.
5 Select OK.

Customizing security settings

For the public and trusted zones, you can use the default high, medium, or low level security settings. You can also customize these default settings.

  High: By default, incoming connections are allowed only if there are listening ports for these connections.
  Medium: By default, most of the connections are allowed unless you customize the settings. Note that the default medium security level settings for public and trusted zones are different:
    • For public zone, the incoming ICMP and NetBIOS packets are blocked.
    • For trusted zone, these packets are allowed.
  Low: Packet level rule is disabled and application level control is on.

To customize the security settings
1 Go to Firewall > Network.
2 For Public Zone Security Level or Trusted Zone Security Level, move the slider to High or Medium.
  Note: Low level security disables packet level rules and you cannot customize the Low level settings.
  Note: The security level for the public zone can only be higher than or equal to that for the trusted zone.
3 Select Settings.

4 If you select High level, modify the following settings and select OK.

  Allow ICMP in: Allows incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.
  Allow NetBIOS in: Allows incoming NetBIOS traffic. By default, this option is not selected.
  Allow NetBIOS out: Allows outgoing NetBIOS traffic. By default, this option is not selected.
  Allow other inbound traffic coming from this zone: This option is selected by default.

5 If you select Medium level, modify the following settings and select OK.

  Block ICMP in: Blocks incoming ICMP (Internet Control Message Protocol) traffic. By default, this option is not selected.
  Block NetBIOS in: Blocks incoming NetBIOS traffic. By default, this option is not selected.
  Block NetBIOS out: Blocks outgoing NetBIOS traffic. By default, this option is not selected.
  Block other inbound traffic coming from this zone: This option is not selected by default.

Configuring intrusion detection

FortiClient software can detect and block some common network attacks using the hard-coded signatures. Because the signatures are hardcoded into the program, to get the latest signatures, you must install the latest FortiClient build.

Go to Firewall > Intrusion Detection to view the IP addresses where the detected attacks originate. You can move the IP addresses to the blocked zone by selecting the Move to blocked zone button, so that the traffic from these IP addresses will be blocked.

If any of the IP addresses can be trusted, you can move the IP address to the trusted IP list by selecting the Trust this IP button, so that FortiClient will not detect traffic from this IP address any more. You can also remove an IP from the Trusted IP list by selecting the Don’t trust this IP button.

Configuring advanced firewall rules

Apart from application access control, network zone security, and intrusion detection, FortiClient firewall protects your computer with another layer of security: advanced firewall rules.

The firewall rules allow or block network traffic according to the following three types of filtering criteria you specify:
• Source and destination addresses can be your own computer, one of the two zones (Public Zone and Trusted Zone), a single IP address, a range of IP addresses, a subnet, or an address group. For information about adding an address group, see “Managing groups” on page 48.
• Network protocols can be TCP, UDP, or TCP/UDP.
• Day and Time ranges can be applied to a rule to restrict access based on the day of the week and the time of day.

The advanced firewall rules take precedence over the zone security settings. For example, if a rule blocks the traffic to the Trusted Zone, the traffic will be blocked.

To create a firewall rule
1 Go to Firewall > Advanced.
2 Select Add.
3 In the Add Rule dialog box, enter the following information and select OK.

  Name: Enter a name for the rule.
  Description: Optionally, enter a short description.
  State: Either Enable or Disable the rule.
  Action: Either Allow or Block the traffic.
  Source: Apply the rule to the traffic that originates from the source address and terminates at your computer. Select Add to add the source address. For information about adding an address group, see “Managing groups” on page 48.
  Destination: Apply the rule to the traffic that originates from my computer and terminates at the destination address. Select Add to add the destination address. For information about adding an address group, see “Managing groups” on page 48.
  Protocol: Select Add to add a protocol to the rule. While specifying the protocol in the Add Protocol dialog box, you can also specify the destination and source ports.
  Time: Select Add to add a day/time range when the rule should be executed. In the Add Time dialog box, specify a description, time range and one or more days. Time range is specified using a 24 hour clock.

Note: You can use any combination of the filtering criteria.

Managing groups

To simplify management, you can combine the source addresses, destination address, protocols, and time schedules into groups and use the groups when creating rules.

To create a group
1 Go to Firewall > Advanced.
2 Select Groups.
3 Select Address Group, Protocol Group, or Time Group.
4 Select Add.
5 Enter a name and description.
6 Select Add.
7 For an address group, enter the subnet, IP range, or IP address. For a protocol group, specify the protocol and port number. For a time group, specify the day and time range.
8 Select OK.
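The zone priority described under “Configuring network security zones” and the statement that advanced rules take precedence over the zone security settings can be modelled in a few lines. The following is an added example, not FortiClient code: it places a remote address in a zone, then lets a rule with a protocol, port and day/time window override the zone. The "first-last" range notation, first-match rule ordering, treating the blocked zone as absolute, IPv4-only handling and all sample addresses and rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ZONE_PRIORITY = ("blocked", "trusted", "public")  # priority order stated in the guide


def parse_entry(text):
    """Turn a subnet, a first-last range or a single address into (low, high)."""
    text = text.strip()
    if "-" in text:  # range notation "first-last" is an assumption of this example
        low, high = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if low > high:
            raise ValueError(f"range is reversed: {text}")
        return low, high
    net = ipaddress.IPv4Network(text, strict=False)  # a bare address becomes a /32
    return net.network_address, net.broadcast_address


def build_zones(raw):
    """raw: {"blocked": [...], "trusted": [...], "public": [...]} of entry strings."""
    return {zone: [parse_entry(e) for e in raw.get(zone, [])] for zone in ZONE_PRIORITY}


def zone_of(ip, zones):
    """Highest-priority zone listing the address; unlisted addresses are public."""
    addr = ipaddress.IPv4Address(ip)
    for zone in ZONE_PRIORITY:
        if any(low <= addr <= high for low, high in zones[zone]):
            return zone
    return "public"


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    remote: str = "any"                    # "trusted", "public", an entry string, or "any"
    protocol: str = "any"                  # "tcp", "udp", "tcp/udp" or "any"
    port: Optional[int] = None             # None matches every port
    days: frozenset = frozenset(range(7))  # Monday is 0
    start: str = "00:00"                   # 24-hour clock, same-day window only
    end: str = "24:00"
    enabled: bool = True

    def matches(self, ip, zone, protocol, port, when):
        if not self.enabled:
            return False
        if self.remote in ("trusted", "public"):
            if self.remote != zone:
                return False
        elif self.remote != "any":
            low, high = parse_entry(self.remote)
            if not low <= ipaddress.IPv4Address(ip) <= high:
                return False
        if self.protocol != "any" and protocol not in self.protocol.split("/"):
            return False
        if self.port is not None and self.port != port:
            return False
        if when.weekday() not in self.days:
            return False
        return self.start <= when.strftime("%H:%M") < self.end


def decide(ip, protocol, port, when, zones, rules):
    """Return (verdict, reason); verdict is "allow", "block" or "zone-settings"."""
    zone = zone_of(ip, zones)
    if zone == "blocked":      # all traffic to and from this zone is refused
        return "block", "zone:blocked"
    for rule in rules:         # first match wins (assumed; the guide gives no order)
        if rule.matches(ip, zone, protocol, port, when):
            return rule.action, f"rule:{rule.name}"
    return "zone-settings", f"zone:{zone}"  # no rule matched: the zone's level decides


# Constructed sample data (documentation address ranges, not from the guide).
ZONES = build_zones({
    "blocked": ["203.0.113.0/24"],
    "trusted": ["192.168.1.0/24", "203.0.113.10"],
    "public": ["192.168.1.1-192.168.1.50", "203.0.113.0-203.0.113.255"],
})
RULES = [Rule("no-netbios-office-hours", "block", remote="trusted", protocol="tcp",
              port=139, days=frozenset(range(5)), start="09:00", end="17:00")]

if __name__ == "__main__":
    monday = datetime(2005, 10, 17, 10, 30)
    for ip in ("203.0.113.10", "192.168.1.20", "198.51.100.7"):
        print(ip, zone_of(ip, ZONES), decide(ip, "tcp", 139, monday, ZONES, RULES))
```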

Web Filter

You can use the FortiClient web filtering feature to control web access according to the rules you specify. FortiClient software uses the FortiGuard-web filtering service to help you control the web URL access.

FortiGuard-Web is a managed web filtering solution provided by Fortinet. FortiGuard-Web sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. Your FortiClient PC accesses the nearest FortiGuard-Web Service Point server to determine the category of a requested web page. Then the FortiClient software decides either to allow or block the web page according to the categories you specify.

In addition to the control of web category access, FortiClient also allows you to specify URLs to block or bypass.

Setting the administration password

You must set a password to prevent users from modifying the web filter settings, shutting down the program, or uninstalling the program.

To set the password
1 Go to WebFilter > WebFilter.
2 Select Change Password.
3 Enter a password and select OK.

Configuring the web filter settings

FortiGuard-Web includes over 60 million individual ratings of web sites applying to hundreds of millions of pages. Pages are sorted and rated into 56 categories and these categories are divided into eight larger groups for easy management.

FortiClient comes with three predefined profiles to allow or block different combinations of the web categories. For instance, you can use the FortiClient predefined web access profile for children to prevent your children from accessing the unhealthy web sites.

  Default: Default web filter settings, which are the same as those of the Child profile.
  Child: Blocks the categories that are not suitable for children.
  Adult: Only blocks the security violating web sites.

Figure 15: Web filter settings

To configure the web filter settings
1 Go to WebFilter > WebFilter.
2 Select Modify Settings.
3 Enter the password if you already set one.
4 In the WebFilter Settings dialog box, select Enable webfilter.
5 Select a profile from the Current profile list. You can modify the category list if required.
6 To cancel the modifications and use the default settings instead, select Default Values.
7 Select OK.

Specifying URLs to block or bypass

You can specify the exact URLs to block. You can also specify the URLs to bypass the block category.

To specify URLs to block or bypass
1 Go to WebFilter > WebFilter.
2 Select Modify Settings.
3 In the Web Filter Settings dialog box, select Settings.
4 In the Block or bypass specific url dialog box, select Add.

5 In the Set url permission dialog box, enter the URL. In the URL box, you can enter:
  • complete URLs,
  • IP addresses,
  • partial URLs,
  • file types, such as *.swf to block all flash animations, and *.jpg to block all jpeg files,
  • wildcard characters (* and ?) in URLs.
  You do not need to specify http:// or https:// as part of the URL.
6 Select Block or Bypass.
7 Select OK.

Update

You can use the Update feature to update the AV definition and AV engine. You can view the current AV definition and AV engine version information on the Update page.

Each copy of the FortiClient software has a unique identifier called UID. It is displayed at the upper right corner of the Update page. Whenever FortiClient sends out an update request, it also sends out the ID number. If you encounter any update problem, Fortinet technical support can use this number to pinpoint the problem.

Updating FortiClient

Updates can be run manually or scheduled to run automatically on a daily basis. If the FortiClient computer uses a proxy server, you can specify the proxy server settings so that the FortiClient software can get updates through the proxy server. See “Configuring proxy server settings” on page 12.

Note: The default update server is forticlient.fortinet.com. If you want to use a different server, select the Use this server to update option and enter the URL of the update server.

To initiate immediate updates
1 Go to Update.
2 Select Update Now. Under Update Status, you can view the update process and results.

To schedule updates
1 Under Update Schedule, select the check update option and enter the time.
2 Select Apply.

To manually update the software and antivirus signatures
1 Download the FortiClient update package file (.pkg file) to the FortiClient computer.
2 Go to Update and select Manual Update.

3 In the Open dialog box, locate the update package file and select Open.

Logs

Use the FortiClient logging feature to configure logging of different types of events for any or all of the FortiClient services.

Configuring log settings

You can specify the log level, log type, log size, and log entry lifetime.

Figure 16: Configuring log file settings

To configure log settings
1 Go to Logs > Settings.
2 Enter the Maximum Log Size. The default is 5120 KB. Log entries are overwritten, starting with the oldest, when the maximum log file size is reached.
3 Enter the Maximum Life Time. The default is 0 days. These log file entries are deleted once they reach the specified maximum life time. A maximum life time of 0 days means log entries are kept until the maximum log size is reached.
  Note: If the log file reaches either the specified maximum file size or the specified maximum life time, whichever comes first, the oldest log entries will be deleted.

4 Select the Log Level. You can select Error, Warning or Information. The default is Warning.
5 Select what to log. You can select either All events or Check to select. If you choose Check to select, specify the types of events to log.
6 Select Apply.

Managing log files

The log viewer can display logs of all events or only the events associated with a specific service. You can view, save, clear, or refresh the log entries.

To manage the log messages
1 Go to Logs > Logview.
2 From the dropdown list, select the log entry type you want to view. The most recent log entries are displayed at the top of the list.
3 Use the log navigation buttons to move between log entries or to move to the top or bottom of the log file. Optionally select a specific log entry from the log window to view the complete log entry information.
4 To save the log messages, select Export.
5 To delete all the log messages, select Clear All.
6 To display the most recent log messages, select Refresh.

Using the FortiClient system tray icon menus

Many of the frequently used FortiClient features are available from the system tray icon menus.

Figure 17: FortiClient system tray icon menus

  Open FortiClient Console: Opens the management console so that you can configure the settings and use the services.
  FortiClient Help: Opens the online help.
  VPN: If you have already added VPN tunnels, you can start or stop the VPN connections by selecting or deselecting the connection names. See “Connecting to the remote FortiGate network” on page 20.
  Enable/Disable Realtime AV Protection: For details, see “Configuring real-time protection” on page 39.
  Enable/Disable Startup Registry Monitor: For details, see “Monitoring Windows startup list entries” on page 41.
  Firewall: You can select Deny All, Normal, or Pass All. See “Selecting a firewall mode” on page 43.
  Enable/Disable WebFilter: For details, see “Web Filter” on page 49.
  Shutdown FortiClient: Stops all FortiClient services and closes FortiClient console.

Frequently asked questions

This chapter lists some of the most frequently asked questions. For many questions, you can also find answers in other chapters of this user guide.

1 Is it possible to evaluate FortiClient?
  Yes. Please contact Fortinet Technical Support. See http://support.fortinet.com.

2 What languages does FortiClient support?
  English and simplified Chinese.

3 Does FortiClient support Windows XP SP2?
  FortiClient v1.2 MR1 and newer versions support it.

4 Does FortiClient support proxy server?
  Yes. Go to the General > Connection page to configure the settings.

5 Does FortiClient work over any dialup Internet connection?
  FortiClient only supports the native Windows dialup client. If your ISP requires third-party dialup software, FortiClient may not support it.

6 Does FortiClient support DHCP over IPSec?
  FortiClient supports this feature. Please note that the remote gateway should also be configured to support it.

7 When manually setting a virtual IP for FortiClient, can I use an IP address that is in the same subnet as the remote network?
  If FortiClient connects to a v2.50 FortiGate unit, the manually set IP address must be on a different subnet. If FortiClient connects to a v2.80 FortiGate unit, the IP address can either be on the same subnet as the remote network, or on a different subnet. For example, if the remote network is 192.168.1.0, you can use 192.168.1.1 as the virtual IP address for FortiClient.

8 Does FortiClient support DDNS?
  FortiClient v1.2 and newer versions support Dynamic DNS names.

9 Why is automatic update not available?
  You may be using an evaluation version. Otherwise, check the update settings and the network connection.

10 Can I install FortiClient together with other antivirus software?
  No. Two antivirus programs may conflict with each other. FortiClient tries to detect if there is any conflict. When conflict is detected, FortiClient turns off its realtime protection to avoid system lockup.

11 Why does my computer’s performance become very slow when I open a folder with many ZIP files in it?
  FortiClient tries to open each zip file to scan for viruses. If you have a lot of zip files, you can turn off the compressed file scanning or lower the compressed file size limit to scan by selecting Advanced Settings on the Antivirus > Realtime Protection page.

12 Why am I unable to access other subnets after installing FortiClient?
  FortiClient firewall categorizes IP addresses into three zones:
  • Trusted Zone. Network sharing (NetBIOS) is allowed in this zone. By default, only your own subnet belongs to this zone.
  • Public Zone. Network sharing is not allowed in this zone.
  • Blocked Zone. All traffic to and from this zone is blocked.
  Therefore, you must add the networks you want to access to the Trusted Zone. To do this, go to the Firewall > Network page.

13 Can FortiClient firewall co-exist with other firewalls?
  If more than one firewall is installed and enabled on one PC, there may be some conflicts. Please use one firewall at a time.

14 Are all the applications blocked for outgoing and incoming connection requests by default?
  No. There is a predefined safe list that FortiClient does not block. For instance, the Windows system programs. You can configure the application permissions by going to the Firewall > Applications page.

15 Can the network attack signatures be updated?
  No. The attack signatures are hard-coded into the program. To get the latest signatures, you should install the latest FortiClient builds.
