FortiClient & FortiClient EMS 7.4 New Features Guide


New Features Guide

FortiClient & FortiClient EMS 7.4


FORTINET DOCUMENT LIBRARY
[Link]

FORTINET VIDEO LIBRARY
[Link]

FORTINET BLOG
[Link]

CUSTOMER SERVICE & SUPPORT
[Link]

FORTINET TRAINING & CERTIFICATION PROGRAM
[Link]

FORTINET TRAINING INSTITUTE
[Link]

FORTIGUARD LABS
[Link]

END USER LICENSE AGREEMENT
[Link]

FEEDBACK
Email: techdoc@[Link]

September 16, 2025


FortiClient & FortiClient EMS 7.4 New Features Guide
04-740-1010608-20250916
TABLE OF CONTENTS
Overview 5
ZTNA 6
Endpoint: Fabric Agent 6
JWT support for ZTNA UID and tag sharing 6
Transparent FortiClient upgrade 8
Zero Trust tag renamed to security posture tag 10
Support security posture rules based on CrowdStrike ZTA score 7.4.1 11
FortiTray icons for On-Fabric and VPN connection status 7.4.1 13
Sending email events from the Microsoft Exchange server 7.4.1 17
Support ZTNA destinations over UDP 7.4.1 17
ZTNA automatic login using Microsoft Entra ID 7.4.3 19
FortiPAM agent for macOS 7.4.3 25
FortiAnalyzer Cloud configuration improvements 7.4.3 27
Video Filter support for macOS and Linux 7.4.3 28
FSSOMA connectivity status 7.4.4 28
FortiDeceptor integration 7.4.4 31
FortiData integration 7.4.4 35
Endpoint: Remote Access 43
IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1 43
Configure IPsec IKEv2 on multiple protocols 7.4.1 62
IKEv2 session resumption 7.4.1 64
EAP-TTLS support for IPsec VPN 7.4.3 66
Support LB IPsec VPN gateways with a single FQDN 7.4.3 68
Security posture tag enforcement during VPN connection 7.4.3 75
Dual IPsec VPN tunnel support 7.4.4 76
LDAP support for IPsec IKEv2 VPN 7.4.4 85
FortiClient EMS 95
ZTNA 95
MDM integration support for EMS HA, FortiClient Cloud, and multitenancy 95
ZTNA application catalog 7.4.1 96
FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications 7.4.1 97
Security posture tags enhancements 7.4.3 101
Upload custom certificate and private key for ZTNA 7.4.3 103
Removing support for legacy SKUs 105
FortiClient (Linux) installer creation support 106
Linux-based EMS model 111
Support for access key for Fortinet Security Fabric devices to connect to FortiClient Cloud 112
On-fabric detection based on destination address 7.4.1 113
Auto upgrade EMS to latest patch release 7.4.1 114
FortiClient hotfix deployment via EMS 7.4.1 114
Deploying EMS as a VM image 7.4.1 117
FortiClient GUI enhancement 7.4.1 120

Keyboard navigation 121
Create connectors with OAuth 2.0 token-based authentication 7.4.1 121
Assign AD and local Windows server groups to roles 7.4.1 124
FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 127
Example 1 127
Example 2 130
Support forensic analysis reports on macOS endpoints 7.4.1 132
Add support for ManageEngine MDM 7.4.1 133
Preparing for on-premise ManageEngine instances 133
Preparing for cloud ManageEngine instances 134
Enrolling the device and deploying FortiClient 134
EMS VM image 7.4.1 137
Consolidated endpoint events 7.4.3 142
Installing EMS with separate time series ES DB 7.4.3 144
Syncing remote categories from imported FortiOS or FortiManager Web Filter profile 7.4.3 145
Vulnerability detection popup 7.4.3 150
EMS automatic upgrade improvements 7.4.3 151
Add FortiAnalyzer Cloud entitlement for FortiClient Cloud SKUs 7.4.3 153
EMS VM image support for Hyper-V and VirtualBox 7.4.3 154
Post-installation setup wizard 7.4.3 158
On-demand forensic artifact collection with forensic engine 7.4.4 161
RADIUS server authentication for administrators 7.4.4 165
EMS VM CLI enhancements 7.4.4 167
Endpoint health check 7.4.4 169
EMS upgrade notification improvement 7.4.4 170
Custom invitation email template for on-premise EMS 7.4.4 171
FortiClient and EMS upgrade and compatibility matrix signature 7.4.4 173
Support FortiClient ARM installer creation and deployment 7.4.4 176
Firmware maturity levels 7.4.4 177
Index 179
7.4.0 179
ZTNA 179
FortiClient EMS 179
7.4.1 180
ZTNA 180
FortiClient EMS 180
7.4.3 181
ZTNA 181
FortiClient EMS 181
7.4.4 181
ZTNA 181
FortiClient EMS 182
Other 182
Change log 183

Overview
This guide provides details of new features introduced in FortiClient & FortiClient EMS 7.4. For each feature,
the guide provides detailed information on configuration, requirements, and limitations, as applicable. The
guide organizes features into the following sections:
- ZTNA on page 6
- Endpoint: Fabric Agent on page 6
- Endpoint: Remote Access on page 43
- FortiClient EMS on page 95
- ZTNA on page 95
For features introduced in 7.4.1 and later versions, the version number is found at the end of the topic
heading. For example, was introduced in 7.4.1. If a topic heading has no version number at the end, the
feature was introduced in 7.4.0.
For a list of all features organized by the version number that they were introduced, see Index on page 179.

ZTNA

Endpoint: Fabric Agent

JWT support for ZTNA UID and tag sharing


As an enhancement to security posture tag sharing in the Fortinet Security Fabric connection between
EMS and FortiOS, EMS now also sends security posture tags to FortiClient in JSON web token (JWT) format.
You can install JWTs on endpoints. A browser on an endpoint can use JWTs to share endpoint identity and
tags with FortiOS directly. This feature makes security posture tag sharing more resilient, resulting in a
more fault-tolerant zero trust network access (ZTNA) connection between the endpoint and ZTNA server.
This feature makes it possible for endpoints to access remote resources via the ZTNA server in the event of
EMS, FortiClient, and FortiOS network loss or connection interruption.
Prior to the addition of JWT support, in the event of connection loss between FortiClient and EMS or a
Fabric connection issue between EMS and FortiOS, legitimate endpoints could not access remote resources
via a ZTNA server.
This feature has the following limitations:
- Endpoint default gateway must be the ZTNA server.
- The FortiGate only receives tokens on physical interfaces.
- ZTNA server configuration only uses TCP forwarding.

To configure JWT support for ZTNA UID and tag sharing:

1. Configure the feature in EMS:


a. Configure EMS Settings:
i. Go to System Settings > EMS Settings.
ii. Click Enable ZTNA token.
iii. In the ZTNA token timeout field, enter the JWT expiry time in minutes. The minimum and default
value is 60 minutes. When the expiry time is reached, EMS generates a new JWT and sends it
to endpoints. Configure other fields as desired, then save.


b. Go to Endpoint Profiles > ZTNA Destinations.


c. Create a new profile or edit an existing one.
d. Enable Destinations.
e. Add a remote resource and ZTNA server address to the profile. Configure other fields as desired,
then save.
f. Go to Administration > Fabric Devices.
g. Confirm that EMS has authorized the FortiGate which acts as the ZTNA server. This FortiGate must
also be the default gateway for endpoints that use the JWT.
h. Go to Security Posture Tags > Security Posture Tagging Rules.
i. Configure tags and tagging rules as desired. The JWT and FortiGate ZTNA server use these tags to
allow traffic to remote resources if the ZTNA policy matches with the tags. For example, you could
create a security posture tagging rule that tags endpoints as win10 if they have Windows 10
installed.
2. In FortiOS, go to Policy & Objects > Proxy Policy.
3. Create a new policy or edit an existing one.
4. For Type, select ZTNA.
5. Under Security Posture Tag, select the tags that you configured in EMS.


6. Configure other fields as desired, then click OK.

7. After FortiClient receives the profile changes from EMS, in FortiClient, go to the ZTNA Destination tab to
view the ZTNA destination received from EMS.
8. To ensure EMS successfully pushed the generated JWT to FortiClient, in Registry Editor, view
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ESNAC\ztna_token.
9. To verify that FortiClient maintains ZTNA connection with the ZTNA server to access remote resources
in the event of EMS network connection loss or Fabric connection interruption, disable EMS interfaces
to simulate the network connection loss. Confirm that FortiClient can still access a remote resource via
the ZTNA server, for example an SSH server that runs in a different subnet.
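The token EMS pushes to the endpoint (the ztna_token value checked in step 8) is a standard compact JWT with an expiry derived from the ZTNA token timeout. The following helper, added here as an illustration and not Fortinet code, decodes such a token, verifies its signature and reports whether it has expired; the HS256 algorithm, the shared key and the claim names "uid", "tags", "iat" and "exp" are assumptions for the demo, since the guide does not document EMS's signing algorithm or claim layout.

```python
"""Inspect a ZTNA JWT of the kind EMS pushes to endpoints.

Added example, not Fortinet code. The guide states that EMS issues the token
with an expiry (the ZTNA token timeout, minimum and default 60 minutes) and
generates a new one when it is reached. This helper decodes a compact JWT,
verifies an HS256 signature against a shared key, and reports whether the
token is expired. Assumptions: HS256 and the claim names "uid", "tags",
"iat" and "exp" are placeholders chosen for the demo; the guide does not
document EMS's signing algorithm or claim layout.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    """Base64url without padding, as JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Restore the padding a JWT segment drops, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key):
    """Constructed issuer used only to build sample input for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token, key, now=None):
    """Decode a compact JWT and report signature validity and expiry.

    The signature is only accepted for alg HS256; a header of alg "none" or
    any other value is reported as unverified rather than trusted. A token
    without an exp claim is treated as expired, since the guide's renewal
    logic depends on that expiry.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))

    signature_ok = False
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(),
                            hashlib.sha256).digest()
        signature_ok = hmac.compare_digest(expected, b64url_decode(parts[2]))

    exp = claims.get("exp")
    expired = exp is None or now >= exp
    return {
        "alg": header.get("alg"),
        "signature_ok": signature_ok,
        "expired": expired,
        "seconds_left": 0 if expired else int(exp - now),
        "uid": claims.get("uid"),
        "tags": claims.get("tags", []),
    }


if __name__ == "__main__":
    # Constructed sample: a token issued at a fixed time with the guide's
    # default 60-minute lifetime and the example "win10" tag.
    demo_key = b"constructed-demo-key"
    issued = 1_700_000_000
    sample = make_token({"uid": "ENDPOINT-UID-PLACEHOLDER", "tags": ["win10"],
                         "iat": issued, "exp": issued + 60 * 60}, demo_key)
    print(inspect_token(sample, demo_key, now=issued + 30 * 60))
```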

Transparent FortiClient upgrade


You can now upgrade FortiClient to the latest version without needing a system reboot if there are no
changes in the driver version. This improvement ensures a smoother upgrade process, reducing
interruptions and allowing users to continue their work without unnecessary reboots.
If drivers are removed or added due to disabling or enabling features in the deployment package, FortiClient
still requires a system reboot.

To deploy FortiClient upgrade:

1. In EMS, go to Deployment & Installers > FortiClient Installer.


2. Click Add.
3. Create a deployment package for FortiClient 7.4.0 with auto registration enabled.

4. Go to Deployment & Installers > Manage Deployment.


5. Create a deployment configuration.
6. From the Deployment Package dropdown list, select the FortiClient 7.4.0 deployment package.
7. Enable Reboot When Needed.
8. Configure other fields as desired, then click Save.
9. On a FortiClient registered to EMS, after the profile updates synchronize, FortiClient displays a
notification that an upgrade is available.

The endpoint details page in EMS shows that the deployment process has started on the endpoint. On
the endpoint, a FortiTray icon displays for the upgrade. Click it to open the FortiClient Setup dialog. Click
OK to start the upgrade at the scheduled time.


You can monitor the upgrade process in the FortiClient Setup dialog. The FortiClient upgrade succeeds
without requiring a system reboot in this case because the upgraded version's driver versions are the
same as the previous version's. FortiClient autoconnects to EMS after the upgrade and shows the latest
version on the About tab. The endpoint details page in EMS shows that deployment is complete on that
endpoint.

Zero Trust tag renamed to security posture tag


In FortiClient & FortiClient EMS 7.4.0, "Zero Trust tags" have been renamed to "security posture tags". This
change reflects that these tags are not exclusively used for the zero trust network access (ZTNA) use case.
You can use these tags for grouping and classifying endpoints for various use cases, including IP or MAC
address-based access control on FortiOS, ZTNA proxy posture check, and other Fortinet Security Fabric
devices doing network access control.
The use of "Zero Trust tags" has been updated to use "security posture tags" across the FortiClient &
FortiClient EMS GUIs. The following screenshots show some examples of where the changes have been
made.
On the FortiClient avatar page, Security Posture Tags replaces Zero Trust Tags.


In EMS, Security Posture Tags, Security Posture Tagging Rules, and Security Posture Tag Monitor replace Zero
Trust Tags, Zero Trust Tagging Rules, and Zero Trust Tag Monitor on the left pane. The top navigation pane
and category name are also updated to use Security Posture instead of Zero Trust.

Support security posture rules based on CrowdStrike ZTA score 7.4.1

The CrowdStrike agent performs a zero trust assessment (ZTA) and stores the result on the host. This
information is directly available to other software that runs on the host, such as FortiClient. The
ZTA generates a score between 1 to 100. You can create a security posture tagging rule to tag endpoints
based on their ZTA score.

To create the ZTA tagging rule:

1. In EMS, go to Security Posture Tags > Tagging Rules.


2. Click Add.
3. In the Tag Endpoint As field, enter the desired name. This example uses a tag named crowd_equalto_75.
4. Click Add Rule.
5. For OS, select Windows.
6. From the Rule Type dropdown list, select CrowdStrike ZTA Score.


7. In the CrowdStrike ZTA Score field, you can configure comparative operators =, >, <, >=, and <=. For
example, you can configure a tagging rule for endpoints that have a ZTA score equal to or greater than
75. In this example, the rule tags endpoints that have a ZTA score equal to 75.
8. Click Save.
9. Configure other fields as desired, then click Save.

To verify the rule configuration:

1. On an endpoint with a ZTA score of 75, click the FortiClient user avatar. For Security Posture Tags, the
crowd_equalto_75 tag displays.


2. In EMS, you can verify the tagged endpoint in Security Posture Tags > Tag Monitor and Security Posture
Tags in the endpoint summary in Endpoints.

3. If EMS is part of a Fortinet Security Fabric with a FortiGate, verify that FortiOS displays the tags in Policy
& Objects > ZTNA > Security Posture Tags > Security Posture IP Tag.
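The comparison the tagging rule performs is straightforward, but how several rules combine, and what happens to an endpoint with no readable score, is worth seeing end to end. The evaluator that follows is an added example (not EMS code) that applies rules built from the same operators the rule editor offers to a set of constructed endpoint scores; the rule and endpoint data are sample values.

```python
"""Evaluate CrowdStrike ZTA score tagging rules as this guide describes them.

Added example, not EMS code. An EMS rule of type CrowdStrike ZTA Score
compares the score the CrowdStrike agent stores on the host (1 to 100) with
a threshold using =, >, <, >= or <=, and tags the endpoint when the
comparison holds. Rule and endpoint data here are constructed samples.
"""
import operator

# Comparative operators the EMS rule editor offers for the ZTA score field.
OPERATORS = {
    "=": operator.eq,
    ">": operator.gt,
    "<": operator.lt,
    ">=": operator.ge,
    "<=": operator.le,
}

# Constructed rules as (tag, operator, threshold); the first one mirrors the
# guide's crowd_equalto_75 example.
SAMPLE_RULES = [
    ("crowd_equalto_75", "=", 75),
    ("crowd_ge_75", ">=", 75),
    ("crowd_below_50", "<", 50),
]

# Constructed endpoint scores; None models a host where the agent is absent
# or the stored score could not be read.
SAMPLE_ENDPOINTS = {
    "win10-a": 75,
    "win10-b": 40,
    "win10-c": None,
    "win10-d": 90,
}


def validate_rules(rules):
    """Reject unknown operators and thresholds outside the 1..100 score range."""
    for tag, op, threshold in rules:
        if op not in OPERATORS:
            raise ValueError(f"rule {tag}: unsupported operator {op!r}")
        if not 1 <= threshold <= 100:
            raise ValueError(f"rule {tag}: threshold {threshold} outside 1..100")


def tags_for_score(rules, score):
    """Return the sorted tags whose comparison holds for one endpoint's score.

    A missing score never matches: a rule cannot assert anything about a
    host that has no assessment, so such an endpoint receives no tag.
    """
    if score is None:
        return []
    if not 1 <= score <= 100:
        raise ValueError(f"ZTA score {score} outside 1..100")
    return sorted(tag for tag, op, threshold in rules
                  if OPERATORS[op](score, threshold))


def evaluate_rules(rules, endpoints):
    """Map each endpoint name to the tags it receives under the given rules."""
    validate_rules(rules)
    return {host: tags_for_score(rules, score) for host, score in endpoints.items()}


if __name__ == "__main__":
    for host, tags in evaluate_rules(SAMPLE_RULES, SAMPLE_ENDPOINTS).items():
        print(f"{host}: {', '.join(tags) or '(no tags)'}")
```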

FortiTray icons for On-Fabric and VPN connection status 7.4.1

FortiTray, visible in the Windows System Tray, now shows different icons to represent FortiClient's On-
Fabric and VPN connection status. Likewise, hovering over the tray icon will display a message that
describes the current status.


To review the connection status in FortiTray:

a. In the endpoint, connect to FortiClient EMS and ensure it is reachable through both Wi-Fi and Ethernet.
b. In FortiClient EMS, create an On-Fabric Detection Rule and assign it to the configured profile.

c. Review the status:


- If the endpoint is connected to the network through Ethernet alone, the Status should display Off-fabric
and the FortiTray logo will have a gray icon. Hovering over the icon will display an off-fabric message.


- If the endpoint is connected to the network through Wi-Fi alone, the Status should display On-fabric
and the FortiTray logo will have a green icon. Hovering over the icon will display an on-fabric message.


Connecting to a VPN tunnel will then result in an orange icon and an updated status message.

If FortiClient disconnects from the VPN tunnel and attempts to reestablish the connection, the icon
will display arrows.


Sending email events from the Microsoft Exchange server 7.4.1

FortiClient can be configured to send email events from a Microsoft Exchange server. These events can
contain metadata such as the email sender, email recipient, date/time, subject, size, IP address, and so on.
A SOAR or SIEM can use this metadata to correlate with security events.

To send email events from the Microsoft Exchange server to FortiAnalyzer:

1. In FortiClient EMS, edit the XML settings to enable send_ms_exch_events and define the interval.

2. Set the following registry value to TRUE:

Path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_DBLOG
Value name: send_exch_events
Value: TRUE

3. Configure the Exchange server.


4. In FortiAnalyzer, verify that the Exchange server event was transmitted from FortiClient in Log View >
Fabric using the filter Host OS Family=MS Exchange.

Support ZTNA destinations over UDP 7.4.1

ZTNA destinations are now supported over UDP. Previously ZTNA destinations only supported TCP.


Although FortiClient supports ZTNA over UDP, whether a given connection uses it also depends on
whether the individual application is using UDP to transfer its network traffic at that time.

To configure a ZTNA destination over UDP:

1. On the FortiGate, configure H3 support:

config firewall vip
    edit "ZTNA-Server"
        set type access-proxy
        set server-type https
        set extip [Link]
        set h3-support enable
        set extintf "port1"
        set extport 8445
        set ssl-certificate "Fortinet_Factory"
    next
end

2. In FortiClient EMS, go to Fabric & Connectors > ZTNA Applications Catalog.


3. Locate the ZTNA applications synchronized from the FortiGate configuration as a result of establishing
telemetry connections between the FortiGate and FortiClient EMS.
4. Switch to Gateway View.
5. Configure the FQDN for the ZTNA proxy gateway.
6. Add the ZTNA destination from the FortiClient EMS endpoint:
a. Go to ZTNA Destinations.
b. Add a ZTNA destination that supports ZTNA over UDP.
c. Click Save.
d. Go to the XML tab and set the <enable_udp> tag to 1 under the ZTNA rule that was added:

<?xml version="1.0" ?>
<forticlient_configuration>
    <ztna>
        <enabled>1</enabled>
        <notify_on_error>1</notify_on_error>
        <portals_enabled>1</portals_enabled>
        <web_proxy_rules>
            <web_proxy_rule>
                <gateway>[Link]</gateway>
                <gateway_ip>[Link]:8445</gateway_ip>
            </web_proxy_rule>
        </web_proxy_rules>
        <gateways_enabled>1</gateways_enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <rules>
            <rule uid="00000000">
                <name>[Link]/[Link]</name>
                <enable_udp>1</enable_udp>
                <type>private</type>
                <app_uid>00000000</app_uid>
                <allow_all_gateways>1</allow_all_gateways>
                <mask>[Link]</mask>
                <encryption>0</encryption>
                <mode>transparent</mode>
                <destination>[Link]</destination>
                <gateway>[Link]</gateway>
                <redirect>0</redirect>
                <gateway_ip>[Link]</gateway_ip>
                <has_web_apps>True</has_web_apps>
            </rule>

ZTNA automatic login using Microsoft Entra ID 7.4.3

When a user is logged in to an Entra ID domain on an endpoint then attempts to access zero trust network
access (ZTNA) TCP-forwarding traffic, FortiClient automatically authenticates with the FortiGate using
Entra ID credentials. This simplifies the user experience by eliminating the need for manual authentication.
This feature requires FortiOS 7.6.1 or a later version.
The following instructions assume that you have configured a FortiClient enterprise application in the Entra
ID portal.


In this example, the application has the following values, which you configure in the FortiClient
ZTNA Destinations profile:

Entra ID portal field | Corresponding FortiClient XML profile element | Value
Application (client) ID | <client_id> | b87f1f1b...
Directory (tenant) ID | <tenant_name> | f1a72219...

To configure ZTNA automatic login using Entra ID:

1. In FortiOS, run the following commands to configure support for this feature. Lines bolded in the CLI
sample highlight key commands to support this feature:

config user external-identity-provider
    edit "eip1"
        set type ms-graph
        set version v1.0
    next
end
config user group
    edit "Autologon"
        set member "eip1"
    next
end
config authentication scheme
    edit "Autologon"
        set method entra-sso
        set external-idp "eip1"
    next
end
config authentication rule
    edit "Auth"
        set srcintf "port1"
        set srcaddr "all"
        set ip-based disable
        set sso-auth-method "Autologon"
        set web-auth-cookie enable
    next
end

2. In EMS, configure support for this feature:


a. Go to Endpoint Profiles > ZTNA Destinations.
b. Create a new profile or edit an existing one.
c. Click XML, then click Edit.
d. Configure the profile as follows. Configure <client_id> and <tenant_name> with the Application
(client) ID and Directory (tenant) ID values for the enterprise application in the Entra ID portal. Lines
bolded in the XML sample highlight key fields to support this feature:


<forticlient_configuration>
    <ztna>
        <enabled>1</enabled>
        <notify_on_error>1</notify_on_error>
        <portals_enabled>1</portals_enabled>
        <web_proxy_rules>
            <web_proxy_rule>
                <gateway>[Link]:8445</gateway>
                <gateway_ip>[Link]:8445</gateway_ip>
            </web_proxy_rule>
        </web_proxy_rules>
        <azure_auto_login>
            <enabled>1</enabled>
            <azure_app>
                <client_id>b87f1f1b...</client_id>
                <tenant_name>f1a72219...</tenant_name>
            </azure_app>
        </azure_auto_login>
        <gateways_enabled>1</gateways_enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <rules>
            <rule uid="3BDCA7D2-75EE-404F-8322-1FECFAF85109">
                <name>[Link]</name>
                <enable_udp>0</enable_udp>
                <type>private</type>
                <app_uid>6ea31259-617a-59b5-16e5-74a61f8cd31a</app_uid>
                <allow_all_gateways>1</allow_all_gateways>
                <mask/>
                <encryption>0</encryption>
                <mode>transparent</mode>
                <destination>[Link]</destination>
                <gateway>[Link]</gateway>
                <redirect>0</redirect>
                <gateway_ip>[Link]</gateway_ip>
            </rule>
        </rules>
        <disabled_rules/>
    </ztna>
</forticlient_configuration>

3. Connect the endpoint to the Entra ID domain:


a. Go to Settings > Access work or school > Join this device to Microsoft Entra ID.
b. Log in with your Entra ID credentials.


c. Confirm that the endpoint connected successfully.


4. Log out, then log in to Windows using the Entra ID credentials.

5. Connect FortiClient to EMS.


6. Click the avatar. In the Domain field, confirm that the endpoint is joined to Entra ID (previously known as
Azure Active Directory).
7. Go to the ZTNA Destination tab to confirm that FortiClient received the desired ZTNA Destinations
profile from EMS.
8. Attempt to access a ZTNA destination. In this example, the user attempts to access an SSH TCP
forwarding destination. The user can access the protected resource without authentication since
FortiClient automatically authenticated with the FortiGate using the provided Entra ID credentials.
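Both the UDP procedure and the Entra ID procedure come down to editing specific elements of the same ZTNA Destinations XML profile (<enable_udp> under a rule, and <client_id> and <tenant_name> under <azure_auto_login>). The script that follows is an added example, not Fortinet code: it parses a profile laid out as in the guide, reports each rule's UDP setting, flips <enable_udp> for a named rule, and flags an enabled <azure_auto_login> block whose identifiers are empty. The sample XML and every host name, address and ID in it are constructed placeholders.

```python
"""Check and adjust a FortiClient ZTNA Destinations XML profile.

Added example (not Fortinet code). It parses the <forticlient_configuration>
layout shown in this guide, reports each ZTNA rule's UDP and gateway settings,
flips <enable_udp> for a named rule, and checks that <azure_auto_login> has
both <client_id> and <tenant_name> when enabled. Sample XML and values are
constructed placeholders, not values from any real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile, modelled on the guide's XML examples.
SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <web_proxy_rules>
      <web_proxy_rule>
        <gateway>ztna.example.test:8445</gateway>
        <gateway_ip>192.0.2.10:8445</gateway_ip>
      </web_proxy_rule>
    </web_proxy_rules>
    <azure_auto_login>
      <enabled>1</enabled>
      <azure_app>
        <client_id>00000000-0000-0000-0000-000000000001</client_id>
        <tenant_name></tenant_name>
      </azure_app>
    </azure_auto_login>
    <rules>
      <rule uid="00000000">
        <name>ssh-server</name>
        <enable_udp>0</enable_udp>
        <type>private</type>
        <mode>transparent</mode>
        <destination>10.0.0.5:22</destination>
        <gateway>ztna.example.test</gateway>
        <gateway_ip>192.0.2.10:8445</gateway_ip>
      </rule>
      <rule uid="00000001">
        <name>dns-server</name>
        <enable_udp>1</enable_udp>
        <type>private</type>
        <mode>transparent</mode>
        <destination>10.0.0.53:53</destination>
        <gateway>ztna.example.test</gateway>
        <gateway_ip>192.0.2.10:8445</gateway_ip>
      </rule>
    </rules>
  </ztna>
</forticlient_configuration>
"""


def _text(elem, tag, default=""):
    """Text of a child element, stripped; default when the child is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else default


def list_rules(profile_xml):
    """Return [(name, udp_enabled, destination, gateway)] for every ZTNA rule."""
    root = ET.fromstring(profile_xml)
    rules = []
    for rule in root.iterfind("./ztna/rules/rule"):
        rules.append((_text(rule, "name"),
                      _text(rule, "enable_udp") == "1",
                      _text(rule, "destination"),
                      _text(rule, "gateway")))
    return rules


def set_udp(profile_xml, rule_name, enabled):
    """Return a new profile string with <enable_udp> set for the named rule.

    Raises KeyError if the rule does not exist, so a typo in the rule name
    cannot silently leave the profile unchanged.
    """
    root = ET.fromstring(profile_xml)
    for rule in root.iterfind("./ztna/rules/rule"):
        if _text(rule, "name") == rule_name:
            udp = rule.find("enable_udp")
            if udp is None:                      # rule written without the tag
                udp = ET.SubElement(rule, "enable_udp")
            udp.text = "1" if enabled else "0"
            return ET.tostring(root, encoding="unicode")
    raise KeyError(rule_name)


def azure_auto_login_problems(profile_xml):
    """List what is missing for Entra ID automatic login; [] means OK.

    Only checked when <azure_auto_login><enabled> is 1; a disabled block
    is not a misconfiguration.
    """
    root = ET.fromstring(profile_xml)
    block = root.find("./ztna/azure_auto_login")
    if block is None or _text(block, "enabled") != "1":
        return []
    app = block.find("azure_app")
    return [f"azure_app/{field} is empty" for field in ("client_id", "tenant_name")
            if app is None or not _text(app, field)]


if __name__ == "__main__":
    for name, udp, dest, gw in list_rules(SAMPLE_PROFILE):
        print(f"{name:12} udp={udp!s:5} {dest} via {gw}")
    print(azure_auto_login_problems(SAMPLE_PROFILE))
```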

FortiPAM agent for macOS 7.4.3

FortiClient (macOS) supports privileged access management (PAM). FortiClient (macOS) supports the
following features for PAM:
- Communicating with the FortiPAM server
- Communicating and forwarding messages to a FortiPAM browser extension
- Running local programs
- Recording videos of running programs
- Recording user keystrokes and mouse events
- Creating zero trust network access channels with the FortiPAM server
- Uploading all data to the FortiPAM server

To configure FortiPAM agent for macOS:

1. On a macOS endpoint, install FortiClient with the FortiPAM feature enabled.


2. After installation, open Activity Monitor and confirm that the fortipam process is present, which indicates
that the FortiPAM feature installed successfully.
3. In EMS, configure FortiPAM settings:
a. Go to Endpoint Profiles > System Settings.
b. Create a new profile or edit an existing one.
c. Enable Privileged Access Agent.
d. In the Port field, enter the same port that is configured in FortiPAM in System > Settings > Advanced
> Client Port.

e. Save.
4. In FortiPAM, create a secret as Creating a secret describes.
5. Launch the secret as Launching a secret describes. The example launches an RDP secret, using
Microsoft Remote Desktop for macOS. This example assumes that Windows App is installed on the
macOS device.

6. Go to Monitoring > Active Sessions to monitor the user's connection.

7. Go to Log & Report > Secret to view secret logs and video.

FortiAnalyzer Cloud configuration improvements 7.4.3

FortiClient Cloud has been enhanced to connect to FortiCloud to retrieve FortiAnalyzer Cloud SNI
information (account ID) and automatically populate it in endpoint log settings if the EMS administrator's
FortiCloud account has a FortiAnalyzer Cloud entitlement. You simply need to enable Auto-config FAZ Cloud
in Endpoint Profiles > System Settings > Log for EMS to automatically populate the FortiAnalyzer Cloud
connection information in the IP Address/Hostname field. You do not need to manually enter the SNI or
account ID as this process occurs automatically in the background.
This document assumes that you have obtained a FortiClient Cloud contract that includes FortiAnalyzer
Cloud.

To confirm that EMS automatically configures FortiAnalyzer Cloud as a logging destination:

1. Log in to FortiCloud.
2. In Asset Management, go to Products > Product List.
3. Select your FortiClient Cloud instance.
4. Confirm that the Entitlement widget lists FortiAnalyzer Cloud.
5. Go to Services > Cloud Management > FortiClient EMS Cloud to access your FortiClient Cloud GUI.
6. Go to Fabric & Connectors > Fabric Connectors. This page displays the FortiAnalyzer Cloud instance. It
may take a few minutes for the FortiAnalyzer Cloud instance to come online.

7. Go to Endpoint Profiles > System Settings.


8. Create a new profile or edit an existing one.
9. EMS automatically populates the FortiAnalyzer Cloud connection information in Log > Upload Logs to
FortiAnalyzer/FortiManager > IP Address/Hostname. You can click Change, then Auto-config FAZ Cloud,
to populate the default FortiAnalyzer Cloud link in the field. Save.

Video Filter support for macOS and Linux 7.4.3

FortiClient (macOS) and (Linux) add support for Video Filter. See Web and Video Filter.

FSSOMA connectivity status 7.4.4

A new status icon for the FortiClient single sign-on mobility agent (FSSOMA) connection has been added
under the FSSOMA configuration area in FortiClient Settings. This addition allows users to easily check the
FSSOMA connection status, aiding in troubleshooting FSSOMA on endpoints.
The FSSOMA connection statuses are as follows:

Status | Indicates that FSSOMA is... | Color
Disconnected | Not configured | Gray
Unreachable | Configured but unable to connect to FortiAuthenticator due to a firewall block, incorrect IP address, port number, or improper resolution of the FortiAuthenticator FQDN. FortiClient also shows this status when the endpoint is logged in as a non-domain user. | Red
Connected | Configured, successfully connects to FortiAuthenticator, and the endpoint is logged in as a domain user. | Green

The following shows Settings when FSSOMA is not configured:

The following shows Settings when FSSOMA is configured but unable to connect to FortiAuthenticator:

The following shows Settings when FSSOMA is configured and functioning:

FortiDeceptor integration 7.4.4

FortiDeceptor can connect to EMS, leveraging EMS capabilities to push deception tokens to
FortiClient endpoints more efficiently without requiring mobile device management or group policy objects.
The following summarizes the workflow for this integration:
1. Configure a Fortinet Security Fabric connector for FortiDeceptor in EMS. This leverages the same Fabric
connection that FortiGate uses. See Configuring a Fabric connector for FortiDeceptor in EMS: on page
32.
2. Import a campaign profile from FortiDeceptor to EMS. See Importing a FortiDeceptor campaign profile to
EMS on page 32.
3. Apply the profile to the desired endpoint policy. See Applying the profile to the desired endpoint policy
on page 33.
4. After FortiClient receives the profile update, it downloads and installs the FortiDeception token. The
token deploys lure services across various locations on the endpoint to attract potential attackers. If an
attacker triggers the lure, FortiClient generates an incident report and sends it to the FortiDeceptor. If
you enabled quarantine integration, the endpoint is automatically quarantined. You can remove the
endpoint from quarantine using EMS or FortiDeceptor. See FortiDeceptor integration on FortiClient and
EMS on page 33.
This feature supports FortiClient (Windows) and (Linux).

Configuring a Fabric connector for FortiDeceptor in EMS


To configure a Fabric connector for FortiDeceptor in EMS:

1. Enable the FortiDeceptor integration feature in EMS:


a. Go to System Settings > Feature Select.
b. Enable FortiDeceptor (Beta).
c. Click Save.
2. Go to Fabric & Connectors > Fabric Devices.
3. Under OAuth 2.0 Fabric Connectors, click Add.
4. From the Connector Type dropdown list, select FortiDeceptor.
5. Configure the fields as applicable for your FortiDeceptor. You can generate the REST API key on
FortiDeceptor in Account > REST API > Generate. Click Test.
6. After verifying the connection, on the Admin Settings tab, configure the fields as desired. For Role, the
EMS admin role selected defines which EMS APIs (and therefore, features) that the Fabric device
connector can access. For example, a Fabric connector that is configured with the Standard
administrator role can access EMS APIs for endpoint and policy permissions and has read-only
permissions to settings permissions. Click Finish.
7. The Client Credentials dialog displays the client ID and secret, which are required to configure
quarantine integration. Copy these values and save them in a secure location. The client secret is not
visible once you close this dialog. Click Close.
8. Click Yes to confirm closing the dialog. The Fabric connection successfully establishes and displays in
the OAuth 2.0 Fabric Connectors list. Status updates when quarantine integration is enabled on
FortiDeceptor. Otherwise, it displays as N/A.

Importing a FortiDeceptor campaign profile to EMS


To import a FortiDeceptor campaign profile to EMS:

1. Go to Endpoint Profiles > FortiDeceptor Campaign.


2. Click Import Profile from FortiDeceptor.
3. From the dropdown list, select the desired FortiDeceptor. Click Next.
4. Select the desired FortiDeception token. Click Next.

5. Configure the synchronization mode as desired:

Option | Description
One Time Pull | FortiClient EMS does not automatically sync profile changes from the FortiGate or FortiManager. You can manually sync profile changes after importing the profile.
Group Schedule | Configure a group synchronization schedule for all selected profiles. Select the next date and time to automatically update the profiles, and the profile update interval in days, hours, or seconds.
Individual Schedule | Configure an individual synchronization schedule for each selected profile. Select the next date and time to automatically update each profile, and the profile update interval in days, hours, or seconds.

6. Click Import. The FortiDeceptor campaign profile displays in the campaign list.

Applying the profile to the desired endpoint policy


To apply the profile to the desired endpoint policy:

1. Go to Endpoint Policy & Components > Manage Policies.
2. Edit the desired existing policy or create a new one.
3. In the Profile > FDC dropdown list, select the imported profile.
4. Configure other fields as desired, then click Save.

FortiDeceptor integration on FortiClient and EMS


After FortiClient receives the policy change from EMS, FortiClient retrieves the FortiDeception token from
EMS and installs it on the endpoint. When viewing the endpoint in EMS, the Status > FortiDeceptor Campaign
Deployment field displays the current status of the token, which progresses from Pending to Notified to
Deployed.

In Endpoints, you can filter endpoints by their FortiDeceptor campaign deployment status.
After FortiClient installs the token, it strategically distributes lures across various locations on the endpoint.
For example, an RDP lure is placed in the Documents folder. Linux supports a limited set of lure types.
Possible locations may include the following:

Lure type           OS support       Description
AWS                 Windows          Specify where to create the lure file, aws_access_test22222222222222222_key.JSON, in FortiDeceptor.
Azure               Windows          Specify where to create the lure file, azure_access.JSON, in FortiDeceptor.
Cached credentials  Windows          Multiple [Link] and [Link] processes are created and visible in Task Manager.
HoneyDoc            Windows          Specify where to create the lure file in FortiDeceptor.
ODBC                Windows          Added to the User Data sources list and can be viewed using the ODBC Data Source Administrator (32-bit) application.
RDP                 Windows, Linux   RDP config file located in:
                                     • Windows: Documents directory
                                     • Linux: ~/Documents
SAP                 Windows          sap_logon.ini file created at C:\Users\Username\AppData\Roaming\SAP\Common
SMB/Samba           Windows, Linux   SMB lure service file installed at:
                                     • Windows: Documents directory. Run the net use command in Command Prompt to display all active SMB connections, including the lure.
                                     • Linux: ~/Documents
SSH                 Windows, Linux   SSH config file located at:
                                     • Windows: C:\Users\fct2\.ssh\config
                                     • Linux: ~/.ssh/config

When a lure service is triggered on the endpoint, FortiClient detects the event and reports the incident to
FortiDeceptor. For example, if an RDP file is executed, it initiates a connection to the remote decoy machine,
and the incident is logged in FortiDeceptor in Incident > Analysis.

Quarantine integration
If FortiDeceptor is configured with quarantine integration, it can automatically quarantine an endpoint when
a lure service is triggered.

You can remove an endpoint from quarantine using FortiDeceptor or EMS.

To remove an endpoint from quarantine:

Do one of the following:
• To remove an endpoint from quarantine using FortiDeceptor, go to Fabric > Quarantine Status, select the endpoint, and click Unblock.
• To remove an endpoint from quarantine using EMS, see Quarantining an endpoint.

FortiClient sends FortiDeceptor quarantine events to EMS. You can view them on the endpoint System Events tab.

Removing the FortiDeceptor token from an endpoint


You can disable the FortiDeceptor profile from an endpoint. For example, you can reconfigure the assigned endpoint policy to use the default FortiDeceptor profile, which is not configured with tokens. When FortiClient receives the profile change, it uninstalls the token and removes all lures from the endpoint. In Endpoints, the FortiDeceptor Campaign Deployment status progresses from Pending to uninstall, to Notified to uninstall, to Clean. The FortiDeceptor Campaign Deployment field eventually is no longer visible for the endpoint.

FortiData integration 7.4.4

FortiData is a document classification and labeling service. It contains a database (DB) of your file hashes,
along with file metadata, including a data category (optional) and a label. The file data labels work in the
same way as Microsoft's Purview Information Protection labels, although the labels are not included in the
file content but are associated with the file hash in the FortiData DB. A label taxonomy is defined to

represent the various classification levels required for an organization. FortiClient can integrate with
FortiData to retrieve file data labels and use them to control file access.
The following describes how the integration functions once configured:
1. The EMS administrator configures a FortiData Fortinet Security Fabric Connector to establish trust. EMS and FortiData communicate in the following ways:
• EMS pulls a data label list from FortiData to use in Data Protection profiles.
• EMS sends its certificate to FortiData so that FortiData can verify the tokens that managed endpoints send for lookup.
• FortiData must provide a connector API key for the Fabric connection with EMS.
• Any other information exchanges between EMS and FortiData are done via this connector.
• FortiData only accepts requests from endpoints that this EMS manages. FortiData verifies this using the EMS serial number.
• EMS sends FortiData a zero trust network access (ZTNA) certificate that FortiData uses to verify FortiClient requests. FortiData must provide the API key to receive the ZTNA certificate.
2. The EMS administrator defines a Data Protection profile and monitors access to a file based on its data
label.
3. The EMS administrator defines which file types to send to FortiData for classification lookup. FortiClient
only sends the selected file types for lookup. FortiData supports file uploads for OCR, such as JPEG and
GIF.
4. When a user downloads or opens a file that matches the configuration, FortiClient performs a
hash lookup and retrieves the data label from FortiData for that file.
5. FortiClient sends its token with the request to authenticate with FortiData to authorize the endpoint.
6. FortiClient enforces file access based on classification rules that EMS defined. All file monitor activity is
logged.
FortiClient and EMS support integration with FortiData 7.6.1 and later versions. This feature requires the
Endpoint Protection Platform license.

To configure FortiData for the integration:

1. Install FortiData-VM 7.6.1.
2. Configure FortiData discovery policies for file scanning on the endpoint:
a. Go to Discovery > Policies.
b. Create and configure a policy as desired.
3. Configure scan policies to scan for those files. FortiData scans files and assigns labels to files that match the policy after the scan completes:

a. Go to Discovery > Scans.
b. Configure the scan policy as desired.

4. For FortiData and EMS to establish Fabric connection, you must upload a publicly signed certificate to
FortiData. Upload the certificate:
a. Go to System > Certificates.
b. Click Import Certificate > Add a new certificate.
c. Upload the certificate and key files.
5. Go to Fabric > HTTP2 Service > API Keys. Click New API Key. You will use this API key to establish Fabric
connection between EMS and FortiData.
6. Create a Fabric connector for EMS in FortiData:
a. Go to Fabric > HTTP2 Service.
b. Under Settings, configure a new device.
c. From the Device Type dropdown list, select FortiClient EMS.
d. In the IPv4 Address / Ranges field, enter [Link]/0.
e. Click Enable API Key Authentication.
f. From the Associated Scan Policies dropdown list, select the scan policy that you created.
g. From the Associated Discovery Policies dropdown list, select the discovery policy that you created.
h. Click Save.

7. Create a Fabric connector for FortiClient in FortiData:
a. Go to Fabric > HTTP2 Service.
b. Under Settings, configure a new device.
c. From the Device Type dropdown list, select FortiClient.
d. Click Enable Client Certificate Validation Using EMS CA.
e. Click Save.

To configure the integration in EMS:

1. Create a FortiData connector:
a. In EMS, go to Fabric & Connectors > Fabric Devices.
b. Click Add.
c. From the Connector Type dropdown list, select FortiData.
d. In the FortiData Hostname / IP address field, enter the FortiData IP address.
e. In the FortiData Port field, enter 8443.
f. In the FortiData REST API Key field, paste the key that you created in FortiData.
g. Click Next and complete creating the FortiData connector. Once EMS establishes the connection
with FortiData, it queries tags and file types from FortiData.
2. Create a data protection profile:
a. Go to Endpoint Profiles > Data Protection.
b. Create a new profile.
c. From the Server dropdown list, select the FortiData server.
d. Under Enable On, enable Browser, Messaging Clients, or Clipboard to select where the data protection feature applies.
e. Under File Extensions, select the desired extensions.

3. Configure the certificate that you created in FortiData in EMS:
a. Go to Endpoint Policy & Components > CA Certificates.
b. Click Upload.
c. Click Upload File.
d. Browse to and select the certificate that you created in FortiData. Click OK.
e. Go to Endpoint Profiles > System Settings.
f. Create a new profile or edit an existing one.
g. Under Other, enable Install CA Certificate on Client.
h. Ensure that the desired certificate is selected. FortiClient uses certificate chain validation to verify
the FortiData server identity. If you generated your own self-signed certificate for FortiData, you
only need to install a root certificate authority (CA) certificate on the endpoint. Using an SSL
certificate from a trusted CA is recommended.
i. Click Save.

To install FortiClient with FortiData support:

1. Run the FortiClient installer on the endpoint. In Additional Security Features, select Data Protection.
Configure other installation options as desired.
2. After FortiClient connects to EMS, in Registry Editor, confirm that Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_FTDATA exists and includes the configurations from EMS.
To verify the FortiData integration:

1. Do one of the following from the endpoint, using a file that matches the conditions configured in FortiData:
• Upload a file to a website.
• Upload a file on a messaging client, such as Microsoft Teams.
• Open a file and take a screenshot. This copies the file to the clipboard.
FortiClient calculates the hash of the file, sends it to FortiData, and checks if the hash matches any labels. If there is a label match, FortiClient monitors access to the file and sends event details to EMS.
2. In EMS, go to Endpoints > All Endpoints.
3. Select the desired endpoint.
4. Go to the Data Protection Events tab. This tab lists the following information about data protection events:
• Date/time of event
• User name
• Hostname
• Action type (monitor or block)
• Mode (simulation or protection)
• File hash
• Data label
• Filename/path
5. After uploading the file, check the fcaptmontrace_1 logs in the trace folder. They show the matched label, the file name, and the upload platform. The following shows example logs for different scenarios:

Scenario                    Log example

Browser                     [2025-06-27 [Link].2311041 UTC-07:00] [4244:4656] [fcaptmontrace 431 info] upload sending ems alert,C:\Users\kk\Desktop\testpkg\testpkg\phi_internal\phi_1_patient_admission_notes--patient_name-[Link],Monitor- Matched label(s): Internal;Machine_Learning;PHI;PII, Content: C:\Users\kk\Desktop\testpkg\testpkg\phi_internal\phi_1_patient_admission_notes--patient_name-[Link], hash = 9fc7c807621dadcf29e459db8569884ddce8e718,,Monitor,9fc7c807621dadcf29e459db8569884ddce8e718,Internal;Machine_Learning;PHI;PII,[Link]

Screenshotted (clipboard)   [2025-06-26 [Link].2583481 UTC-07:00] [5780:10548] [fcaptmontrace 431 info] sending ems alert,[Link],Monitor-clipboard Matched label(s): Internal;Machine_Learning;PHI;PII;Public, Content: [Link], hash = fedbfa3746a420fbd86342077eb04dbd7d821947,clipboard,Monitor,fedbfa3746a420fbd86342077eb04dbd7d821947,Internal;Machine_Learning;PHI;PII;Public,clipboard

Sent via Microsoft Teams    [2025-06-26 [Link].0600390 UTC-07:00] [5780:12240] [fcaptmontrace 431 info] sending ems alert,C:\Users\kk\Desktop\testpkg\testpkg\pii_public\pii--50_[Link],Monitor- Matched label(s): Machine_Learning;PII;Public, Content: C:\Users\kk\Desktop\testpkg\testpkg\pii_public\pii--50_names.txt, hash = 42f2c523834b26ae6934d73de2238a656eafba22,,Monitor,42f2c523834b26ae6934d73de2238a656eafba22,Machine_Learning;PII;Public,[Link]

Sent via Telegram           [2025-06-27 [Link].7196748 UTC-07:00] [4244:5768] [fcaptmontrace 431 info] sending ems alert,C:\Users\kk\Desktop\testpkg\testpkg\pii_public\pii--50_names-50_ssns-50_us_drivers_licenses.xlsx,Monitor- Matched label(s): Machine_Learning;PII;Public, Content: C:\Users\kk\Desktop\testpkg\testpkg\pii_public\pii--50_names-50_ssns-50_us_drivers_licenses.xlsx, hash = 3a0b43d3e2e5998e40c45adbaae260bf7900d9be,,Monitor,3a0b43d3e2e5998e40c45adbaae260bf7900d9be,Machine_Learning;PII;Public,[Link]
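The following is an added example, not code from the guide or from Fortinet: it parses fcaptmontrace alert lines in the layout shown above and summarizes them per upload platform, flagging events whose labels include PHI, PII, or the sensitivity labels from the FortiData tag list. The field order after the hash, the sample paths, hashes and platform names are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Labels worth an analyst's attention; names taken from the FortiData tag cache in this guide.
SENSITIVE_LABELS = frozenset({"PHI", "PII", "Confidential", "Highly Confidential", "Restricted"})

# Line layout inferred from the fcaptmontrace examples above (assumption). After
# "hash = <sha1>," the comma-separated tail is: source, action, sha1 (repeated), labels, platform.
_ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] "
    r"\[fcaptmontrace (?P<msgid>\d+) (?P<level>\w+)\] "
    r"(?P<prefix>.*?)sending ems alert,(?P<content>.*?),"
    r"(?P<action>\w+)-(?P<channel>\w*) Matched label\(s\): (?P<labels>[^,]*), "
    r"Content: .*?, hash = (?P<sha1>[0-9a-fA-F]{40}),(?P<tail>.*)$"
)


@dataclass(frozen=True)
class DataProtectionEvent:
    timestamp: str
    action: str        # Monitor or Block
    content: str       # file path, or the clipboard content name
    sha1: str
    labels: tuple      # sorted label names
    platform: str      # last field of the alert: upload destination or "clipboard"
    consistent: bool   # the hash repeated in the tail matches the primary hash


def parse_alert(line):
    """Return a DataProtectionEvent for a 'sending ems alert' line, or None for any other line."""
    m = _ALERT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    tail = m.group("tail").split(",")
    sha1 = m.group("sha1").lower()
    labels = tuple(sorted(lab for lab in m.group("labels").split(";") if lab))
    return DataProtectionEvent(
        timestamp=m.group("ts"),
        action=m.group("action"),
        content=m.group("content"),
        sha1=sha1,
        labels=labels,
        platform=tail[-1].strip() if tail else "",
        consistent=len(tail) >= 3 and tail[2].strip().lower() == sha1,
    )


def summarize(lines, sensitive=SENSITIVE_LABELS):
    """Count alerts per platform and collect events carrying sensitive labels."""
    events = [e for e in map(parse_alert, lines) if e is not None]
    wanted = set(sensitive)
    return {
        "events": len(events),
        "by_platform": dict(Counter(e.platform for e in events)),
        "flagged": [e for e in events if wanted.intersection(e.labels)],
        "inconsistent": [e for e in events if not e.consistent],
    }


# Constructed sample lines (not real log data), following the layout of the examples above.
SAMPLE_LINES = [
    r"[2025-06-27 10:15:42.2311041 UTC-07:00] [4244:4656] [fcaptmontrace 431 info] upload sending ems alert,"
    r"C:\Users\alice\Documents\phi_notes.docx,Monitor- Matched label(s): Internal;PHI;PII, "
    r"Content: C:\Users\alice\Documents\phi_notes.docx, hash = 0123456789abcdef0123456789abcdef01234567,"
    r",Monitor,0123456789abcdef0123456789abcdef01234567,Internal;PHI;PII,files.example.com",
    r"[2025-06-26 09:01:03.2583481 UTC-07:00] [5780:10548] [fcaptmontrace 431 info] sending ems alert,"
    r"screenshot.png,Monitor-clipboard Matched label(s): Internal;PHI;Public, "
    r"Content: screenshot.png, hash = fedcba9876543210fedcba9876543210fedcba98,"
    r"clipboard,Monitor,fedcba9876543210fedcba9876543210fedcba98,Internal;PHI;Public,clipboard",
    r"[2025-06-26 11:20:00.0600390 UTC-07:00] [5780:12240] [fcaptmontrace 431 info] sending ems alert,"
    r"C:\Users\alice\Documents\pii_names.txt,Monitor- Matched label(s): PII;Public, "
    r"Content: C:\Users\alice\Documents\pii_names.txt, hash = aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd,"
    r",Monitor,aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd,PII;Public,Teams",
    # A trace line that is not an alert; parse_alert() must skip it.
    r"[2025-06-26 11:20:01.0000000 UTC-07:00] [5780:12240] [fcaptmontrace 100 info] data protection config applied",
]


if __name__ == "__main__":
    for ev in filter(None, map(parse_alert, SAMPLE_LINES)):
        print(ev.action, ev.platform, ";".join(ev.labels), ev.content)
```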

6. To check the logs in FortiData, run the following commands:

diagnose logs http2 50
diagnose logs analyzer 50

The following shows example output from these commands:

[DEBUG] 2025/06/26 [Link].160563 tag_info_service.go:58 Updated tag cache: map


[APPI:Compliance APPs:Compliance ASIA:Data Residency AUSTRALIA:Data Residency BRAZIL:Data
Residency CCPA:Compliance CSL:Compliance Clinical Records:Data Classification Clinical
Studies:Data Classification Compliance and Risk Management:Data Classification
Confidential:Sensitivity Configuration Files:Data Classification Contracts and Agreements:Data
Classification Credentials and Keys:Data Classification Credit and Risk Management:Data
Classification DPA:Compliance Development Documentation:Data Classification EU:Data Residency
Education:Data Classification FERPA:Compliance FISMA:Compliance Finance:Data Classification
Financial Report:Data Classification Financial Strategy and Research:Data Classification
GDPR:Compliance GLBA:Compliance HIPAA:Compliance HR Documentation:Data Classification
Healthcare:Data Classification Highly Confidential:Sensitivity Information Technology:Data
Classification Insurance and Settlement:Data Classification Internal:Sensitivity JAPAN:Data
Residency LGPD:Compliance Legal:Data Classification License Agreement:Data Classification
Manufacture:Data Classification Medication Management:Data Classification NDA Form:Data
Classification NIST 800-53 and NIST 800-171:Compliance Operational Documentation:Data
Classification PCI_DSS:Compliance PHI:Data Classification PII:Data Classification
PIPEDA:Compliance Patent:Data Classification Payment Card Data:Data Classification Performance

Review:Data Classification Public:Sensitivity Restricted:Sensitivity SOX:Compliance Source
Code:Data Classification Test Documentation:Data Classification Timesheet:Data Classification
Training Materials:Data Classification Transaction Record:Data Classification UK:Data
Residency US:Data Residency User Documentation:Data Classification]
[DEBUG] 2025/06/26 [Link].160441 tag_info_service.go:58 Updated tag cache: map
[APPI:Compliance APPs:Compliance ASIA:Data Residency AUSTRALIA:Data Residency BRAZIL:Data
Residency CCPA:Compliance CSL:Compliance Clinical Records:Data Classification Clinical
Studies:Data Classification Compliance and Risk Management:Data Classification
Confidential:Sensitivity Configuration Files:Data Classification Contracts and Agreements:Data
Classification Credentials and Keys:Data Classification Credit and Risk Management:Data
Classification DPA:Compliance Development Documentation:Data Classification EU:Data Residency
Education:Data Classification FERPA:Compliance FISMA:Compliance Finance:Data Classification
Financial Report:Data Classification Financial Strategy and Research:Data Classification
GDPR:Compliance GLBA:Compliance HIPAA:Compliance HR Documentation:Data Classification
Healthcare:Data Classification Highly Confidential:Sensitivity Information Technology:Data
Classification Insurance and Settlement:Data Classification Internal:Sensitivity JAPAN:Data
Residency LGPD:Compliance Legal:Data Classification License Agreement:Data Classification
Manufacture:Data Classification Medication Management:Data Classification NDA Form:Data
Classification NIST 800-53 and NIST 800-171:Compliance Operational Documentation:Data
Classification PCI_DSS:Compliance PHI:Data Classification PII:Data Classification
PIPEDA:Compliance Patent:Data Classification Payment Card Data:Data Classification Performance
Review:Data Classification Public:Sensitivity Restricted:Sensitivity SOX:Compliance Source
Code:Data Classification Test Documentation:Data Classification Timesheet:Data Classification
Training Materials:Data Classification Transaction Record:Data Classification UK:Data
Residency US:Data Residency User Documentation:Data Classification]
[DEBUG] 2025/06/26 [Link].159709 tag_info_service.go:58 Updated tag cache: map
[APPI:Compliance APPs:Compliance ASIA:Data Residency AUSTRALIA:Data Residency BRAZIL:Data
Residency CCPA:Compliance CSL:Compliance Clinical Records:Data Classification Clinical
Studies:Data Classification Compliance and Risk Management:Data Classification
Confidential:Sensitivity Configuration Files:Data Classification Contracts and Agreements:Data
Classification Credentials and Keys:Data Classification Credit and Risk Management:Data
Classification DPA:Compliance Development Documentation:Data Classification EU:Data Residency
Education:Data Classification FERPA:Compliance FISMA:Compliance Finance:Data Classification
Financial Report:Data Classification Financial Strategy and Research:Data Classification
GDPR:Compliance GLBA:Compliance HIPAA:Compliance HR Documentation:Data Classification
Healthcare:Data Classification Highly Confidential:Sensitivity Information Technology:Data
Classification Insurance and Settlement:Data Classification Internal:Sensitivity JAPAN:Data
Residency LGPD:Compliance Legal:Data Classification License Agreement:Data Classification
Manufacture:Data Classification Medication Management:Data Classification NDA Form:Data
Classification NIST 800-53 and NIST 800-171:Compliance Operational Documentation:Data
Classification PCI_DSS:Compliance PHI:Data Classification PII:Data Classification
PIPEDA:Compliance Patent:Data Classification Payment Card Data:Data Classification Performance
Review:Data Classification Public:Sensitivity Restricted:Sensitivity SOX:Compliance Source
Code:Data Classification Test Documentation:Data Classification Timesheet:Data Classification
Training Materials:Data Classification Transaction Record:Data Classification UK:Data
Residency US:Data Residency User Documentation:Data Classification]
[DEBUG] 2025/06/26 [Link].159904 tag_info_service.go:58 Updated tag cache: map
[APPI:Compliance APPs:Compliance ASIA:Data Residency AUSTRALIA:Data Residency BRAZIL:Data
Residency CCPA:Compliance CSL:Compliance Clinical Records:Data Classification Clinical
Studies:Data Classification Compliance and Risk Management:Data Classification
Confidential:Sensitivity Configuration Files:Data Classification Contracts and Agreements:Data

Classification Credentials and Keys:Data Classification Credit and Risk Management:Data
Classification DPA:Compliance Development Documentation:Data Classification EU:Data Residency
Education:Data Classification FERPA:Compliance FISMA:Compliance Finance:Data Classification
Financial Report:Data Classification Financial Strategy and Research:Data Classification
GDPR:Compliance GLBA:Compliance HIPAA:Compliance HR Documentation:Data Classification
Healthcare:Data Classification Highly Confidential:Sensitivity Information Technology:Data
Classification Insurance and Settlement:Data Classification Internal:Sensitivity JAPAN:Data
Residency LGPD:Compliance Legal:Data Classification License Agreement:Data Classification
Manufacture:Data Classification Medication Management:Data Classification NDA Form:Data
Classification NIST 800-53 and NIST 800-171:Compliance Operational Documentation:Data
Classification PCI_DSS:Compliance PHI:Data Classification PII:Data Classification
PIPEDA:Compliance Patent:Data Classification Payment Card Data:Data Classification Performance
Review:Data Classification Public:Sensitivity Restricted:Sensitivity SOX:Compliance Source
Code:Data Classification Test Documentation:Data Classification Timesheet:Data Classification
Training Materials:Data Classification Transaction Record:Data Classification UK:Data
Residency US:Data Residency User Documentation:Data Classification]

Endpoint: Remote Access

IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1

IPsec VPN, which normally depends on UDP, can also run over TCP. IPsec over TCP can help VPN traffic pass through restrictive firewalls, especially when the firewall only allows TCP-based traffic. You can configure an IPsec VPN tunnel to use UDP or TCP exclusively, or to automatically switch to TCP mode if the firewall blocks UDP. In high latency or congested networks, UDP-based VPN connections may experience packet loss or degraded performance. TCP's built-in mechanisms for error correction and retransmission can improve the reliability and stability of the VPN connection in these conditions. IPsec over TCP is especially useful in mobile or dynamic environments (e.g., public Wi-Fi, hotel networks, or cellular data) where the network conditions or restrictions can vary significantly. It allows for more seamless and stable VPN connectivity in a wider range of scenarios.

To configure this feature:

1. FortiOS 7.4.5 and 7.6 use IKE ports 500 and 4500 for UDP and TCP, respectively, for NAT traversal. You
can configure custom ports as follows:

config system settings
    set ike-port 5000
    set ike-tcp-port 5500
end

2. In EMS, you can configure this feature using <transport_mode>. The following summarizes the available
values for this element:

Value   Description
0       UDP transport mode. This is the default and is used for most VPN connections.
1       TCP transport mode. This is recommended for use in restrictive networks.
2       Auto mode. FortiOS dynamically selects the transport mode.

You can also configure custom ports using the <tcp_port> and <udp_port> elements. The following provides an example of the <transport_mode> and <tcp_port> elements. This example does not include all elements required for a functioning VPN connection:

<forticlient_configuration>
    <vpn>
        <ipsecvpn>
            <connections>
                <connection>
                    <transport_mode>1</transport_mode>
                    <tcp_port>5500</tcp_port>
                </connection>
            </connections>
        </ipsecvpn>
    </vpn>
</forticlient_configuration>
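The transport mode and port check, as an added example that is not part of the guide or of EMS: it parses a constructed profile fragment and compares each connection's effective ports against the FortiGate ike-port and ike-tcp-port values, which is the mismatch that leaves a tunnel unable to negotiate. It assumes that FortiClient falls back to 500 and 4500 when <udp_port> or <tcp_port> is absent, matching the FortiOS defaults given above, and accepts the element either directly under <connection> or under <ike_settings>, the two placements this guide shows.

```python
import xml.etree.ElementTree as ET

# FortiOS defaults for 'ike-port' and 'ike-tcp-port' under 'config system settings'.
DEFAULT_IKE_PORT = 500
DEFAULT_IKE_TCP_PORT = 4500
# <transport_mode> values documented above.
TRANSPORT_MODES = {0: "udp", 1: "tcp", 2: "auto"}


def _text(conn, tag):
    """Look up a setting under <ike_settings> first, then directly under <connection>."""
    for path in (f"ike_settings/{tag}", tag):
        node = conn.find(path)
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    return None


def effective_ports(conn):
    """Return (mode_name, udp_port, tcp_port) that a <connection> element will use.

    Missing <transport_mode> means UDP; missing ports fall back to the FortiOS
    defaults (assumption: FortiClient behaves the same way)."""
    mode_txt = _text(conn, "transport_mode")
    mode = int(mode_txt) if mode_txt is not None else 0
    if mode not in TRANSPORT_MODES:
        raise ValueError(f"unknown transport_mode {mode_txt!r}")
    udp = int(_text(conn, "udp_port") or DEFAULT_IKE_PORT)
    tcp = int(_text(conn, "tcp_port") or DEFAULT_IKE_TCP_PORT)
    return TRANSPORT_MODES[mode], udp, tcp


def describe(xml_text):
    """Map connection name -> (mode, udp_port, tcp_port); invalid connections map to None."""
    out = {}
    for conn in ET.fromstring(xml_text).iterfind("./vpn/ipsecvpn/connections/connection"):
        name = conn.findtext("name") or "<unnamed>"
        try:
            out[name] = effective_ports(conn)
        except ValueError:
            out[name] = None
    return out


def check_transport(xml_text, fgt_ike_port=DEFAULT_IKE_PORT, fgt_ike_tcp_port=DEFAULT_IKE_TCP_PORT):
    """Return findings for every connection whose port(s) cannot reach the FortiGate IKE listener.

    Auto mode is checked against both ports, since FortiOS may pick either transport."""
    findings = []
    for conn in ET.fromstring(xml_text).iterfind("./vpn/ipsecvpn/connections/connection"):
        name = conn.findtext("name") or "<unnamed>"
        try:
            mode, udp, tcp = effective_ports(conn)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if mode in ("udp", "auto") and udp != fgt_ike_port:
            findings.append(f"{name}: UDP port {udp} does not match FortiGate ike-port {fgt_ike_port}")
        if mode in ("tcp", "auto") and tcp != fgt_ike_tcp_port:
            findings.append(f"{name}: TCP port {tcp} does not match FortiGate ike-tcp-port {fgt_ike_tcp_port}")
    return findings


# Constructed profile fragment (not a complete EMS profile); names and values are made up.
SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>tcp-only</name>
          <transport_mode>1</transport_mode>
          <tcp_port>5500</tcp_port>
        </connection>
        <connection>
          <name>udp-custom</name>
          <ike_settings>
            <transport_mode>0</transport_mode>
            <udp_port>5000</udp_port>
          </ike_settings>
        </connection>
        <connection>
          <name>auto-default</name>
          <ike_settings>
            <transport_mode>2</transport_mode>
          </ike_settings>
        </connection>
        <connection>
          <name>bad-mode</name>
          <transport_mode>7</transport_mode>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


if __name__ == "__main__":
    # FortiGate configured with the custom ports from step 1 above.
    for finding in check_transport(SAMPLE_PROFILE, fgt_ike_port=5000, fgt_ike_tcp_port=5500):
        print(finding)
```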

The following describes configuring IPsec VPN for UDP, TCP, or auto mode.

Example: Configuring UDP transport mode


UDP is the standard IPsec VPN transport mode that encapsulates IPsec VPN traffic within UDP packets.

To configure UDP transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface
    edit "v2_psk-120"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 [Link]
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set localid "120"
        set comments "VPN: v2_psk-120 (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "IPSEC"
        set transport udp
        set ipv4-start-ip [Link]
        set ipv4-end-ip [Link]
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWzhwk3TA
6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopaaGd4yhaSxO+c
WxxdDwehLVlmMjY3dkVA
    next
end

2. In EMS, go to Endpoint Profiles > Remote Access.
3. Select an existing profile or create a new one.
4. Click XML, then Edit. The following provides an example XML configuration for the feature:

<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<connections/>
<options>
<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<negative_split_tunnel_metric/>
<enabled>1</enabled>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<no_dns_registration>0</no_dns_registration>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<block_ipv6>1</block_ipv6>
<show_auth_cert_only>0</show_auth_cert_only>
<use_gui_saml_auth>0</use_gui_saml_auth>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>[Link]</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>0</transport_mode>
<udp_port>5000</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<auth_data>
<preshared_key>Enc
56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>

<remote_networks>
<network>
<addr>[Link]</addr>
<mask>[Link]</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>[Link]</ip>
<mask>[Link]</mask>
<dnsserver>[Link]</dnsserver>
<winserver>[Link]</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>

<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<uselocalcert>0</uselocalcert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<disable_default_route>0</disable_default_route>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<usewincert>1</usewincert>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<use_win_current_user_cert>1</use_win_current_user_cert>
<no_dns_registration>0</no_dns_registration>
<block_ipv6>1</block_ipv6>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
</options>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<icdb_domains/>
<domains/>
<apps/>
</exceptions>
<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>0</secure_remote_access>

<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_negotiation_wnd>0</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<disable_connect_disconnect>0</disable_connect_disconnect>
<after_logon_saml_auth>0</after_logon_saml_auth>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel.

6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows
the UDP custom port value and transport shows UDP:

vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: [Link]:5000 -> [Link]:5000
tun_id: [Link]/::[Link]
remote_location: [Link]
network-id: 0
transport: UDP
virtual-interface-addr: [Link] -> [Link]
created: 633s ago

eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: [Link]/[Link]
nat: peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 20/20/20 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 22 e14bbad06bc282a3/fd72048d5f1911d7
direction: responder
status: established 633-633s ago = 20ms
proposal: aes256-sha256
child: no
SK_ei: 7cf79efa1dd1964a-98692d8f641b6624-be5dd5c659abccc9-b79d6391beb1af0e
SK_er: 73cf8cf9ec463dee-a7d2cf4acfa23cf9-2428429fbfd88dd9-faf6261916aa13c5
SK_ai: 81037c42a5f9e571-0eafd0157a02a501-948abb44f1f23603-3b9b5553a08aa135
SK_ar: 7ddb59bdbffab109-76bc5dfb810f7707-54fb81094e46345a-0b9b4ad5dc49c8d3
PPK: no
message-id sent/recv: 0/132
QKD: no
lifetime/rekey: 86400/85496
DPD sent/recv: 00000000/00000000
peer-id: 120

Example: Configuring TCP transport mode


TCP mode ensures VPN traffic can pass through restrictive firewalls that block UDP traffic but allow TCP, such as port 443 (HTTPS). You can specify a custom port to avoid conflict with the management port on the FortiGate.

To configure TCP transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface


edit "v2_psk-120"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 [Link]
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set localid "120"
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set transport tcp
set ipv4-start-ip [Link]
set ipv4-end-ip [Link]
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWzhwk3TA6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopaaGd4yhaSxO+cWxxdDwehLVlmMjY3dkVA
next
end

2. In EMS, go to Endpoint Profiles > Remote Access.
3. Select an existing profile or create a new one.
4. Click XML, then Edit. The following provides an example XML configuration for the feature:

<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<connections/>
<options>
<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<negative_split_tunnel_metric/>
<enabled>1</enabled>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<no_dns_registration>0</no_dns_registration>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<block_ipv6>1</block_ipv6>
<show_auth_cert_only>0</show_auth_cert_only>
<use_gui_saml_auth>0</use_gui_saml_auth>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>

<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>[Link]</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>1</transport_mode>
<tcp_port>5500</tcp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<auth_data>
<preshared_key>Enc 56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>

</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>[Link]</addr>
<mask>[Link]</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>[Link]</ip>
<mask>[Link]</mask>
<dnsserver>[Link]</dnsserver>
<winserver>[Link]</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>

</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<uselocalcert>0</uselocalcert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<disable_default_route>0</disable_default_route>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<usewincert>1</usewincert>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<use_win_current_user_cert>1</use_win_current_user_cert>
<no_dns_registration>0</no_dns_registration>
<block_ipv6>1</block_ipv6>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
</options>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<icdb_domains/>
<domains/>
<apps/>
</exceptions>
<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>

<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_negotiation_wnd>0</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<disable_connect_disconnect>0</disable_connect_disconnect>
<after_logon_saml_auth>0</after_logon_saml_auth>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel.

6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows
the TCP custom port value and transport shows TCP:

vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: [Link]:5500 -> [Link]:54854
tun_id: [Link]/::[Link]
remote_location: [Link]
network-id: 0
transport: TCP
virtual-interface-addr: [Link] -> [Link]
created: 592s ago
eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: [Link]/[Link]
nat: me peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 80/80/80 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 23 93b6803bff7cff00/f89d6f9965fbf3a7
direction: responder
status: established 592-592s ago = 80ms
proposal: aes256-sha256

child: no
SK_ei: f93108f3f8d9a94e-3e0a78289defb329-4d1ae67365f2cb56-e0d471a57ccb4f8d
SK_er: 58b37cf4d2e96cb3-cb7e334a48905459-ac8e4ff743c86e5c-630454f2e35b97e6
SK_ai: fc83b139808121a2-1dd68396d804e28d-bd619c0c4778dbda-9a1eb9e6fdf13808
SK_ar: edad89ee56bf9ecc-81443426c00c78f5-0574d6b71163a43b-d9ebf04c3ae4b87f
PPK: no
message-id sent/recv: 0/124
QKD: no
lifetime/rekey: 86400/85537
DPD sent/recv: 00000000/00000000
peer-id: 120

Example: Configuring auto transport mode

In auto mode, the FortiGate dynamically selects the best transport based on network conditions. If UDP
traffic is blocked, it switches to TCP transport mode automatically. This gives the VPN connection the
flexibility to use the best available transport for stable and reliable connectivity.

To configure auto transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface
edit "v2_psk-120"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 [Link]
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set localid "120"
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set transport udp-fallback-tcp
set ipv4-start-ip [Link]
set ipv4-end-ip [Link]
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWzhwk3TA6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopaaGd4yhaSxO+cWxxdDwehLVlmMjY3dkVA
next
end

2. In EMS, go to Endpoint Profiles > Remote Access.
3. Select an existing profile or create a new one.
4. Click XML, then Edit. The following provides an example XML configuration for the feature:

<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<connections/>
<options>
<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<negative_split_tunnel_metric/>
<enabled>1</enabled>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<no_dns_registration>0</no_dns_registration>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<block_ipv6>1</block_ipv6>
<show_auth_cert_only>0</show_auth_cert_only>
<use_gui_saml_auth>0</use_gui_saml_auth>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>

<server>[Link]</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>2</transport_mode>
<tcp_port>5500</tcp_port>
<udp_port>5000</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<xauth_timeout>120</xauth_timeout>
<auth_data>
<preshared_key>Enc 56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>[Link]</addr>
<mask>[Link]</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>

<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>[Link]</ip>
<mask>[Link]</mask>
<dnsserver>[Link]</dnsserver>
<winserver>[Link]</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>

</traffic_control>
</connection>
</connections>
<options>
<uselocalcert>0</uselocalcert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<disable_default_route>0</disable_default_route>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<usewincert>1</usewincert>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<use_win_current_user_cert>1</use_win_current_user_cert>
<no_dns_registration>0</no_dns_registration>
<block_ipv6>1</block_ipv6>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
</options>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<icdb_domains/>
<domains/>
<apps/>
</exceptions>
<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_negotiation_wnd>0</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<disable_connect_disconnect>0</disable_connect_disconnect>
<after_logon_saml_auth>0</after_logon_saml_auth>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>

<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel. If the network blocks UDP, the connection switches to TCP
transport mode automatically.
6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows
the TCP custom port value and transport shows TCP if the network blocks UDP:

vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: [Link]:5500 -> [Link]:54854
tun_id: [Link]/::[Link]
remote_location: [Link]
network-id: 0
transport: TCP
virtual-interface-addr: [Link] -> [Link]
created: 592s ago
eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: [Link]/[Link]
nat: me peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 80/80/80 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 23 93b6803bff7cff00/f89d6f9965fbf3a7
direction: responder
status: established 592-592s ago = 80ms
proposal: aes256-sha256
child: no
SK_ei: f93108f3f8d9a94e-3e0a78289defb329-4d1ae67365f2cb56-e0d471a57ccb4f8d
SK_er: 58b37cf4d2e96cb3-cb7e334a48905459-ac8e4ff743c86e5c-630454f2e35b97e6
SK_ai: fc83b139808121a2-1dd68396d804e28d-bd619c0c4778dbda-9a1eb9e6fdf13808
SK_ar: edad89ee56bf9ecc-81443426c00c78f5-0574d6b71163a43b-d9ebf04c3ae4b87f
PPK: no
message-id sent/recv: 0/124
QKD: no
lifetime/rekey: 86400/85537
DPD sent/recv: 00000000/00000000
peer-id: 120

Configure IPsec IKEv2 on multiple protocols 7.4.1

Previously, IPsec VPNs used UDP exclusively. Now an IPsec IKEv2 tunnel can be configured to use TCP,
Auto, or UDP. The advantage of TCP is that the tunnel traffic can use port 443, which is normally already
open on the firewall.

To configure IKEv2 protocol in the FortiClient EMS GUI:

1. In FortiClient EMS, go to Endpoint Profiles > Remote Access.
2. Create a new IPsec VPN tunnel.
3. In VPN Settings, set IKE to Version 2.
4. Select the Encapsulation mode:
• IKE UDP Port
• IPsec over TCP
• Auto

To view and modify the IKEv2 protocol in the XML editor:

1. In Endpoint Profiles > Remote Access, select the VPN tunnel and click Edit.
2. Edit the <transport_mode> tag:
• For UDP, set 0.
• For TCP, set 1.
• For Auto, set 2.
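
The following Python script is an added example, not Fortinet code. It audits the <transport_mode>, <tcp_port> and <udp_port> values of every IPsec connection in a FortiClient profile (using the 0/1/2 = UDP/TCP/Auto mapping above) and cross-checks them against the transport and listening port reported by diagnose vpn ike gateway list, the verification step used in the TCP and auto examples above. SAMPLE_PROFILE and SAMPLE_GATEWAY_LIST are constructed, trimmed stand-ins with RFC 5737 addresses, and treating a missing <tcp_port> on a TCP or Auto connection as a finding is this script's assumption, not a documented FortiClient requirement.

```python
"""Audit FortiClient IPsec transport settings against FortiOS gateway output.

Added example, not Fortinet code. The sample XML and diagnose output are
constructed, trimmed stand-ins (RFC 5737 addresses) for the ones in the guide.
"""
import re
import xml.etree.ElementTree as ET

TRANSPORT_MODES = {"0": "UDP", "1": "TCP", "2": "Auto"}
# Transports the gateway may legitimately report for each configured mode.
PERMITTED = {"UDP": {"UDP"}, "TCP": {"TCP"}, "Auto": {"UDP", "TCP"}}

SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration><vpn><ipsecvpn><connections>
<connection><name>v2_psk_120_tcp</name><ike_settings>
<server>vpn.example.test</server><transport_mode>1</transport_mode>
<tcp_port>5500</tcp_port></ike_settings></connection>
<connection><name>v2_psk_120_auto</name><ike_settings>
<server>vpn.example.test</server><transport_mode>2</transport_mode>
<tcp_port>5500</tcp_port><udp_port>5000</udp_port></ike_settings></connection>
<connection><name>tcp_no_port</name><ike_settings>
<server>vpn.example.test</server><transport_mode>1</transport_mode>
</ike_settings></connection>
</connections></ipsecvpn></vpn></forticlient_configuration>"""

SAMPLE_GATEWAY_LIST = """vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: 203.0.113.1:5500 -> 198.51.100.20:54854
tun_id: 10.212.134.200/::10.212.134.200
network-id: 0
transport: TCP
"""


def audit_profile(xml_text):
    """Return {connection name: (mode, tcp_port, udp_port, problems)}."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iterfind("./vpn/ipsecvpn/connections/connection"):
        ike = conn.find("ike_settings")
        raw = (ike.findtext("transport_mode") or "0").strip()
        mode = TRANSPORT_MODES.get(raw)
        tcp_port = ike.findtext("tcp_port")  # None when the tag is absent
        udp_port = ike.findtext("udp_port")
        problems = []
        if mode is None:
            problems.append(f"unknown transport_mode value {raw!r}")
        elif mode != "UDP" and not tcp_port:
            # Assumption of this check: TCP/Auto profiles should name their TCP port.
            problems.append("tcp_port missing for a mode that can use TCP")
        results[conn.findtext("name")] = (mode, tcp_port, udp_port, problems)
    return results


ADDR_RE = re.compile(r"(.+):(\d+)\s*->\s*(.+):(\d+)")


def parse_gateway_list(text):
    """Extract name, transport and both ports from one gateway-list entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    m = ADDR_RE.fullmatch(fields.get("addr", ""))
    return {
        "name": fields.get("name"),
        "transport": fields.get("transport"),
        "local_port": int(m.group(2)) if m else None,  # FortiGate side
        "peer_port": int(m.group(4)) if m else None,   # FortiClient side
    }


def check_tunnel(profile_entry, gateway):
    """Compare one profile connection with what FortiOS reports; return mismatches."""
    mode, tcp_port, udp_port, _ = profile_entry
    seen = gateway["transport"]
    issues = []
    if seen not in PERMITTED.get(mode, set()):
        issues.append(f"gateway shows {seen} but profile mode is {mode}")
    expected_port = tcp_port if seen == "TCP" else udp_port
    if expected_port and int(expected_port) != gateway["local_port"]:
        issues.append(f"gateway listens on {gateway['local_port']} "
                      f"but profile sets {expected_port}")
    return issues


if __name__ == "__main__":
    gw = parse_gateway_list(SAMPLE_GATEWAY_LIST)
    for name, entry in audit_profile(SAMPLE_PROFILE).items():
        print(name, entry[:3], entry[3] or check_tunnel(entry, gw) or "OK")
```

Run it against a profile exported from the EMS XML editor and the gateway entry copied from the FortiGate; an Auto connection is accepted with either transport, so a TCP result for an Auto profile only means that UDP was blocked on that path.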

To configure IKEv2 protocol in the FortiClient GUI:

1. Go to Remote Access.
2. Create a new VPN connection.
3. In Advanced Settings > VPN Settings:
a. Set IKE to Version 2.
b. Select the Encapsulation mode.
c. Click Save.

IKEv2 session resumption 7.4.1

IKEv2 session resumption enhances IPsec VPN with session resumption capabilities, allowing clients to
quickly reconnect to VPN gateways without restarting the full negotiation process. This feature benefits
mobile environments or high availability scenarios where users frequently switch networks or face network
outages.

This feature requires one of the following FortiOS versions:
• 7.4.4 and later
• 7.6

To configure IKEv2 session resumption:

1. On the FortiGate, enable client resume functionality:

config vpn ipsec phase1-interface
edit "v2_psk-120"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 [Link]
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set localid "120"
set dpd on-idle
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set client-resume enable
set client-resume-interval 120
...
next
end

This configuration allows a 120-second window for session resumption.

2. In EMS, configure <session_resume>:

<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<ipsecvpn>
<connections>
<connection>
<name>IPsec_VPN_session resumption</name>
...
<ike_settings>
...
<session_resume>1</session_resume>
...
</ike_settings>
...

3. If FortiClient loses network connection or the client device goes to sleep, the FortiGate starts a client
resume sleep period. When the network connectivity is restored or the device wakes, FortiClient
attempts to resume the session.
• If FortiClient resumes within the set interval (120 seconds in this example), the FortiGate detects
that the client has resumed and maintains the existing session, as this example debug log shows:

ike V=root:0:v2_psk-120_0: starting client-resume sleep period 120 sec (1)
ike V=root:0: comes [Link]:64917->[Link]:4500,ifindex=4,vrf=0,len=84....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=f92b4d7d59bca602/c38e3c8ae542e2c1:00000008 len=80
ike 0: in F92B4D7D59BCA602C38E3C8AE542E2C12E202508000000080000005000000034F2CBE78DC8ACBDE5D79B36F2B7C03321B73F8829E4964786BE4C057209F43AA7A64139F193A7DB3692C4E12F91D2B05E
ike V=root:0:v2_psk-120_0: client has resumed (1)
ike 0:v2_psk-120_[Link] out
...

• If FortiClient does not resume the session within the set interval, the FortiGate considers the session
expired and deletes the tunnel. FortiClient must then initiate a new full IKEv2 negotiation to reconnect.
EAP-TTLS support for IPsec VPN 7.4.3

When using IKEv2, user authentication is handled via Extensible Authentication Protocol (EAP). You can
configure FortiClient to use EAP-TTLS for authentication, which provides a more secure and flexible user
authentication method. Only IKEv2 supports EAP-TTLS. You can configure this feature using <eap_method>
in the XML configuration:

Field          Description
<eap_method>   Configure one of the following for the EAP method:
               • 1: requires EAP-MSCHAPv2 authentication.
               • 2: requires EAP-TTLS/PAP authentication. FortiClient (iOS) and (Android) do not
                 support EAP-TTLS/PAP authentication.
               • 0: allows EAP-MSCHAPv2 or EAP-TTLS/PAP authentication. FortiClient (macOS) and
                 (Linux) support this value. If a FortiClient (Windows) endpoint receives a value
                 of 0 for this field, it requires EAP-MSCHAPv2 authentication. FortiClient (iOS)
                 and (Android) do not support EAP-TTLS/PAP authentication.

EAP-TTLS for LDAP authentication

For LDAP-based user authentication using IKEv2, EAP-TTLS (Tunneled Transport Layer Security) must be
used. EAP-TTLS allows credentials to be securely transmitted to FortiGate over a TLS tunnel, ensuring
secure user authentication. For steps to configure LDAP authentication with IKEv2, see LDAP authentication
with IKEv2 using TCP as transport.

To configure EAP-TTLS authentication:

1. In EMS, go to Endpoint Profiles > Remote Access.
2. Create a new profile or edit an existing one.
3. Click XML.
4. Click Edit.
5. Edit the XML configuration to include the following:

<forticlient_configuration>
<vpn>
<ipsecvpn>
<connections>
<connection>
<name>IKEV2-PSK - EAP_TTLS</name>
<ike_settings>
<authentication_method>Preshared Key</authentication_method>
<eap_method>2</eap_method>
</ike_settings>
</connection>
</connections>
</ipsecvpn>

</vpn>
</forticlient_configuration>

6. On an endpoint that received the configuration, on the Remote Access tab, connect to the applicable
IPsec VPN tunnel.
7. Go to C:\%ProgramFiles%\Fortinet\FortiClient\logs\trace\ and open FortiIKE_1.log. The following shows
expected log output for this feature:

[2568:6176] [FortiIKE 524 info] IPsec daemon start [Link] -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000002 -i 1 --PROTOCOL udp -g [Link] IKEV2-PSK - EAP_TTLS
[2568:6176] [FortiIKE 407 debug] EAP-TTLS method loaded
[2568:6176] [FortiIKE 415 debug] EAP-GTC method loaded
[2568:6176] [FortiIKE 4947 debug] 0:IKEV2-PSK - EAP_TTLS:0: initiator received EAP msg
[2568:6176] [FortiIKE 400 debug] EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
[2568:6176] [FortiIKE 145 debug] EAP-TTLS: Phase2 type: PAP
[2568:6176] [FortiIKE 4787 debug] 0:IKEV2-PSK - EAP_TTLS:0: authentication succeeded

The following shows expected log output when EAP-MSCHAPv2 authentication is configured:

[9008:6308] [FortiIKE 524 info] IPsec daemon start [Link] -s FC_{73EFB30F-1CAD-4a7a-AE2E-150282B6CE25}_000002 -i 1 --PROTOCOL udp -g [Link] IKEV2-PSK
[9008:6308] [FortiIKE 394 debug] EAP-MSCHAPv2 method loaded
[9008:6308] [FortiIKE 415 debug] EAP-GTC method loaded
[9008:6308] [FortiIKE 4947 debug] 0:IKEV2-PSK:0: initiator received EAP msg
[9008:6308] [FortiIKE 400 debug] EAP: Initialize selected EAP method: vendor 0 method 26 (MSCHAPV2)
[9008:6308] [FortiIKE 385 debug] EAP-MSCHAPV2: Authentication succeeded
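
The following Python script is an added example, not Fortinet code. It reads FortiIKE_1.log lines like the two excerpts above, extracts the EAP type the client selected (21 for TTLS, 26 for MSCHAPv2, the codes those excerpts print), the EAP-TTLS inner method and the authentication outcome, and reports whether the negotiation matches the <eap_method> value pushed from EMS, including the rule that a Windows endpoint given 0 requires EAP-MSCHAPv2. TTLS_LOG and MSCHAP_LOG are constructed from the excerpts; the regular expressions are this script's assumptions about the log format.

```python
"""Check the EAP method FortiClient negotiated against the configured <eap_method>.

Added example, not Fortinet code. Log lines are constructed after the
FortiIKE_1.log excerpts in the guide.
"""
import re

EAP_TTLS, EAP_MSCHAPV2 = 21, 26
EAP_NAMES = {EAP_TTLS: "EAP-TTLS", EAP_MSCHAPV2: "EAP-MSCHAPv2"}
# <eap_method> value -> EAP types it permits; 0 allows either.
PERMITTED = {0: {EAP_TTLS, EAP_MSCHAPV2}, 1: {EAP_MSCHAPV2}, 2: {EAP_TTLS}}

# Assumed log formats, taken from the excerpts above.
METHOD_RE = re.compile(r"Initialize selected EAP method: vendor (\d+) method (\d+)")
PHASE2_RE = re.compile(r"EAP-TTLS: Phase2 type: (\w+)")
SUCCESS_RE = re.compile(r"authentication succeeded", re.IGNORECASE)

TTLS_LOG = """\
[2568:6176] [FortiIKE 407 debug] EAP-TTLS method loaded
[2568:6176] [FortiIKE 415 debug] EAP-GTC method loaded
[2568:6176] [FortiIKE 4947 debug] 0:IKEV2-PSK - EAP_TTLS:0: initiator received EAP msg
[2568:6176] [FortiIKE 400 debug] EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
[2568:6176] [FortiIKE 145 debug] EAP-TTLS: Phase2 type: PAP
[2568:6176] [FortiIKE 4787 debug] 0:IKEV2-PSK - EAP_TTLS:0: authentication succeeded
""".splitlines()

MSCHAP_LOG = """\
[9008:6308] [FortiIKE 394 debug] EAP-MSCHAPv2 method loaded
[9008:6308] [FortiIKE 4947 debug] 0:IKEV2-PSK:0: initiator received EAP msg
[9008:6308] [FortiIKE 400 debug] EAP: Initialize selected EAP method: vendor 0 method 26 (MSCHAPV2)
[9008:6308] [FortiIKE 385 debug] EAP-MSCHAPV2: Authentication succeeded
""".splitlines()


def summarize_eap(lines):
    """Return the selected EAP type, the TTLS inner method and the auth outcome."""
    summary = {"vendor": None, "method": None, "phase2": None, "succeeded": False}
    for line in lines:
        if m := METHOD_RE.search(line):
            summary["vendor"], summary["method"] = int(m.group(1)), int(m.group(2))
        elif m := PHASE2_RE.search(line):
            summary["phase2"] = m.group(1)
        elif SUCCESS_RE.search(line):
            summary["succeeded"] = True
    return summary


def check_eap(lines, eap_method, windows=False):
    """Return findings; an empty list means the log matches the configured policy.

    A Windows endpoint that receives 0 requires EAP-MSCHAPv2, so 0 is treated
    as 1 when windows=True.
    """
    effective = 1 if (eap_method == 0 and windows) else eap_method
    allowed = PERMITTED[effective]
    s = summarize_eap(lines)
    findings = []
    if s["method"] is None:
        findings.append("no EAP method selected in log")
    elif s["method"] not in allowed:
        negotiated = EAP_NAMES.get(s["method"], f"EAP type {s['method']}")
        permitted = "/".join(sorted(EAP_NAMES[t] for t in allowed))
        findings.append(f"{negotiated} negotiated but <eap_method>{eap_method} "
                        f"permits {permitted}")
    if s["method"] == EAP_TTLS and s["phase2"] != "PAP":
        findings.append("EAP-TTLS inner method is not PAP")
    if not s["succeeded"]:
        findings.append("no 'authentication succeeded' line")
    return findings


if __name__ == "__main__":
    print("TTLS log vs eap_method 2:", check_eap(TTLS_LOG, 2) or "OK")
    print("TTLS log vs eap_method 1:", check_eap(TTLS_LOG, 1))
    print("MSCHAPv2 log vs eap_method 0 on Windows:", check_eap(MSCHAP_LOG, 0, windows=True) or "OK")
```

The useful case is the mismatch: a profile that sets <eap_method>2 but whose log shows method 26 means the endpoint fell back to EAP-MSCHAPv2, which is exactly what LDAP-backed IKEv2 authentication (next section) cannot accept.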

Support LB IPsec VPN gateways with a single FQDN 7.4.3

FortiClient supports load balancing (LB) IPsec VPN gateways with a single fully qualified domain name
(FQDN). This feature simplifies configuration management, reducing the need for users to manually select
specific VPN gateway IP addresses.
Before IPsec VPN authentication, FortiClient resolves the FQDN to an IP address and saves it in the hosts
file to ensure it remains connected to the same FortiGate throughout the tunnel establishment process,
including authentication and tunnel creation. However, since DNS servers may return IP addresses using
round robin, FortiClient may resolve the FQDN to a different FortiGate during login, leading to connection
inconsistencies and IPsec VPN connection failure. This feature enables FortiClient to connect to different
FortiGate IP addresses under a single FQDN. If a FortiGate is down, FortiClient can attempt to connect to it
until the next DNS resolution provides an alternative IP address.
The example deployment consists of the following components:
• Three FortiGates acting as remote gateways, with the following IP addresses:
  • FGTVM_0_182: [Link]
  • FGTVM_1_183: [Link]
  • FGTVM_2_184: [Link]
• Single FQDN mapping the three FortiGates on the DNS server: [Link]
• Microsoft Entra ID user to support SAML login for FortiClient VPN

To configure the DNS server:

1. Create three A records on the DNS server to map a single FQDN to three different IP addresses, each
corresponding to a remote VPN gateway.

2. Run nslookup to confirm that the FQDN resolves to the three IP addresses.

C:\Windows\system32>nslookup [Link]
Server: [Link]
Address: [Link]

Name: [Link]
Addresses: [Link]
[Link]
[Link]

To configure FortiOS:

1. Configure a user for Entra ID SAML login:

config user saml
edit "saml_azure"
set entity-id "[Link]"
set single-sign-on-url "[Link]"
set single-logout-url "[Link]"
set idp-entity-id "[Link]"
set idp-single-sign-on-url "[Link]ce3b341b7cf4/saml2"
set idp-single-logout-url "[Link]ce3b341b7cf4/saml2"
set idp-cert "REMOTE_Cert_1"
set user-name "[Link]"
set group-name "[Link]"
set digest-method sha1
next
end

2. Configure a VPN authentication user group that includes the user that you created in step 1:

config user group
edit "saml_grp"
set member "saml_azure"
next
end

3. Configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface
edit "IKEV2-SAML-AZ"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 [Link]
set proposal aes128-sha256 aes256-sha256
set comments "VPN: IKEV2_SAML_AZ (Created by VPN wizard)"
set dhgrp 5
set eap enable
set eap-identity send-request
set wizard-type dialup-forticlient
set authusrgrp "saml_grp"

set network-overlay enable
set network-id 20
set transport tcp
set ipv4-start-ip [Link] ## <<< or [Link] or [Link]
set ipv4-end-ip [Link]
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC y77chAtwvT25RPgnZTM5Xq51TzPpGjVKQ53r3kFUE5eQQmp1t8gxFSgXBth5nHCGChzcNB7VJhSUxmfCVOuz1c7qlS+n6eRSs73jOGxUH++k3FgzVmFMmzidFW9nIA5/AqvUpPDL8tddMPsItRmtW/TLU355pYFHYa9RFB1UVuqTxZXlnJGqG51S54fbZF2C5lvptVlmMjY3dkVA
next
end
config vpn ipsec phase2-interface
edit "IKEV2_SAML_AZ"
set phase1name "IKEV2-SAML-AZ"
set proposal aes128-sha256 aes256-sha256
set comments "VPN: IKEV2_SAML_AZ (Created by VPN wizard)"
next
end

To configure EMS:

1. In EMS, go to Endpoint Profiles > Remote Access.
2. Create a new profile or edit an existing one.
3. Under VPN Tunnels, click Add.
4. For Type, select IPsec VPN.
5. In the Remote Gateway field, enter the FQDN. In this example, it is [Link].
6. In Advanced Settings, toggle on Enable SAML Login.
7. Configure other fields as desired, then save.
The following shows example XML configuration:

<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<ipsecvpn>
<connections>
<connection>
<name>IPSec-SAML-IntWeb</name>
<uid>19527DD4-406D-48E1-9070-2FA86EB30254</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<keep_fqdn_resolution_consistency>1</keep_fqdn_resolution_consistency>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>

<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>[Link]</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>1</transport_mode>
<session_resume>1</session_resume>
<tcp_port>4500</tcp_port>
<udp_port>500</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<networkid>20</networkid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>0</enable_local_lan>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>1</sso_enabled>
<use_external_browser>0</use_external_browser>
<ike_saml_port>1234</ike_saml_port>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<auth_data>
<preshared_key>Enc
41ea469c65f8ab068dc4ccf7f5f2544133fd01262b6d0e3536b2c17ccb8d</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>

<proposal>AES128|SHA256</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>[Link]</addr>
<mask>[Link]</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>[Link]</ip>
<mask>[Link]</mask>
<dnsserver>[Link]</dnsserver>
<winserver>[Link]</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA256</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>

<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<use_win_current_user_cert>1</use_win_current_user_cert>
<enabled>1</enabled>
<enable_udp_checksum>0</enable_udp_checksum>
<usewincert>1</usewincert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<block_ipv6>1</block_ipv6>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<disable_default_route>0</disable_default_route>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<show_auth_cert_only>0</show_auth_cert_only>
<no_dns_registration>0</no_dns_registration>
<beep_if_error>0</beep_if_error>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
</options>
</ipsecvpn>
<options>
<show_negotiation_wnd>0</show_negotiation_wnd>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<show_vpn_before_logon>1</show_vpn_before_logon>
<autoconnect_on_install>0</autoconnect_on_install>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<certs_require_keyspec>0</certs_require_keyspec>
<suppress_vpn_notification>0</suppress_vpn_notification>
<allow_personal_vpns>1</allow_personal_vpns>
<keep_running_max_tries>0</keep_running_max_tries>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<minimize_window_on_connect>0</minimize_window_on_connect>

<disable_connect_disconnect>0</disable_connect_disconnect>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<after_logon_saml_auth>2</after_logon_saml_auth>
<disable_internet_check>1</disable_internet_check>
<current_connection_name>IPSec-SAML-IntWeb</current_connection_name>
<current_connection_type>ipsec</current_connection_type>
</options>
</vpn>
</forticlient_configuration>

To verify the configuration using FortiClient:

1. On three endpoints that received the profile updates, open FortiClient.
2. On the Remote Access tab, from the VPN Name dropdown list, select the configured IPsec VPN tunnel.
3. Click Connect.
4. FortiClient displays an authentication dialog. Enter the Entra ID credentials. If configured, you may also
perform multifactor authentication.
The endpoints connect to the VPN gateways using the configured FQDN, [Link]. On the
Remote Access tab, you can confirm in the IP Address field that the endpoints have connected to different IP
addresses, corresponding to the three remote gateways:
l FGTVM_0_182: [Link]
l FGTVM_1_183: [Link]
l FGTVM_2_184: [Link]

Round robin DNS does not ensure even distribution, as DNS caching and query
timing may result in some clients resolving to the same IP address rather than a
perfectly balanced spread. If one gateway goes offline, an endpoint that previously
resolved to that gateway randomly selects one of the available gateways based on
the round robin DNS response.

Security posture tag enforcement during VPN connection 7.4.3

In FortiClient 7.4.2 and earlier, security posture tag compliance status of endpoints is only checked when
establishing the VPN tunnel. Endpoints remain connected to the VPN regardless of a security posture tag
compliance status change.
FortiClient 7.4.3 enforces security posture tag compliance of endpoints connected to VPN by periodically
checking the tag compliance status. If the endpoint no longer has the security posture tag, the endpoint is
blocked from VPN connection with the following error.

See Configuring a profile to allow or block endpoint from VPN tunnel connection based on the applied
security posture tag for more information.

Dual IPsec VPN tunnel support 7.4.4

FortiClient 7.4.4 adds support for dual IPsec VPN IKEv2 connections. You can route internet traffic through
multiple VPN gateways for enhanced security.
The example configures two VPN tunnels, which FortiClient can be connected to at the same time in a
parallel configuration. The two tunnels are as follows:
l Internet Access, a full tunnel
l Van IPSec VPN, a split tunnel
After FortiClient connects to both tunnels successfully, the end user can access file servers behind each
FortiGate via the respective VPN tunnel.

To configure dual VPN tunnel support on EMS:

1. Go to Endpoint Profiles > Remote Access.
2. Create a new profile or edit an existing one.
3. Under General, toggle on Enable Multi-Connect on Eligible Tunnels.
4. Eligible tunnels appear below the toggle. There can be a maximum of 50 such tunnels per profile. Drag
and drop tunnels to define the DNS query priority. The priority list determines which tunnel interface
has higher priority for DNS queries on Windows. When performing a DNS query, Windows queries the
DNS server from the tunnel with the highest priority. If the query fails, then Windows queries the
DNS server from the tunnel with the next highest priority, and so on. The DNS priority is the same as the
VPN tunnel interface metric.

5. If desired, you can pin tunnels, which increases their visibility in FortiClient. Create or edit an existing
VPN tunnel as desired.
6. In Basic Settings, enable Pinned Tunnel.
7. Click Save, then click Save again.
You can also configure these features using XML elements. See XML configuration on page 84.

To connect to dual VPN tunnels from FortiClient:

1. On the endpoint, to verify the configuration before connecting to any VPN tunnel, run ipconfig in
Command Prompt. The following shows an example output:

Windows IP Configuration

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : [Link]
Link-local IPv6 Address . . . . . : fe80::bf3a:ec09:aac8:8d0f%12
IPv4 Address. . . . . . . . . . . : [Link]
Subnet Mask . . . . . . . . . . . : [Link]
Default Gateway . . . . . . . . . : [Link]

2. After FortiClient receives the profile updates from EMS, go to Remote Access.
3. From the View dropdown list, select Selected VPNs. Only pinned tunnels display in FortiClient and
FortiTray. If Enable View Selected VPNs is not enabled in EMS, FortiClient remembers the Selected VPNs
setting and only shows pinned tunnels for that user when they open the FortiClient console in the
future. FortiClient respects the local setting over the EMS setting in this case.
4. Click Connect for the first desired tunnel. In this example, this tunnel is Internet Access.

5. Run ipconfig again. The output differs now that FortiClient is connected to the Internet Access tunnel:

Windows IP Configuration
Unknown adapter Internet Access:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::549c:eb47:9f4a:b437%20
Default Gateway . . . . . . . . . : [Link]

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : [Link]
Link-local IPv6 Address . . . . . : fe80::bf3a:ec09:aac8:8d0f%12
IPv4 Address. . . . . . . . . . . : [Link]
Subnet Mask . . . . . . . . . . . : [Link]
Default Gateway . . . . . . . . . : [Link]

6. Run route print to view the routing table information. At this point, all traffic goes through the tunnel
interface with an IP address of [Link]:

===========================================================================
Interface List
20...........................Fortinet VPN-V Network Adapter
12...00 15 5d a1 9f 1b ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
[Link] [Link] [Link] [Link] 15
[Link] [Link] [Link] [Link] 4
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 271
[Link] [Link] [Link] [Link] 16
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 259
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:

If Metric Network Destination Gateway
1 331 ::1/128 On-link
12 271 fe80::/64 On-link
20 261 fe80::/64 On-link
20 261 fe80::549c:eb47:9f4a:b437/128 On-link
12 271 fe80::bf3a:ec09:aac8:8d0f/128 On-link
1 331 ff00::/8 On-link
12 271 ff00::/8 On-link
20 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

7. Click Connect for the second desired tunnel. In this example, this tunnel is Van IPSec VPN.
8. Run commands in Command Prompt to verify the endpoint network configuration with the dual VPN
connections:
a. Run ipconfig again. The output differs now that FortiClient is connected to two tunnels:

Unknown adapter Van IPSec VPN:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::549c:eb47:9f4a:b437%22
IPv4 Address. . . . . . . . . . . : [Link]
Subnet Mask . . . . . . . . . . . : [Link]
Default Gateway . . . . . . . . . : [Link]

Unknown adapter Internet Access:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::549c:eb47:9f4a:b437%20
IPv4 Address. . . . . . . . . . . : [Link]
Subnet Mask . . . . . . . . . . . : [Link]
Default Gateway . . . . . . . . . : [Link]

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . : [Link]
Link-local IPv6 Address . . . . . : fe80::bf3a:ec09:aac8:8d0f%12
IPv4 Address. . . . . . . . . . . : [Link]
Subnet Mask . . . . . . . . . . . : [Link]
Default Gateway . . . . . . . . . : [Link]

b. Run netsh interface ipv4 show interface to verify the VPN tunnel interface metrics. You can see
that Van IPSec VPN has the lowest metric (the value in the Met column):

Idx Met MTU State Name
--- ---------- ---------- ------------ ---------------------------
1 75 4294967295 connected Loopback Pseudo-Interface 1
20 3 1280 connected Internet Access
22 1 1280 connected Van IPSec VPN
12 15 1500 connected Ethernet 2

c. Run route print to view the routing table information. As the Van IPSec VPN tunnel has the lowest
metric, traffic destined for split tunnels goes through the Van IPSec VPN tunnel:

===========================================================================
Interface List
22...........................Fortinet VPN-V Network Adapter #2
20...........................Fortinet VPN-V Network Adapter
12...00 15 5d a1 9f 1b ......Microsoft Hyper-V Network Adapter #2
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
[Link] [Link] [Link] [Link] 15
[Link] [Link] [Link] [Link] 9001
[Link] [Link] [Link] [Link] 4
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 16
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 331
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] [Link] [Link] 2
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 271
[Link] [Link] [Link] [Link] 16
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 257
[Link] [Link] On-link [Link] 257
[Link] [Link] On-link [Link] 257
[Link] [Link] [Link] [Link] 2
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 257
[Link] [Link] On-link [Link] 331
[Link] [Link] On-link [Link] 271
[Link] [Link] On-link [Link] 259
[Link] [Link] On-link [Link] 257
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
12 271 fe80::/64 On-link
20 261 fe80::/64 On-link
22 261 fe80::/64 On-link
20 261 fe80::549c:eb47:9f4a:b437/128 On-link
22 261 fe80::549c:eb47:9f4a:b437/128 On-link
12 271 fe80::bf3a:ec09:aac8:8d0f/128 On-link
1 331 ff00::/8 On-link
12 271 ff00::/8 On-link
20 261 ff00::/8 On-link
22 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

d. Confirm access to protected networks by pinging resources behind the FortiGates.
i. Ping a resource behind the first FortiGate. This example pings [Link], the IP address
of a file server behind FortiGate A:

ping [Link] -t

Pinging [Link] with 32 bytes of data:
Reply from [Link]: bytes=32 time=1ms TTL=127
Reply from [Link]: bytes=32 time=1ms TTL=127
Reply from [Link]: bytes=32 time=2ms TTL=127

Ping statistics for [Link]:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

ii. Ping a resource behind the second FortiGate. This example pings [Link], the IP address
of the LAN behind FortiGate B:

ping [Link]

Pinging [Link] with 32 bytes of data:
Reply from [Link]: bytes=32 time<1ms TTL=255
Reply from [Link]: bytes=32 time=1ms TTL=255
Reply from [Link]: bytes=32 time=1ms TTL=255

Ping statistics for [Link]:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

XML configuration
This feature introduces the following new XML tags:

Tag Description
<enable_multi_vpn> Allows FortiClient to connect to multiple VPN tunnels concurrently.
<allow_concurrent> Per-tunnel configuration. Allow user to connect to this tunnel via the
FortiClient console or FortiTray as one of multiple concurrent VPN
tunnels.
<pinned> Per-tunnel configuration. A pinned tunnel displays in the FortiTray menu
and in the FortiClient GUI when View > Selected VPNs is selected.
<enable_view_selected_vpns> Enable for FortiClient to display pinned tunnels by default.
If disabled, the FortiClient GUI displays all configured VPN tunnels. The
user can select View > Selected VPNs to only display pinned tunnels.
FortiClient remembers this setting and only shows pinned tunnels for
that user when they open the FortiClient console in the future. FortiClient
respects the local setting over the EMS setting in this case.
<dns_priority> Per-tunnel configuration. A lower value means that the tunnel has higher
priority for DNS queries on Windows when the endpoint is connected to
multiple tunnels. The priority list determines which tunnel interface has
higher priority for DNS queries on Windows. When performing a DNS
query, Windows queries the DNS server from the tunnel with the highest
priority. If the query fails, then Windows queries the DNS server from the
tunnel with the next highest priority, and so on.

The following provides the example XML configuration. The XML sample is an incomplete configuration that
does not provide all necessary tags:

<forticlient_configuration>
<vpn>
<ipsecvpn>
<connections>
<connection>
<name>Van IPSec VPN</name>
<dns_priority>1</dns_priority>
<pinned>1</pinned>
<allow_concurrent>1</allow_concurrent>
</connection>
</connections>
</ipsecvpn>
<options>
<autoconnect_tunnel>Internet Access</autoconnect_tunnel>
<enable_multi_vpn>1</enable_multi_vpn>
<enable_view_selected_vpns>0</enable_view_selected_vpns>
</options>
</vpn>
</forticlient_configuration>
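As an added example (not FortiClient or EMS code), the following Python reads the multi-VPN tags from a constructed profile in the shape of the sample above, derives the Windows DNS query order described under Enable Multi-Connect on Eligible Tunnels (the eligible tunnel with the lowest dns_priority is queried first), and flags inconsistent settings: duplicate priorities, more than 50 eligible tunnels, or allow_concurrent without enable_multi_vpn. SAMPLE_PROFILE is constructed for this example, not exported from EMS.

```python
"""Lint the multi-VPN tags of a FortiClient EMS XML profile.

Added example, not FortiClient or EMS code. Tag meanings follow the
guide's table: lower dns_priority = higher DNS priority; at most 50
eligible tunnels per profile. SAMPLE_PROFILE is a constructed profile.
"""
import xml.etree.ElementTree as ET

MAX_ELIGIBLE_TUNNELS = 50  # per-profile limit stated in the guide

SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>Van IPSec VPN</name>
          <dns_priority>1</dns_priority>
          <pinned>1</pinned>
          <allow_concurrent>1</allow_concurrent>
        </connection>
        <connection>
          <name>Internet Access</name>
          <dns_priority>2</dns_priority>
          <pinned>0</pinned>
          <allow_concurrent>1</allow_concurrent>
        </connection>
        <connection>
          <name>Lab Only</name>
          <dns_priority>2</dns_priority>
          <allow_concurrent>0</allow_concurrent>
        </connection>
      </connections>
    </ipsecvpn>
    <options>
      <autoconnect_tunnel>Internet Access</autoconnect_tunnel>
      <enable_multi_vpn>1</enable_multi_vpn>
      <enable_view_selected_vpns>0</enable_view_selected_vpns>
    </options>
  </vpn>
</forticlient_configuration>
"""


def _flag(elem, tag):
    """True when the 0/1 child tag is present and set to 1."""
    return elem is not None and (elem.findtext(tag) or "0").strip() == "1"


def load_tunnels(xml_text):
    """Return (enable_multi_vpn, list of tunnel dicts) from a profile."""
    vpn = ET.fromstring(xml_text).find("vpn")
    if vpn is None:
        raise ValueError("profile has no <vpn> element")
    multi = _flag(vpn.find("options"), "enable_multi_vpn")
    tunnels = []
    for conn in vpn.iterfind("ipsecvpn/connections/connection"):
        prio = (conn.findtext("dns_priority") or "").strip()
        tunnels.append({
            "name": (conn.findtext("name") or "").strip(),
            "concurrent": _flag(conn, "allow_concurrent"),
            "pinned": _flag(conn, "pinned"),
            "dns_priority": int(prio) if prio.isdigit() else None,
        })
    return multi, tunnels


def dns_query_order(xml_text):
    """Eligible tunnels in the order Windows tries their DNS servers (lowest dns_priority first)."""
    _, tunnels = load_tunnels(xml_text)
    eligible = [t for t in tunnels if t["concurrent"] and t["dns_priority"] is not None]
    return [t["name"] for t in sorted(eligible, key=lambda t: t["dns_priority"])]


def lint_multi_vpn(xml_text):
    """Return human-readable findings about the profile's multi-VPN settings."""
    multi, tunnels = load_tunnels(xml_text)
    eligible = [t for t in tunnels if t["concurrent"]]
    findings = []
    if eligible and not multi:
        findings.append("allow_concurrent is set on tunnels but enable_multi_vpn is 0")
    if len(eligible) > MAX_ELIGIBLE_TUNNELS:
        findings.append(f"{len(eligible)} eligible tunnels exceed the limit of {MAX_ELIGIBLE_TUNNELS}")
    seen = {}  # dns_priority -> first tunnel that used it
    for t in eligible:
        prio = t["dns_priority"]
        if prio is None:
            findings.append(f"{t['name']}: eligible tunnel has no dns_priority")
        elif prio in seen:
            findings.append(f"{t['name']}: dns_priority {prio} duplicates {seen[prio]}")
        else:
            seen[prio] = t["name"]
    if multi and eligible and not any(t["pinned"] for t in eligible):
        findings.append("no eligible tunnel is pinned, so View > Selected VPNs would list none")
    return findings


if __name__ == "__main__":
    print("DNS query order:", dns_query_order(SAMPLE_PROFILE))
    for finding in lint_multi_vpn(SAMPLE_PROFILE) or ["no findings"]:
        print("-", finding)
```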

LDAP support for IPsec IKEv2 VPN 7.4.4

FortiClient can now leverage centrally managed user credentials from an LDAP server for IPsec IKEv2 VPN
authentication, simplifying user management.

Topology

To configure an LDAP server and user in the FortiOS GUI:

1. Go to User & Authentication > LDAP Servers.
2. Create a new LDAP server or edit an existing one.
Optionally, click Test User Credentials to ensure that the account has sufficient access rights.

3. Go to User & Authentication > User Groups.
4. Create a user group with the LDAP users as members.
For example, the following creates a user group VPN_Group with the LDAP user ldap_user as a member.

5. Go to VPN > VPN Tunnels and add the user group (e.g., VPN_Group) to the phase1 interface of your IPsec
tunnel.

6. Go to FortiView and verify that the IPsec VPN connection has been established successfully.

To configure an LDAP server and user in the FortiOS CLI:

config user group
edit "VPN_Group"
set member "AD" "fac_rad"
config match
edit 1
set server-name "AD"
set group-name "CN=ldap_user,CN=Users,DC=fortinet-fsso,DC=com"
next
end
next
end

FGTVM_1_183 # diagnose test authserver ldap AD ldap_user 123456
authenticate 'ldap_user' against 'AD' succeeded!
Group membership(s) - CN=Domain Users,CN=Users,DC=fortinet-fsso,DC=com
Domain of user is [Link]

config vpn ipsec phase1-interface
edit "IKEV2-PSK"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 [Link]
set proposal aes128gcm-prfsha256 aes256gcm-prfsha512 aes128-sha256 aes256-sha256
set negotiate-timeout 300
set dpd on-idle
set dhgrp 20
set eap enable
set eap-identity send-request
set wizard-type dialup-forticlient
set authusrgrp "VPN_Group"
set network-overlay enable
set network-id 4
set transport auto
set assign-ip-from name
set ipv4-name "IPsec_Tunnel_Add"
set ipv6-name "IPsec_Tunnel_Add6"
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC <pre-shared-key>
next
end

To verify the LDAP user login for IPsec IKEv2 VPN in the FortiClient GUI:

1. Go to Remote Access and select your IPsec IKEv2 VPN from the list.
2. Connect to the IPsec IKEv2 VPN in the following ways:

l Enter the username in the User Principal Name (UPN) (username@[Link]) format:

The VPN connection is successful with the UPN displayed as the username.

l Enter the LDAP username as it is:

The VPN connection is successful with the LDAP username displayed.

l Enter the username in the Down-Level Logon name (DLLN) (domain\username) format:

The VPN connection is successful with the DLLN displayed as the username.

FortiClient EMS

ZTNA

MDM integration support for EMS HA, FortiClient Cloud, and multitenancy
The following EMS setups now support mobile device management (MDM) integration:
l EMS in high availability (HA) mode
l FortiClient Cloud
l EMS with multitenancy enabled
You can now access System Settings > MDM Integration from the GUI in the aforementioned setups and
configure integration with Workspace ONE, Microsoft Intune, and Jamf in the same way as on the regular
on-premise EMS GUI.
The following shows the MDM Integration page in FortiClient Cloud as an example.


ZTNA application catalog 7.4.1

This feature uses the Fortinet Security Fabric connector between EMS and FortiOS to detect and retrieve a
list of zero trust network access (ZTNA) applications. This connector allows EMS to automatically learn
which TCP forwarding or non-web ZTNA applications are configured on FortiGates and display them in a
prepopulated list. You can use this list to configure ZTNA profiles on EMS for these applications without
manually reentering the information, which is time-consuming and error-prone. Automating ZTNA
application list retrieval from FortiOS saves time and reduces administrative overhead. Ensuring
consistency in application configuration across endpoints is crucial to maintain security and operational
efficiency.
For more information about this feature, see ZTNA application catalog.


FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications 7.4.1
FortiClient EMS uses its Fabric Connector to the FortiGate to retrieve non-web (TCP forwarding) ZTNA
applications configured on the FortiGate and adds them to its new ZTNA Applications Catalog. When the
EMS Administrator creates a ZTNA Remote Access profile, they can choose applications from the ZTNA
Applications Catalog, no longer needing to re-define them in EMS.

To auto-detect configuration of non-web ZTNA applications:

1. Configure the FortiGate ZTNA application rule:
2. Go to Policy & Objects > ZTNA > ZTNA Servers.

FortiOS should be on version 7.4.4 or above.

a. Click Create New.
b. Configure the ZTNA server.
c. Click OK.
3. Create the Fabric connection between the FortiGate and FortiClient EMS:
a. Go to Security Fabric > Fabric Connectors.
b. Select the FortiClient EMS card.
c. Enter the FortiClient EMS IP address and authorize the Fabric connection.


d. On FortiClient EMS, go to Fabric & Connectors > Fabric Devices > Standalone devices. The FortiGate
Fabric connection is visible.

e. Go to Fabric & Connectors > ZTNA Applications Catalog. You can switch between Applications View
and Gateway View.
Applications View displays auto-detected and manually added ZTNA applications.

Gateway View displays ZTNA applications by ZTNA proxy gateway.


4. Select which applications to provision as part of the ZTNA Destinations profile onto endpoint groups:
a. Go to Endpoint Profiles > ZTNA Destinations.
b. In the Default (Advanced) profile, under Rules, click Add.
c. Select the required applications in the ZTNA applications dialog.

d. Click Finish.


e. Save the profile.
5. On the endpoint, in FortiClient, go to ZTNA Destination. The list of ZTNA applications learned from the
FortiGate through FortiClient EMS is populated.


Security posture tags enhancements 7.4.3

The process for configuring security posture tags in EMS has been enhanced for easier management. You
can easily add descriptions for tags. Previously, the EMS GUI required you to manage tags and rules
separately. EMS 7.4.3 merges these management functions into a single page for simplicity.
The new Security Posture Tags > Tags page displays a list of configured tags. Hovering over the OS in the
OS and Rule Types column value for a tag displays the rule types for each OS that apply that tag.

Creating a tag requires you to configure a User Notification Message, where you can enter a message that
explains to the end user why FortiOS denied their access.
In FortiOS in Policy & Objects > ZTNA > Security Posture Tags, the Comments column displays the configured
user notification message for a tag.

The following shows a ZTNA Policy Denied page. It shows the user notification message in the Device Tags
field.


You can import tagging rule sets from an older EMS version to EMS 7.4.3. If multiple tagging rule sets apply
the same tag to an endpoint, after import, EMS combines the entries into one in Tags. Upgrading or
migrating to EMS 7.4.3 from an older version automatically combines such tags.

To import tagging rule sets from an older EMS version:

1. In the older EMS version, go to Security Posture Tags > Security Posture Tagging Rules.
2. Click Export.

3. In EMS 7.4.3, go to Security Posture Tags > Tags.
4. Click More > Import tag configuration.
5. In the File field, upload the exported JSON file from step 2.
6. For On tag name conflict, select one of the following actions to take if the imported tag has the same
name as an existing security posture tag in EMS:


Option Description

Rename Rename the imported tag. This option adds a -1 to the imported tag.
For example, if the existing and imported tags share the name AV-
Not-Installed, this option renames the imported tag to AV-Not-
Installed-1. If AV-Not-Installed-1 already exists as well, EMS renames
the imported tag AV-Not-Installed-2, and so on.

Overwrite Overwrite the existing tag with the imported tag. The overwritten tag
only contains the rules for the imported tag. Rules for the existing tag
are not retained.

Do not import Stop importing the new tag.

7. Click OK. After import, the rule sets that all applied RD_Endpoint_Compliance are combined into a single
entry for the RD_Endpoint_Compliance tag, with the multiple OSes displayed under the OS and Rule
Types column.

Upload custom certificate and private key for ZTNA 7.4.3

You can upload a custom intermediate root certificate and private keys to EMS to use for signing zero trust
network access (ZTNA) endpoint certificates instead of relying on the default EMS certificate, default_
[Link]. This provides flexibility for organizations that need custom certificate chains for
compliance or security reasons. It can also streamline the end user experience by helping to avoid
certificate trust issues.
When you upload a custom signing certificate to EMS, FortiOS retrieves it from EMS after the Fortinet
Security Fabric connection establishes. EMS uses this certificate to sign FortiClient client certificates. In the
FortiClient certificate's subject field, the common name (CN) is set to <fct_uid>, and two custom X.509
extensions are included:
l [Link].4.1.12356.[Link] (EMS serial number (SN))
l [Link].4.1.12356.[Link] (tenant ID)
FortiOS uses the downloaded signing certificate to validate the FortiClient certificate and extracts the
following details:
l FCT UID from the subject CN
l EMS SN from the X.509v3 extension [Link].4.1.12356.[Link]
l Tenant ID from the X.509v3 extension [Link].4.1.12356.[Link]

To upload a custom CA certificate:

1. In EMS, go to System Settings > EMS Settings.
2. Beside EMS CA Certificate (ZTNA), click Upload Custom CA Certificate.


3. Click Update.
4. You can upload a PEM or PKCS12 certificate. Upload the desired certificate, then click OK.
5. Click Apply.
6. You can verify the certificate change on an endpoint using the FortiClient ID:
a. Go to Endpoints > All Endpoints.
b. Select the desired endpoint.
c. Note the FortiClient ID.
d. On the endpoint device, open Manage user certificates.
e. Go to Certificates - Current User\Personal\Certificates.
f. Open the certificate that shows the FortiClient ID that you noted.
g. On the Details tab, confirm that the two X.509 extensions display:
l [Link].4.1.12356.[Link] (EMS serial number (SN))
l [Link].4.1.12356.[Link] (tenant ID)

Removing support for legacy SKUs

EMS 7.4 does not support the following legacy licenses:
l FC1-15-EMS01-297-01-DD
l FC2-15-EMS01-297-01-DD
l FC3-15-EMS01-297-01-DD
l FC4-15-EMS01-297-01-DD
l FC1-15-EMS03-297-01-DD
l FC2-15-EMS03-297-01-DD
l FC1-15-EMS03-298-01-DD
l FC2-15-EMS03-298-01-DD
l FC1-15-EMS01-299-01-DD
l FC2-15-EMS01-299-01-DD
l FC3-15-EMS01-299-01-DD
When you attempt to upload a legacy license to EMS 7.4, EMS prevents its usage and shows an
Unsupported license type error.

You may be using the EMS migration tool to migrate your Windows Server-based EMS 7.2 to the Linux-
based EMS 7.4. If you attempt to migrate EMS 7.2 using a legacy license to EMS 7.4 using the migration tool,
the migration tool aborts the process and displays a Current EMS Windows license is not supported in
EMS Linux, migration is aborted message.

FortiClient (Linux) installer creation support

EMS can create FortiClient (Linux) installers and deploy them to Linux endpoints. It can perform scheduled
or on-demand deployments for FortiClient (Linux) as required. This replaces the manual repackaging tool
used to add Linux installers to EMS as EMS adds the telemetry IP address to the installer during
deployment. You no longer have to download FortiClient (Linux) installers and perform manual installs.
This example creates an installer to upgrade FortiClient (Linux) 7.2.4 to 7.4.0.

To configure FortiClient (Linux) deployment in EMS:

1. In EMS, create the FortiClient (Linux) deployment package:
a. Go to Deployment & Installers > FortiClient Installer.
b. Click Add.
c. Under Installer Type, select Create installer.
d. From the Release dropdown list, select 7.4.
e. From the Patch dropdown list, select 7.4.0.


f. Configure other options as desired, then click Finish.
2. Go to Deployment & Installers > Manage Deployment.
3. Click Add.
4. For Action, select Install.
5. From the Deployment Package dropdown list, select the deployment package that you created.


6. Configure other options as desired, then click Save.


To verify FortiClient (Linux) deployment on the endpoint:

You can only view FortiClient (Linux) deployment progress from the CLI. You can refer to
/var/log/forticlient/.[Link] for deployment updates. The following shows the log for when
FortiClient (Linux) receives the upgrade notification from EMS:

20240405 [Link].376 TZ=-0700 [epctrl:DEBG] state_machine:904 REPLY=FCKARPLY:
CONT|1|EMSSN|FCTEMS123456:EMA-Linux-2|UPLD_PRT|8013|KA_INTERVAL|20|LIC_FEATS|14613503|LIC_ED|1744700400|SNAPTIME|0|QUAR|0|AVTR|1|AV_SIG|92.3103|EMS_ONNET|0|RUN_SRV_CMD|4|UPGRADE_PATH|[Link]:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.[Link]|DEVICE_ID|4|SCH_ID|1369|REBOOT_PROMPT|1|AUTOREBOOT0USERS|1|REBOOTWHENNEEDED|1|UNATTENDED|0|FILESHA256|b3fa3da02d4dc6119ba910eb50a4de4481ba199300c90b679b2fe1f48dc906b6|FILESIZE|281080740|TAGS|100000000000000000000000000000000000000000000000000000000|SERIAL|abcdefg|TENANT|00000000000000000000000000000000|PROTO_VERSION|1.0.0|PERCON|0|

FortiClient (Linux) downloads the deployment package from EMS:

20240405 [Link].550 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to EMS: Downloading
20240405 [Link].551 TZ=-0700 [epctrl:INFO] data_downloader:83 Added download: upgrade installer
20240405 [Link].551 TZ=-0700 [epctrl:INFO] data_downloader:126 Processing download: upgrade installer
20240405 [Link].551 TZ=-0700 [epctrl:WARN] deployment:88 Unable to open file /var/lib/forticlient/deploy/[Link]
20240405 [Link].551 TZ=-0700 [epctrl:INFO] data_downloader:193 Downloading data from [Link]:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.[Link]
20240405 [Link].577 TZ=-0700 [epctrl:DEBG] network_impl:351 Server certificate matches the current fingerprint
20240405 [Link].105 TZ=-0700 [epctrl:DEBG] data_downloader:287 Downloaded from [Link] [response: 200, transferred: 281080740]
20240405 [Link].322 TZ=-0700 [epctrl:INFO] data_downloader:393 Upgrade installer successfully downloaded

FortiClient (Linux) installs the deployment package:

20240405 [Link].386 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to EMS: Install Started
20240405 [Link].386 TZ=-0700 [epctrl:INFO] deployment_checker:281 Starting upgrade
20240405 [Link].386 TZ=-0700 [epctrl:INFO] deployment_impl:155 Detected OS: ubuntu
20240405 [Link].398 TZ=-0700 [epctrl:INFO] deployment_impl:165 Install package version: 7.4.0.1617
20240405 [Link].398 TZ=-0700 [epctrl:INFO] deployment_impl:167 Current package version: 7.2.4.0809
20240405 [Link].398 TZ=-0700 [epctrl:INFO] deployment_impl:170 Install command: DEBIAN_FRONTEND=noninteractive /usr/bin/systemd-run --scope /usr/bin/apt-get --allow-downgrades --reinstall -y install /var/lib/forticlient/deploy/[Link]
20240405 [Link].574 TZ=-0700 [epctrl:INFO] main:25 Starting endpoint control
20240405 [Link].574 TZ=-0700 [epctrl:DEBG] state_machine:146 In state: Initialize
20240405 [Link].575 TZ=-0700 [epctrl:INFO] epctrl_impl:184 Starting network monitor
20240405 [Link].582 TZ=-0700 [epctrl:INFO] endpoint_impl:889 Loading repackaged installer info
20240405 [Link].596 TZ=-0700 [epctrl:INFO] endpoint_impl:939 Loaded on-prem invitation info from installer
20240405 [Link].596 TZ=-0700 [epctrl:INFO] endpoint_impl:989 Loaded installer server info: [Link]:8013 (Site: default)

Upon successful installation, /var/log/forticlient/[Link] is updated with the last deployment statistics:

Running scope as unit: [Link]
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  forticlient
1 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
Need to get 0 B/281 MB of archives.
After this operation, 91.7 MB of additional disk space will be used.
Get:1 /var/lib/forticlient/deploy/[Link] forticlient amd64 7.4.0.1617 [281 MB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 193069 files and directories currently installed.)
Preparing to unpack .../deploy/[Link] ...
Module "FortiClient ZTNA" deleted from database.
Unpacking forticlient (7.4.0.1617) over (7.2.4.0809) ...
Setting up forticlient (7.4.0.1617) ...
gtk-update-icon-cache: Cache file created successfully.
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu3) ...

In EMS, the endpoint details show that deployment finished and the new FortiClient version installed
successfully.
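The following script, added here as an example and not part of FortiClient or EMS, parses epctrl log lines of the kind shown above and checks a downloaded package against the FILESHA256 and FILESIZE values carried in the FCKARPLY reply. It assumes the FCKARPLY payload is a flat sequence of alternating KEY|VALUE fields, as the quoted log suggests; the log lines, host name, serial number and package bytes it runs on are constructed.

```python
"""Parse FortiClient (Linux) epctrl deployment log lines and verify a downloaded
package against the FILESHA256 and FILESIZE values announced in the FCKARPLY reply.

Added example, not FortiClient or EMS code. Assumption: the FCKARPLY payload is a
flat, pipe-delimited sequence of alternating KEY|VALUE fields, as the log shows.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed package bytes standing in for the downloaded .deb.
PACKAGE = b"constructed FortiClient package bytes"

# Constructed log lines modelled on the ones quoted in this section
# (timestamps, host name and EMS serial number are placeholders).
SAMPLE_LOG = (
    "20240405 10:15:01.376 TZ=-0700 [epctrl:DEBG] state_machine:904 REPLY=FCKARPLY:"
    "CONT|1|EMSSN|FCTEMS000000:EMA-Linux-2|UPLD_PRT|8013|UNATTENDED|0|UPGRADE_PATH|"
    "https://ems.example.test:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.4.0.1617_x86_64.deb|"
    f"FILESHA256|{hashlib.sha256(PACKAGE).hexdigest()}|FILESIZE|{len(PACKAGE)}|PROTO_VERSION|1.0.0|PERCON|0|\n"
    "20240405 10:15:02.550 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to EMS: Downloading\n"
    "20240405 10:15:09.322 TZ=-0700 [epctrl:INFO] data_downloader:393 Upgrade installer successfully downloaded\n"
    "20240405 10:15:10.386 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to EMS: Install Started\n"
    "20240405 10:15:10.398 TZ=-0700 [epctrl:INFO] deployment_impl:165 Install package version: 7.4.0.1617\n"
    "20240405 10:15:10.398 TZ=-0700 [epctrl:INFO] deployment_impl:167 Current package version: 7.2.4.0809\n"
)

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\S+) TZ=(?P<tz>\S+) \[(?P<proc>\w+):(?P<level>\w+)\] "
    r"(?P<src>\S+) (?P<msg>.*)$"
)
STATUS_PREFIX = "Sent current status to EMS: "


def parse_fckarply(line: str) -> Dict[str, str]:
    """Return the KEY -> VALUE fields of an FCKARPLY keep-alive reply line."""
    marker = "REPLY=FCKARPLY:"
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("not an FCKARPLY reply line")
    fields = line[idx + len(marker):].strip().rstrip("|").split("|")
    if len(fields) % 2:
        raise ValueError("FCKARPLY payload has an odd number of fields")
    return dict(zip(fields[0::2], fields[1::2]))


def deployment_statuses(lines: Iterable[str]) -> List[str]:
    """Collect the status transitions FortiClient reported back to EMS, in order."""
    statuses = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("msg").startswith(STATUS_PREFIX):
            statuses.append(m.group("msg")[len(STATUS_PREFIX):])
    return statuses


def package_versions(lines: Iterable[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (current, install) package versions logged by deployment_impl."""
    current = install = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Install package version: "):
            install = msg.split(": ", 1)[1]
        elif msg.startswith("Current package version: "):
            current = msg.split(": ", 1)[1]
    return current, install


def verify_package(data: bytes, reply: Dict[str, str]) -> List[str]:
    """Check a downloaded package against the reply; returns problems (empty list = OK).

    The size comparison is a cheap pre-check; the SHA-256 comparison is the
    integrity check, done in constant time to avoid leaking the digest prefix.
    """
    problems = []
    try:
        if len(data) != int(reply.get("FILESIZE", "")):
            problems.append(f"size {len(data)} != announced {reply.get('FILESIZE')}")
    except ValueError:
        problems.append("FILESIZE missing or not numeric")
    expected = reply.get("FILESHA256", "").lower()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        problems.append("SHA-256 mismatch: package does not match what EMS announced")
    if not reply.get("UPGRADE_PATH", "").startswith("https://"):
        problems.append("UPGRADE_PATH is not an https URL")
    return problems


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    reply = parse_fckarply(lines[0])
    print("statuses:", deployment_statuses(lines))
    print("versions (current, install):", package_versions(lines))
    print("package problems:", verify_package(PACKAGE, reply) or "none")
```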

Linux-based EMS model

EMS 7.4.0 introduces a shift to a Linux-based model from the Windows Server-based model in earlier EMS versions. This change provides numerous benefits, including improved architecture and flexibility. See the following documents for information on this change:
• EMS 7.4 Install and Migration Guide
• Management capacity
• EMS 7.4.0 Release Notes

Because implementing or migrating to EMS 7.4.0 on the Linux platform can be complex, Fortinet highly recommends FortiClient Best Practices Service (BPS). FortiClient BPS is an account-based annual subscription providing access to a specialized team that delivers remote guidance on deployment, upgrades, and operations. The service allows customers to share information about their deployment, user requirements, resources, and other related items. Based on the information provided, the BPS experts can provide recommended best practices, sample code, links to tools, and other materials or assistance to speed adoption and guide the customer towards best practice deployments. The team does not log into customer devices to make changes for them. This is a consulting and guidance service which may include sample configurations or playbooks. It is not an on-site professional services offer.

Support for access key for Fortinet Security Fabric devices to connect to FortiClient Cloud

FortiClient Cloud supports defining an access code to identify an instance. A Fabric device can establish connection to a FortiClient Cloud instance by providing one of the following in the SNI:
• FortiCloud account ID. The connection succeeds if the FortiCloud account has only one FortiClient Cloud instance and there is no organizational unit structure.
• FortiCloud account ID and FortiClient Cloud access key
This feature supports the following key types:
• EMS API access key. Only a primary account can create EMS API access keys. These keys do not expire.
• FortiGate access key. This feature requires FortiOS 7.4.4 or later.

To create an EMS API access key:

1. In FortiClient Cloud, go to Access Key > EMS API Access.
2. Click Create New Key.
3. In the Name field, enter a unique name, then click OK.
4. Once the key is created, copy it to a safe location, as it does not display again after you close the dialog. Click Close.
5. EMS API keys display in the EMS API Access table. Note that the key ID is not the same as the generated API key that you copied in step 4. To view information about the keys, click How to Use this Key.

To create a FortiGate access key:

1. In FortiClient Cloud, go to Access Key > FortiGate Access Key.
2. Click Create New Key.
3. In the Name field, enter a unique name, then click OK.
4. Once the key is created, copy it to a safe location, as it does not display again after you close the dialog. Click Close.
5. The FortiGate keys display in the FortiGate Access Key table. Note that the key ID is not the same as the generated API key that you copied in step 4. To view information about the keys, click How to Use this Key.
6. On the FortiGate, configure the key on the EMS Fabric connector:

   config endpoint-control fctems
       edit 1
           set status enable
           set name "ems-cloud"
           set fortinetone-cloud-authentication enable
           set cloud-authentication-access-key "<FortiGate key>"
       next
   end

7. In EMS, authorize the FortiGate to complete the connection. Standalone FortiGates or separate virtual domains from the same FortiGate can establish Fabric connection with FortiClient Cloud.

On-fabric detection based on destination address 7.4.1

EMS adds on-fabric detection rules based on the following new detection types for destination addresses:
• DNS web request
• HTTP web request
• HTTPS web request
For more information about this feature, see On-fabric detection based on destination address.

Auto upgrade EMS to latest patch release 7.4.1

Once a new EMS patch releases, EMS displays an upgrade prompt with the following options:
• Upgrade immediately
• Schedule the upgrade at a convenient time
For more information about this feature, see Auto upgrade EMS to latest patch release.

FortiClient hotfix deployment via EMS 7.4.1

You can deploy FortiClient hotfix installers from EMS. A hotfix contains a subset of the FortiClient binaries
to address a specific issue and reduces the risk of unintended side effects. Creating a hotfix installer
follows the same EMS process as creating any other installer.
Prior to this implementation, EMS was restricted to deploying only major and minor FortiClient versions,
such as 7.4.0 and 7.4.1. With this enhancement, if a bug is identified in any version, Fortinet can promptly
address it by deploying a hotfix, rather than waiting for the release of the next major or minor build.

To create a hotfix installer:

1. In EMS, go to Deployment & Installers > FortiClient Installer.
2. Click Add.
3. From the Release dropdown list, select the desired FortiClient version.
4. From the Patch release dropdown list, select the desired patch version.
5. If a hotfix is available for the selected patch, the Hotfix dropdown list appears. In the following example, there are two hotfixes available for the selected version, 7.4.1.

6. If desired, enable the Auto update to the option. When you select any of the following options, the installer automatically updates. For example, consider that you create the installer with Latest Patch only selected. When a new patch, 7.4.2, becomes available, EMS automatically updates the installer to install 7.4.2. If the installer is configured in a deployment configuration, the configuration is updated with the new installer, and if the configuration is enabled, EMS automatically deploys the updated installer. The following options are available:
   • Latest Patch only
   • Latest Hotfix only
   • Latest Patch and Hotfix
   For a hotfix installer, select Latest Hotfix only or Latest Patch and Hotfix.

   Hotfixes are specific to particular versions. You can only deploy a hotfix to an endpoint if it has the base FortiClient already installed. For example, you can only deploy or install hotfix 1715:5372 on an endpoint where FortiClient 7.4.1 build 1715 is installed. If an installer with Latest Patch and Hotfix selected is deployed to an endpoint with FortiClient 7.4.0 installed and the latest hotfix available is 1715:5372, the deployment first installs FortiClient 7.4.1 build 1715 on the endpoint, then installs the hotfix.
7. Continue configuring the installer as desired. After creation, you can view the installer in Deployment & Installers > FortiClient Installer. Click Hotfix-Details to see the details of the bug or issue that this hotfix addresses.
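As an added example (not EMS code), the following models the hotfix applicability rule just described and the two auto-update options that carry a hotfix, using the page's example builds 1617 and 1715 and hotfix 1715:5372. The release catalogue is constructed, and how EMS resolves this internally is an assumption; the model only reproduces the behaviour the text states.

```python
"""Model of the hotfix applicability rule described above: hotfix <build>:<n> applies
only to the FortiClient build it was made for, so an endpoint on an older release
must first receive that base build before the hotfix is installed.

Added example, not EMS code. The release catalogue and the version/hotfix strings
are constructed from the page's example values (7.4.0 build 1617, 7.4.1 build 1715,
hotfix 1715:5372); EMS's internal resolution logic is an assumption here.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, build

# Constructed catalogue of patch releases EMS can deploy: release -> full version string.
CATALOGUE: Dict[str, str] = {"7.4.0": "7.4.0.1617", "7.4.1": "7.4.1.1715"}


def parse_version(text: str) -> Version:
    """'7.4.1.1715' -> (7, 4, 1, 1715)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return major, minor, patch, build


def parse_hotfix_id(text: str) -> Tuple[int, int]:
    """'1715:5372' -> (1715, 5372): the base build the hotfix targets and the hotfix number."""
    base, sep, number = text.partition(":")
    if not sep or not base.isdigit() or not number.isdigit():
        raise ValueError(f"unexpected hotfix id format: {text!r}")
    return int(base), int(number)


def hotfix_applies(installed: str, hotfix_id: str) -> bool:
    """True when the installed build is the one the hotfix was built for
    (the same question a compatibility check of the hotfix installer answers)."""
    return parse_version(installed)[3] == parse_hotfix_id(hotfix_id)[0]


def plan_deployment(installed: str, hotfix_id: str, mode: str,
                    catalogue: Dict[str, str] = CATALOGUE) -> List[str]:
    """Return the ordered install steps for an auto-update installer.

    mode is one of the two hotfix-bearing options: 'Latest Hotfix only' never
    changes the base build, so a mismatched endpoint gets nothing; 'Latest Patch
    and Hotfix' first brings the endpoint to the hotfix's base build, then applies
    the hotfix.
    """
    if mode not in ("Latest Hotfix only", "Latest Patch and Hotfix"):
        raise ValueError(f"unknown auto-update mode: {mode!r}")
    base_build, _ = parse_hotfix_id(hotfix_id)
    if hotfix_applies(installed, hotfix_id):
        return [f"install hotfix {hotfix_id}"]
    if mode == "Latest Hotfix only":
        return []  # base build missing: the hotfix cannot be deployed on its own
    target = next((v for v in catalogue.values() if parse_version(v)[3] == base_build), None)
    if target is None:
        raise LookupError(f"no catalogue release has build {base_build}")
    if parse_version(installed) > parse_version(target):
        return []  # endpoint is already newer than the hotfix's base; nothing to do
    return [f"install FortiClient {target}", f"install hotfix {hotfix_id}"]


if __name__ == "__main__":
    for endpoint in ("7.4.0.1617", "7.4.1.1715"):
        print(endpoint, "->", plan_deployment(endpoint, "1715:5372", "Latest Patch and Hotfix"))
```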

To manually download and install a hotfix on an endpoint:

1. In EMS, go to Deployment & Installers > FortiClient Installer.
2. Click Download Link.
3. Provide the link to end users.
4. On the endpoint, go to the link.
5. The page includes the base installer and hotfix folder. If the endpoint already has the desired FortiClient version installed, download just the hotfix installer, [Link].
6. Install the hotfix by doing one of the following:
   • (Recommended) Use the command line to install the hotfix. In Command Prompt, run [Link] -h to view available parameters. Installing the hotfix using the command line is recommended so that you can use these parameters. For example, you may run [Link] --test to verify that the installed FortiClient version is compatible with the hotfix. Run [Link] to install FortiClient.
   • Double-click [Link].

To uninstall a hotfix, you can run [Link] -u in Command Prompt. This command only uninstalls the hotfix and does not affect the FortiClient installation.

Deploying EMS as a VM image 7.4.1

You can deploy EMS server as a virtual machine (VM) image. EMS supports the VMware ESXi and KVM
hypervisors and provides VM images for x86_64 and ARM architectures.

To deploy EMS on ESXi:

1. Click Create/Register VM.
2. Select Deploy a virtual machine from an OVF or OVA file. Click Next.
3. Enter the VM name and upload the OVA file. Click Next.
4. Configure the VM.
5. Click Finish.
6. Review the configuration and start the VM. When the VM boot completes, the OS logon page displays.

7. Log in to the virtual machine. The default credentials are:
   • Username: ems
   • Password: ems
8. Change the default password when prompted.
9. Access the FortiClient EMS GUI using the VM IP address or FQDN.

To deploy FortiClient EMS on KVM:

1. Set up QEMU/KVM on a Linux host.
2. Copy the forticlientems_vm qcow2 image under /var/lib/libvirt/images/.
3. Run the following command to initialize the virtual machine with the FortiClient EMS image:

   sudo virt-install --name EMS_VM --memory 4096 --vcpus 2 --disk path=/var/lib/libvirt/images/forticlientems_vm.[Link].qcow2,format=qcow2 --import --os-variant generic --network bridge=virbr0 --graphics none

   You can change the configuration in the command as needed.

4. Log in to the virtual machine. The default credentials are:
   • Username: ems
   • Password: ems

5. Access the FortiClient EMS GUI using the VM IP address or FQDN.

To install FortiClient EMS on an ARM processor:

1. Download the ARM EMS installer from the support portal. The installer file name is in the form
forticlientems_7.[Link].
2. Make the installer executable:

sudo chmod +x ./forticlientems_7.[Link]

3. Run the installer:

sudo ./forticlientems_7.[Link]

FortiClient GUI enhancement 7.4.1

The FortiClient GUI has been enhanced to be more accessible to users:
• The color contrast of text and icons has been increased.
• The GUI can be zoomed to 200%.
• Support has been added for the NVDA screen reader.
• The date and time format is displayed based on the region when FortiClient is switched to any of the supported languages. For example, when the endpoint language is changed to a European language, such as French, the date format changes to the ISO 8601 standard yyyy-mm-dd.
• Navigation between controls can be performed using only the keyboard. This includes the avatar, Zero Trust Telemetry, endpoint profiles, Notifications, Settings, and About tabs.

Keyboard navigation
Keyboard navigation controls include the following:
• After navigating to the desired tab, press the Tab key to focus on elements in the page. Continuously pressing Tab shifts the focus to the next element. The direction in which you traverse the elements can be reversed by pressing Shift + Tab.
• When you have identified the element you would like to interact with, press Enter to click or open the element.
• Press the space bar to select or deselect a check box.
• Use the left, right, up, and down arrows to select different radio buttons.
• Press Esc to escape from recent settings pages, such as a dialog, dropdown menu, and so on. Where pressing Tab moves focus from the navigation menu to the settings page, pressing Esc returns focus to the navigation menu.
• Zoom in and out using Ctrl + I and Ctrl + O, respectively. Pressing Ctrl + R resets the zoom. When zoomed in, you can use the arrow keys to scroll vertically and horizontally.
• Press Alt + F, Alt + V, and Alt + H to open File, View, and Help, respectively.

Create connectors with OAuth 2.0 token-based authentication 7.4.1

FortiClient EMS now supports a new type of connector that uses OAuth 2.0 token-based authentication.
Previously, only certificate-based authentication was supported. When the EMS administrator creates a
connector, FortiClient EMS generates a Client ID and Client Secret to be used by the product on the other
side of the connector. You can integrate with FortiADC, FortiAnalyzer, FortiEDR, FortiManager, FortiSIEM,
FortiToken Cloud, or FortiWeb.

To create a connector with OAuth 2.0 token-based authentication:

1. Go to Fabric & Connectors > Fabric Devices.
2. Click Add. The Add OAuth 2.0 Fabric Connector dialog is displayed.
3. Select the Connector Type.
4. Enter the Serial Number.
5. Enter the VDOM, if desired.
6. Click Next.
7. Select the Role. The role defines which APIs the connector is authorized to access.
8. Enter the Token Lifetime. After the Token Lifetime expires, the token can no longer be used for authorization. The default value is 3600 seconds and the minimum value is 60 seconds.
9. Enter the Alias, if desired.
10. Click Finish. The Client ID and Client Secret are generated.
11. Copy the Client ID and Client Secret.
12. Click Close. A confirmation dialog is displayed.
13. Click Yes.

The Client ID and Client Secret can be used by other Fortinet devices that support OAuth 2.0 Fabric connector features to call FortiClient EMS APIs.

Assign AD and local Windows server groups to roles 7.4.1

Instead of assigning users individually to roles in FortiClient EMS, you can now assign AD and local Windows server groups to roles, and anyone in those groups has the access that the role allows. Previously, administrators were limited to a single SAML SSO configuration for admin logins, with only the username assertion attribute available. Additionally, admin roles could only be assigned to individual users. Now, with the introduction of the new SAML SSO feature, multiple identity providers (IdPs) can be configured. This update adds Group name assertion attributes, allowing admin roles to be assigned to groups as well.

To assign a group to a role:

1. Go to Administration > SAML SSO.
2. Click Add to create a new IdP:
   a. In Assertion Attributes, define a Username and Group name.
   b. In Access Control, click Add to assign the roles for the group members:
      i. Create a member with the Super Administrator role and the highest Priority.
      ii. Assign the access of other group members. In this example, the default Rule, which typically applies to everyone, is disabled.
      iii. For each Rule that is not assigned to a Super Administrator role, click Advanced Settings, then:
         i. Configure domain access. This enables finer control over the specific authorization levels assigned to administrators.
         ii. Click Finish.
      iv. Configure other settings as needed.
      v. Click Save.
3. Access the FortiClient EMS login page.
4. Click Sign in with SSO.
5. Enter the email and EMS site name credentials. The email address domain should correspond to the domain specified in the SAML SSO configuration page.
6. Click Sign in. You are redirected to the IdP page. Upon successful authentication by the IdP, access to FortiClient EMS is granted based on the role previously defined.
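As an added example (not FortiClient EMS code), the following models the rule evaluation this procedure sets up: rules are checked in priority order, the first enabled rule matching one of the asserted groups grants its role, a disabled default rule means deny by default, and the login email domain must match the SAML SSO configuration. Group, rule and role names other than Super Administrator are constructed, and treating domain access as a scope attached to the grant is an assumption.

```python
"""Model of the group-based admin role assignment described above: the IdP's SAML
assertion carries a Username and Group name attribute; access-control rules are
evaluated in priority order, the first enabled rule whose group the user belongs to
grants its role (plus any domain-access scope), and when the default "everyone"
rule is disabled an unmatched user gets no access at all.

Added example, not FortiClient EMS code. Rule, group, domain and role names other
than "Super Administrator" are constructed; carrying domain access as a scope on
the grant is an assumption about how the Advanced Settings apply.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int                        # higher value is evaluated first
    role: str
    group: Optional[str] = None          # None models the default rule that applies to everyone
    enabled: bool = True
    domain_access: Tuple[str, ...] = ()  # Advanced Settings > domain access (constructed scope)


@dataclass(frozen=True)
class Assertion:
    username: str                        # Username assertion attribute (an email address)
    groups: Tuple[str, ...]              # Group name assertion attribute values


@dataclass(frozen=True)
class Grant:
    role: str
    domain_access: Tuple[str, ...]


def email_domain(username: str) -> str:
    """Domain part of the asserted username, lower-cased for comparison."""
    return username.rpartition("@")[2].lower()


def resolve_access(assertion: Assertion, rules: Sequence[Rule], sso_domain: str) -> Optional[Grant]:
    """Return the Grant for this login, or None when access should be denied."""
    # The login form requires the e-mail domain to match the SAML SSO configuration.
    if email_domain(assertion.username) != sso_domain.lower():
        return None
    member_of = {g.lower() for g in assertion.groups}
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not rule.enabled:
            continue
        if rule.group is not None and rule.group.lower() not in member_of:
            continue
        return Grant(rule.role, rule.domain_access)
    return None  # no rule matched and the default rule is disabled: deny by default


# Constructed rule set following the procedure: Super Administrator at the highest
# priority, a scoped rule for other group members, and the default rule disabled.
RULES = (
    Rule(priority=100, role="Super Administrator", group="EMS-Admins"),
    Rule(priority=50, role="Helpdesk Admin", group="Helpdesk", domain_access=("corp.example",)),
    Rule(priority=0, role="Read Only", group=None, enabled=False),
)
SSO_DOMAIN = "example.com"

if __name__ == "__main__":
    for user in (Assertion("alice@example.com", ("Helpdesk", "EMS-Admins")),
                 Assertion("bob@example.com", ("Helpdesk",)),
                 Assertion("carol@example.com", ("Sales",)),
                 Assertion("dave@other.example", ("EMS-Admins",))):
        print(user.username, "->", resolve_access(user, RULES, SSO_DOMAIN))
```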

FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1

A cloud-based software-as-a-service endpoint management service called FortiEndpoint is available. This
is a Fortinet-hosted EMS solution. FortiEndpoint provides the same features as FortiClient Cloud but with an
additional FortiEndpoint deployment feature.
See the FortiEndpoint Administration Guide for details.
When the EMS and FortiEDR systems are integrated, you can create a unified installer that installs
FortiClient and FortiEDR components on the endpoint. Because the FortiEDR installer is preconfigured, the
FortiClient installation experience is unchanged and no FortiEDR user prompts appear.

Example 1
The following example demonstrates installing FortiClient integrated with the FortiEDR agent using the
EMS-created installer. FortiEDR has not been installed beforehand.

The following are required:
• EMS requires a FortiEDR license to support the integration.
• FortiClient custom installers do not support FortiEDR. Only the installer from the FDS can be enabled with the FortiEDR feature.
• Configure the endpoint DNS to point to cloud ENS before installing FortiClient.

To install FortiClient integrated with the FortiEDR agent:

1. Go to Endpoint Profiles > System Settings.
2. In Endpoint Control, enable Enable Endpoint Detection & Response.
3. Go to Deployment & Installers > FortiClient Installer.
4. Click Add.
5. Configure the General settings:
   a. Enter the Online Installer Name.
   b. Select the Release and Patch version.
   c. Deselect Hotfix.
   d. Enter the Invitation.
   e. Click Next.
6. Configure the Features:
   a. Enable Endpoint Detection & Response.
   b. Click Next.
7. Configure the EDR Feature settings:
   a. Select the EDR Engine Version.
   b. Click Next.
8. Configure the Advanced features.
9. Click Finish. The FortiClient installer with the FortiEDR agent is displayed.
10. When the Status is Ready for deployment, click Generate Zip.
11. Click Confirm.
12. Click Download Zip.
13. Copy the FortiClient installer .zip file to a clean Windows machine, then extract the file and start the installation process using the .exe file. FortiClient and the FortiEDR agent are installed simultaneously. The FortiTray notification message displays EDR State: Running once FortiClient is registered with EMS.

A new profile tab Detection and Response is added on the FortiClient console and shows the FortiEDR
agent status. FortiEDR Collector Service will be running along with the FortiClient.

Example 2
The following example demonstrates how FortiClient integrated with the FortiEDR agent can detect and
block malicious applications.

To use FortiClient integrated with FortiEDR:

1. Enable the FortiEDR feature:
2. Go to Endpoint Profiles > System Settings.
3. In Endpoint Control, enable Enable Endpoint Detection & Response. When enabled, the Detection & Response tab is displayed in FortiClient with the status EDR Enabled. When the EDR agent detects a malicious application, it blocks the application and shows a Block Event FortiTray notification message. The Activity Log count on the Detection & Response page is updated.
4. In Detection & Response, click the Activity Log count or the settings icon. EDR-blocked events are shown in the Activity Log table.
5. If available, click > on a detection event to see more details.

EDR detection event logs can be seen on the endpoint at C:\ProgramData\FortiEDR\Logs\Collector in the [Link] file. FortiClient can also send EDR events to FortiClient EMS. These events are displayed in the EDR Events tab.

Support forensic analysis reports on macOS endpoints 7.4.1

Like for Microsoft Windows, forensic analysis reports are now supported on macOS endpoints.

To implement forensic analysis reports on macOS endpoints:

1. Download the macOS FortiClient installer DMG file and proceed with the installation process. The forensics engine is installed as part of FortiClient. The forensic engine and fortifs daemon can be found in the /Library/Application Support/Fortinet/FortiClient/bin/ folder. The version of the forensic engine can be viewed in the FortiClient About page.
2. In FortiClient EMS, go to the endpoint in Endpoints > All Endpoints.
3. Click Request Analysis.
4. The forensic request is generated for the forensics team to review. The download link can be found in the /Library/Application\ Support/Fortinet/FortiClient/Logs/[Link] file after it is successfully uploaded.
5. Go to Endpoints > All Endpoints and select the endpoint.
6. Agent Status displays the current state of the forensics agent:

Agent Status          Description
Pending               The request is sent to FortiClient for log collection.
Running               The forensic engine is currently collecting the logs.
Collection Completed  The forensic engine finished collecting the logs.
Upload Started        The Fortifs daemon is uploading the logs to the server.
Upload Completed      The FortiClient Fortifs daemon finished uploading the logs.
Upload Failed         The FortiClient Fortifs daemon failed to upload the logs.

Add support for ManageEngine MDM 7.4.1

FortiClient EMS now supports an integration with ManageEngine Mobile Device Manager (MDM) Plus, to
deploy ZTNA certificates to iOS and Android devices.

Preparing for on-premise ManageEngine instances

FortiClient EMS must have an API key with adequate privileges. If the privilege requirements are not met, the integration test fails with a detailed message indicating the missing privilege.

To retrieve the API key:

1. Log into the on-premise ManageEngine.
2. Select Admin.
3. Go to Integration > API Key Generation.
4. Click Generate key.
5. Select MDM Migration.
6. Click Generate Key.

To configure integration between on-premise ManageEngine and FortiClient EMS:

1. In FortiClient EMS, go to System Settings.
2. Select MDM Integration.
3. Click Enable MDM Integration.
4. Select ManageEngine MDM Plus from the Vendor dropdown list.
5. Set Deployment to On-Premise.
6. Enter the access information:
   • URL: Enter the URL of your on-premise ManageEngine server.
   • API key: Enter the API key you generated before.

Preparing for cloud ManageEngine instances

For cloud ManageEngine instances, FortiClient EMS must have a Zoho OAuth client ID and client secret.

To retrieve the client ID and secret:

1. Log into the Zoho Developer's console at [Link]
2. In the Choose a Client Type page, select Self Client. A Client ID and Client Secret are provided.

To configure integration between cloud ManageEngine and FortiClient EMS:

1. In FortiClient EMS, go to System Settings.
2. Select MDM Integration.
3. Click Enable MDM Integration.
4. Select ManageEngine MDM Plus from the Vendor dropdown list.
5. Set Deployment to Cloud.
6. Enter the access information:
   • Region: Enter the region of your cloud ManageEngine server.
   • Client ID: Enter the client ID provided previously.
   • Client Secret: Enter the client secret provided previously.

Enrolling the device and deploying FortiClient

To enroll the device to ManageEngine MDM and deploy FortiClient:

1. On the ManageEngine console page, navigate to Mobile Device Mgmt.
2. Go to Enroll > Users.
3. Click Add Users.
4. Enter the details and enable Send an enrollment invite for the user to enroll the device.
5. Click Add user.
6. Click the URL or scan the QR code sent in the invite to download the profile.
7. On iOS, install the MDM profile by navigating to Settings > General > VPN & Device Management.
8. Go to Management > Groups & Devices and create a new group.
9. Add the users created to the group.

10. Click Create Group.

To configure integration between ManageEngine and FortiClient (iOS):

1. In ManageEngine Endpoint Central, go to Mobile Device Mgmt > Management > App Repository.
2. Under Apps, click Add App.
3. Select FortiClient (iOS).
4. Open a text editor and configure an XML file to upload to ManageEngine. The following example configures only the manageengine_device_id key, with the value %devicename%|%udid%:

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "[Link]">
   <plist version="1.0">
   <dict>
       <key>manageengine_device_id</key>
       <string>%devicename%|%udid%</string>
   </dict>
   </plist>

5. Save the file as an XML file.
6. In ManageEngine, in the App Configurations field, upload the XML file.
7. Click Save.
8. Add the app to the group created previously.
9. When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending on the configuration.

To configure integration between ManageEngine and FortiClient (Android):

1. In ManageEngine Endpoint Central, go to Mobile Device Mgmt > Management > App Repository.
2. Under Apps, click Add App.
3. Select FortiClient (Android).
4. Configure the settings.

5. Click Save.
6. When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud,
depending on the configuration.

EMS VM image 7.4.1

You can deploy EMS as a virtual machine (VM) image like many other Fortinet products. EMS supports the VMware ESXi and KVM hypervisors and provides VMs for x86_64 and ARM architectures.
The VM image includes the following OS hardening modifications:
• Unneeded users are removed: games, man, news, uucp, proxy, backup, list, irc, gnats, uuidd, mail, lp, nobody, tss, landscape, fwupd-refresh, usbmux, lxd.
• The forticlientems user, which runs EMS processes, has no login.
• Only the ems user has SSH access.
• The firewall is enabled and only the following TCP ports are open by default:

  TCP port               Usage
  22                     SSH access to EMS VM or server
  4001                   Send zero trust network access certificates to mobile device management endpoints
  8013                   Telemetry
  8015                   Send updates to FortiOS
  8443                   Provision profiles to Chromebooks
  8871                   Connection to remote Active Directory connector
  80, 443, 10443, 9443   EMS GUI and APIs

• On first login, EMS requires changing the password for the ems user.

EMS VMs run in standalone mode.
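The following script, added as an example and not Fortinet tooling, compares the TCP listeners reported by `ss -ltn` on an EMS VM with the ports documented above and flags anything else for review, treating loopback-only listeners separately because they are not reachable remotely. The ss output embedded here is constructed.

```python
"""Compare the TCP listeners on an EMS VM with the ports the hardening notes above
document as open in the VM firewall, and flag anything else for review.

Added example, not Fortinet tooling. The ss output is constructed; on a real VM,
feed audit_listeners() the output of `ss -ltn`. Port usages are those documented
in the table above.
"""
from typing import Dict, Set

# TCP ports the page documents as enabled in the EMS VM firewall by default.
DOCUMENTED_TCP_PORTS: Dict[int, str] = {
    22: "SSH access to EMS VM or server",
    80: "EMS GUI and APIs",
    443: "EMS GUI and APIs",
    4001: "ZTNA certificates to mobile device management endpoints",
    8013: "Telemetry",
    8015: "Send updates to FortiOS",
    8443: "Provision profiles to Chromebooks",
    8871: "Connection to remote Active Directory connector",
    9443: "EMS GUI and APIs",
    10443: "EMS GUI and APIs",
}

# Constructed `ss -ltn` output: documented services plus two extra listeners.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:443         0.0.0.0:*
LISTEN  0       4096    *:8013              *:*
LISTEN  0       4096    [::]:10443          [::]:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     0.0.0.0:5900        0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def listening_ports(ss_output: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the set of local addresses it is bound to."""
    ports: Dict[int, Set[str]] = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = cols[3].rpartition(":")  # handles "[::]:10443" and "*:8013"
        if not port.isdigit():
            continue
        ports.setdefault(int(port), set()).add(addr)
    return ports


def audit_listeners(ss_output: str,
                    documented: Dict[int, str] = DOCUMENTED_TCP_PORTS) -> Dict[str, Set[int]]:
    """Classify listeners as documented, loopback-only (not reachable remotely), or unexpected."""
    result: Dict[str, Set[int]] = {"documented": set(), "loopback_only": set(), "unexpected": set()}
    for port, addrs in listening_ports(ss_output).items():
        if port in documented:
            result["documented"].add(port)
        elif addrs <= LOOPBACK:
            result["loopback_only"].add(port)
        else:
            result["unexpected"].add(port)
    return result


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT)
    for port in sorted(report["documented"]):
        print(f"ok        {port:<6} {DOCUMENTED_TCP_PORTS[port]}")
    for port in sorted(report["loopback_only"]):
        print(f"loopback  {port:<6} local-only listener, not exposed")
    for port in sorted(report["unexpected"]):
        print(f"REVIEW    {port:<6} listener not in the documented port list")
```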

To deploy EMS on VMware ESXi:

1. In VMware ESXi, click Create/Register VM.
2. Select Deploy a virtual machine from an OVF or OVA file.
3. Click Next.
4. Enter the VM name and upload the OVA file.
5. Click Next.
6. Configure the VM as desired.
7. Click Finish.
8. Review the configuration and start the VM. When the VM boot completes, the OS logon page displays.
9. Log in to the VM. The default credentials are:
   • Username: ems
   • Password: ems
   You are required to change these credentials upon first login.
10. Change the default password when prompted.
11. Access the EMS GUI using the VM IP address or FQDN. See Starting FortiClient & FortiClient EMS and logging in.

To deploy FortiClient EMS on KVM:

1. Set up QEMU/KVM on a Linux host.
2. Copy the forticlientems_vm qcow2 image under /var/lib/libvirt/images/.
3. Run the following command to initialize the virtual machine with the FortiClient EMS image:

   sudo virt-install --name EMS_VM --memory 4096 --vcpus 2 --disk path=/var/lib/libvirt/images/forticlientems_vm.[Link].qcow2,format=qcow2 --import --os-variant generic --network bridge=virbr0 --graphics none

   You can change the configuration in the command as needed.

4. Log in to the virtual machine. The default credentials are:
   • Username: ems
   • Password: ems

5. Access the EMS GUI using the VM IP address or FQDN. See Starting FortiClient & FortiClient EMS and
logging in.

To install FortiClient EMS on an ARM processor:

1. Download the ARM EMS installer from the support portal. The installer file name is in the form
forticlientems_7.[Link].
2. Make the installer executable:

sudo chmod +x ./forticlientems_7.[Link]

3. Run the installer:

sudo ./forticlientems_7.[Link]

4. Access the EMS GUI using the VM IP address or FQDN. See Starting FortiClient & FortiClient EMS and
logging in.


Consolidated endpoint events 7.4.3

There is a new Endpoints > All Events page available where you can view all events from all endpoints and
take actions as necessary.

For Web Filter events, only events of the Block and Warn categories are displayed
here. Events of the Allow and Monitor categories are not displayed.

If using on-premise EMS, this feature requires integrating EMS with an Elasticsearch (ES) time-series database.
Otherwise, Endpoints > All Events is unavailable. If using FortiClient Cloud, this feature is available by
default.
If using on-premise EMS, see All Events for instructions on enabling the ES integration.

The top of the page contains the following charts:

Chart: Description

Event Type: Donut chart that shows the ratio of events by type, the total number of events, and the total
number of each event type. You can click a chart section to filter only for the selected event type.

Top 10 Users with Most Events: Bar chart that displays the endpoint users with the most endpoint events.

Top 10 Endpoints with Most Events: Bar chart that displays the endpoints with the most events.

The bottom of the page displays the endpoint event list. You can filter the list by the columns. For example,
you can filter the list for a specific start and end date to only view events that occurred during that time
range.


Clicking a section of the donut chart filters the endpoint list by that event type. The following shows only
endpoint Vulnerability events for the selected time range:

You can also select the desired event type from the All Events dropdown menu on the right.
You can create, update, or delete an event view. An event view is a saved combination of filters for the
endpoint event list. When you save a view, you can simply select it later instead of reconfiguring the desired
filters.


To create an event view:

1. In Endpoints > All Events, configure the desired filters.


2. Beside Unsaved View, click the save icon.
3. In the Create View pane, for Action, select Create View.
4. Configure other fields as desired, then click OK.

To export an event list:

1. In Endpoints > All Events, in the upper right corner, click Export.
2. Select CSV or JSON.
3. Export the file as desired.
When you select events in the event list, you can use the Actions dropdown list to apply actions to the
endpoints with the selected events. For descriptions of these actions, see Viewing the Endpoints pane.

Installing EMS with separate time series ES DB 7.4.3

You can install EMS to integrate with a separate time series Elastic Search (ES) database (DB) cluster to
support queries for events. This DB is necessary to view the consolidated endpoint events view in Endpoints
> All Events. See All Events.
This document does not provide instructions for configuring the ES DB cluster. It assumes that you have
already configured an ES DB cluster.
To install EMS with ES integration, you must use the following parameters:

Parameter: Description

elastic_ca_path: Path to the ES certificate authority certificate.
elastic_hosts: ES server IP address and port that ES uses to communicate with EMS, in <ES server IP address:port> format.
elastic_password: ES password.
elastic_user: ES username.
enable_event_feature: Enable event worker.
enable_remote_https: Enable remote HTTPS access to EMS.

The following provides an example install command:

forticlientems_7.[Link] -- --enable_event_feature --elastic_hosts "[Link]:8000" --elastic_user emai --elastic_password Fortinet123# --elastic_ca_path /home/emai/Desktop/[Link]

This feature adds a new fcems_event.service service:


It also adds a new eventworker log file:

Syncing remote categories from imported FortiOS or FortiManager Web Filter profile 7.4.3

Web Filter profiles imported from FortiOS or FortiManager to EMS now include FortiGuard Category Based
Filter > Remote Categories. Endpoints that are assigned this profile can follow this URL filter list to block
outbound connections to known malicious URLs and domains. In EMS, the remote categories display the
profile name, URL list, and the configured action for this URL list: allow, monitor, or block. Prior to this
enhancement, customers manually updated the FortiOS static URL filter list, which was time-consuming,
error-prone, and inconvenient.

To import a Web Filter profile with remote categories from FortiOS to EMS:

1. Configure the Web Filter profile in FortiOS:


a. Configure a FortiGuard category threat feed to populate the FortiGuard remote categories for the
desired Web Filter profile. See FortiGuard category threat feed.
b. Go to Security Profiles > Web Filter.
c. Create a new profile or edit an existing one.
d. Under FortiGuard Category Based Filter > Remote Categories, configure the desired actions for the
categories from the threat feed. If you set a category action to Disable, EMS does not import it.
Save.


2. Import the profile to EMS and deploy it to endpoints:


a. In EMS, go to Endpoint Profiles > Web Filter.
b. Click Import > Import from FortiGate / FortiManager.
c. Configure the FortiGate fields as required, then click Next.
d. Select the desired profile to import. Click Next.
e. Select the desired synchronization mode for the profile. Click Import.
f. Edit the imported Web Filter profile. Confirm that Remote Categories displays with the same
categories and actions as seen in FortiOS. In this example, EMS did not import the own2 category
as its action is set to Disable in FortiOS. You can click the category name to view the associated
URLs.


g. Go to Endpoint Policy & Components.


h. Create a new policy or edit an existing one.
i. From the Profile > WF dropdown list, select the imported profile. Save.
3. On an endpoint that received the updated profile, confirm that FortiClient applies the configured action
to a URL in the remote category list. The block page displays the category name.
4. On EMS, in Endpoints > All Endpoints, select the endpoint.
5. On the Web Filter Events tab, you can view the blocked URL events for that category.
6. If desired, in FortiOS, you can configure exempt URLs in a Web Filter profile under Static URL Filter.
7. After this profile is imported to EMS, you can view the exclusion list. You cannot modify it as it can only
be modified from FortiOS.


To import a Web Filter profile with remote categories from FortiManager to EMS:

The procedure for importing a Web Filter profile with remote categories from FortiManager to EMS is almost
identical to importing such a profile from FortiOS.
1. In FortiManager, configure the following:
a. Configure a threat feed as Creating threat feed connectors describes. Use the following values:
i. For Type, select FortiGuard Category.
ii. For Update Method, select External Feed.
iii. In the URL of external resource field, enter a URL that points to a text file with the relevant URLs
listed.

b. Go to Policy & Objects > Security Profiles.


c. Create a Web Filter profile or edit an existing one.
d. Under FortiGuard Category Based Filter > Remote Categories, configure the desired actions for the
categories from the threat feed. If you set a category action to Disable, EMS does not import it.
Save.


2. Import the profile to EMS and deploy it to endpoints:


a. In EMS, go to Endpoint Profiles > Web Filter.
b. Click Import > Import from FortiGate / FortiManager.
c. Configure the FortiManager fields as required, then click Next.
d. Select the desired profile to import. Click Next.

e. Select the desired synchronization mode for the profile. Click Import.


f. Edit the imported Web Filter profile. Confirm that Remote Categories displays with the same
categories and actions as seen in FortiManager. You can click the category name to view the
associated URLs.
g. Go to Endpoint Policy & Components.
h. Create a new policy or edit an existing one.
i. From the Profile > WF dropdown list, select the imported profile. Save.
3. On an endpoint that received the updated profile, confirm that FortiClient applies the configured action
to a URL in the remote category list. The block page displays the category name.
4. On EMS, in Endpoints > All Endpoints, select the endpoint.
5. On the Web Filter Events tab, you can view the blocked URL events for that category.
6. If desired, in FortiManager, you can configure exempt URLs in a Web Filter profile under Static URL
Filter.
7. After this profile is imported to EMS, you can view the exclusion list. You cannot modify it as it can only
be modified from FortiManager.

Vulnerability detection popup 7.4.3

You can enable a new option, Show Vulnerabilities Popup, on the Vulnerability Scan profile in EMS. With this
feature enabled, when FortiClient completes a vulnerability scan on the endpoint, it displays a FortiClient
Vulnerabilities Scan Summary popup to the user. The user can click View All Vulnerabilities in the popup to
view the scan results.

To configure the vulnerabilities scan summary popup:

1. In EMS, go to Endpoint Profiles > Vulnerability Scan.


2. Create a new profile or edit an existing one.
3. Under Scanning, enable Show Vulnerabilities Popup. Save.
4. On an endpoint that received the profile changes, start a vulnerability scan.
5. Once FortiClient completes the scan, a FortiClient Vulnerabilities Scan Summary popup displays
onscreen. Click View All Vulnerabilities.

This opens the scan results page in FortiClient.


EMS automatic upgrade improvements 7.4.3

EMS automatic upgrade has been improved as follows:


In System Settings > EMS Settings, you can toggle the Let EMS schedule automatic upgrade option to enable
or disable automatic upgrade behavior. EMS enables this option by default.

When an upgrade to the later patch of the current EMS version is available, EMS displays an upgrade
notification. By default, EMS schedules an upgrade at a date between 45 to 52 days in the future. Upgrades
to the latest version are distributed over a week to ensure that the impact of any issues can be minimized
and resolved without affecting all customers using that EMS version.


EMS also shows an alert when the upgrade is available and scheduled. If you have configured email alerts,
EMS also sends email alerts regarding the upgrade.

If desired, you can click Schedule Upgrade in the notification to reschedule the upgrade to a date up to 45
days after the notification.

If you disable Let EMS schedule automatic upgrade, EMS removes any previously scheduled automatic
upgrade.


If you disable automatic upgrade and manually schedule an upgrade, you can cancel the upgrade.
If you select Upgrade Now, EMS displays options to back up the EMS database (DB). After backing up the
DB, you can click Upgrade Now. EMS starts a five-minute countdown, after which it initiates the upgrade
procedure.

The prompt to back up the EMS DB only appears if you select Upgrade Now. Backing
up the EMS DB before upgrade, including scheduled upgrades, is recommended.

As the upgrade proceeds, EMS displays the progress. If the upgrade fails, EMS automatically reschedules
the upgrade to 24 hours after the original scheduled upgrade time.

If four consecutive upgrade attempts fail, EMS deletes the upgrade schedule. After an hour, EMS pulls the
version available from FortiGuard, and retries scheduling the upgrade again as if it were a fresh upgrade
attempt, 45 to 52 days in the future.

Add FortiAnalyzer Cloud entitlement for FortiClient Cloud SKUs 7.4.3

The following FortiClient Cloud SKUs now also include FortiAnalyzer Cloud entitlement:

SKU: License

FC2-10-EMS05-1048-02-12: Zero trust network access (ZTNA)/endpoint protection platform (EPP), managed service, and FortiAnalyzer Cloud
FC2-10-EMS05-1047-02-12: ZTNA/EPP, Forensic analysis, and FortiAnalyzer Cloud
FC2-10-EMS05-1046-02-12: ZTNA/EPP and FortiAnalyzer Cloud
FC2-10-EMS05-1045-02-12: ZTNA and FortiAnalyzer Cloud
FC2-10-EMS05-1044-02-12: XDR (Protect, Discover, Respond), ZTNA/EPP, managed service, and FortiAnalyzer Cloud
FC2-10-EMS05-1043-02-12: EDR Essential-Basic (Protect, Discover), ZTNA/EPP, managed service, and FortiAnalyzer Cloud
FC2-10-EMS05-1042-02-12: XDR (Protect, Discover, Respond), ZTNA/EPP, Forensic analysis, and FortiAnalyzer Cloud
FC2-10-EMS05-1041-02-12: XDR (Protect, Discover, Respond), ZTNA/EPP, and FortiAnalyzer Cloud
FC2-10-EMS05-1040-02-12: EDR Essential-Basic (Protect, Discover), ZTNA/EPP, and FortiAnalyzer Cloud

You no longer need to obtain a separate FortiAnalyzer Cloud entitlement when obtaining one of these SKUs.
The Entitlement widget in Asset Management displays FortiAnalyzer Cloud as included:

EMS VM image support for Hyper-V and VirtualBox 7.4.3

You can deploy EMS as a virtual machine (VM) image like many other Fortinet products. EMS adds support
for the Microsoft Hyper-V and Oracle VirtualBox hypervisors.


To deploy EMS on Hyper-V:

1. Open the new VM wizard and define a name for the VM. Click Next.
2. In Specify Generation, select Generation 1. Click Next.

3. In Assign Memory, configure the required memory settings.


4. In Connect Virtual Hard Disk, select Use an existing virtual hard disk. In Location, browse to and select the
forticlientems_vm.[Link] file. Click Finish. If desired, you can edit the configuration after the
VM is created, such as modifying the number of virtual processors.


5. Start the VM.


6. After bootup, log in using the default credentials:
• Username: ems
• Password: ems

To deploy EMS on VirtualBox:

1. Open the new VM wizard and define a name for the VM. Click Next.
2. In Hardware, configure the required hardware settings.
3. In Hard Disk, select Use an Existing Virtual Hard Disk File. Browse to and select the forticlientems_
[Link] file. Click Finish. If desired, you can edit the configuration after the VM is created,
such as modifying the number of virtual processors.


4. Start the VM.


5. After bootup, log in using the default credentials:
• Username: ems
• Password: ems


Post-installation setup wizard 7.4.3

The post-installation setup wizard facilitates the rapid setup of EMS for users immediately following
installation, prioritizing license provisioning. You must have a license to proceed and use EMS.
EMS requires you to authenticate via FortiCloud for license entitlement immediately after installation. You
must log in to EMS, validate your FortiCloud account, and EMS must retrieve the license for you to proceed
further. Access to EMS is contingent on the validation and connection of your FortiCloud account
information.
In air-gapped instances, EMS allows you to upload a license file. However, this only applies in rare cases. In
the majority of deployments, you must provide FortiCloud account information and EMS retrieves the
license directly from FortiCloud.
The post-installation setup wizard streamlines the EMS post-installation setup process.


To license EMS using the post-installation setup wizard:

1. After installing EMS, launch it for the first time. EMS displays a Welcome to EMS page that displays the
hardware ID of the machine that EMS is installed on. Registering and licensing EMS requires the
hardware ID. Do one of the following:
• If you have a registered license, click Start Journey.
• If you do not have a registered license, click Go to FortiCloud. This opens the FortiCloud website,
where you can register and license your EMS instance. See Licensing EMS by logging in to
FortiCloud for details on licensing EMS.
• To try EMS on a temporary basis, click Trial License in the bottom left. This prompts you to enter
your email address and password for trial license registration.
• If you are using an air-gapped system, click Is this an airgapped system? The wizard displays a page
where you can manually upload a license file to activate EMS.

2. On the Let's get you connected to your FortiCloud account page, do one of the following, then click Next:
• Enter your FortiCloud account credentials to retrieve your EMS license from FortiCloud.
• Activate your EMS using FortiFlex licensing by enabling Activate license through Flex-VM and
entering your FortiCloud account credentials and FortiFlex token.


If you enter incorrect credentials or do not have licensing registered to your account, the install wizard
displays a page with Reset password and Create new FortiCloud account buttons. You can use these
buttons to access FortiCloud for assistance.
3. EMS connects to FortiCloud to retrieve the license. The wizard displays the retrieved license type and
entitlements. Click Next.


4. The wizard prompts you to enter a preferred hostname for the EMS server. If desired, configure a
custom hostname, then click Next.
5. The wizard prompts you to enter a new admin username. Configure as desired, then click Next.
6. Configure a password for the new user. Click Finish. You can now access EMS with these credentials.

On-demand forensic artifact collection with forensic engine 7.4.4

Fortinet forensic analysts can request additional files from the endpoint for analysis on a case-by-case
basis beyond the predefined set that the forensic engine collects. You can define the specific artifacts that
the forensic agent collects and sends to EMS on-demand. You and forensic analysts can review these
collected artifacts.
EMS must have the forensics license applied to use the forensic analysis feature and for the analyst to
request additional files.

To request forensic analysis for an endpoint:

1. Enable the forensic analysis feature:


a. In EMS, go to System Settings > Feature Select.
b. Enable FortiGuard Forensics Analysis.
c. Click Save.
2. Configure forensic analysis in a profile:
a. Go to Endpoint Profiles > System Settings.
b. Create a new profile or edit an existing one.
c. Under Endpoint Control, toggle Enable Forensics Feature on.
d. Click Save.
e. Include this profile in a policy, and apply the policy to the desired endpoint.
3. Go to System Settings > EMS Alerts.
4. Enable Forensics Analysis updated.
5. Request analysis:
a. Go to Endpoints > All Endpoints.
b. Select the desired endpoint.


c. Under Forensic Analysis, click Request Analysis.

6. Complete the questionnaire:


a. In the Summary of the Issue field, enter a description of the issue that you are observing on the
endpoint.
b. In the Reason of Escalation field, select the reason that you are escalating this issue to the forensics
team.


c. In the First Identified Activity field, enter the date that you first observed the issue.
d. In the Actions Taken to Date field, select any actions you took to resolve this issue.
e. In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
f. If desired, provide details in the Comment field.
Click Finish and Confirm. Once you submit the request, EMS notifies FortiClient and the forensics agent
on the endpoint starts collecting forensics logs. FortiClient uploads the logs to the cloud and shares a
link with the analyst. In EMS, you can see the status of the analysis request in the endpoint summary.
7. The forensic analyst verifies the files attached to your ticket. If they require additional files for analysis,
they will request more. Once they do so, the Ticket Status changes to Additional Files Requested in EMS.
The status may take up to an hour to update after the analyst submits the request on their end. Once
EMS receives the request, it uses the forensics agent to collect the requested files and submits them to
the analysis service. The Ticket Status updates to Additional Files Uploaded.


8. Once the analysis is complete, you can click Download Report in the endpoint summary to view the
details. You can also view the verdict that the analyst arrived at. You can also filter the endpoint list
based on whether the forensics service is enabled, the status, and verdict.
9. If desired, you can access logs for on-demand forensic artifact collection on the endpoint in the fortiFS_
[Link] file in C:\Program Files\Fortinet\FortiClient\logs\trace. The following shows an example log
file:

[2025-04-01 [Link].4072463] [fortiFS] trace started -> pid: 4784 flag: 0x0000010f size: 16
[2025-04-01 [Link].4080551] [fortiFS] url: [Link]
[Link]/[Link]
[2025-04-01 [Link].4080977] [fortiFS] serial_number: FCT8000887468887
[2025-04-01 [Link].4081199] [fortiFS] token: ***
[2025-04-01 [Link].4090658] [fortiFS] temp directory:C:\Windows\TEMP
[2025-04-01 [Link].4091365] [fortiFS] Gob file is not existed, create forensics_collector
[2025-04-01 [Link].4094441] [fortiFS] Directory creat[Link]\Windows\TEMP\forensics_collector
[2025-04-01 [Link].2793892] [fortiFS] Authorization: Bearer ***
[2025-04-01 [Link].2794707] [fortiFS] Content-Type: multipart/form-data;
boundary=d902e7d5b9434f26a29925ee4cb31ea0a0479f9fa13cb51830fd32325240
[2025-04-01 [Link].1773403] [fortiFS] Response Status:200 OK
[2025-04-01 [Link].1774437] [fortiFS] Response Body:{"download_link":"https:\/\/2.zoppoz.workers.dev:443\/https\/forticlient-
[Link]\/downloadfiles\/FCT8000887468887\/forensics_collector.zip"}
[2025-04-01 [Link].1800704] [fortiFS] download_link:[Link]
[Link]/downloadfiles/FCT8000887468887/forensics_collector.zip
[2025-04-01 [Link].2161343] [fortiFS] trace stopped
[2025-04-01 [Link].7409150] [fortiFS] trace started -> pid: 6860 flag: 0x0000010f size: 16
[2025-04-01 [Link].7414763] [fortiFS] url: [Link]
[Link]/[Link]
[2025-04-01 [Link].7414928] [fortiFS] serial_number: FCT8000887468887
[2025-04-01 [Link].7414975] [fortiFS] token: ***

[2025-04-01 [Link].7416051] [fortiFS] temp directory:C:\Windows\TEMP
[2025-04-01 [Link].7419743] [fortiFS] Gob file received, create forensics_collector_
additional
[2025-04-01 [Link].7421828] [fortiFS] Directory creat[Link]\Windows\TEMP\forensics_collector_
additional
[2025-04-01 [Link].3507275] [fortiFS] Authorization: Bearer ***
[2025-04-01 [Link].3507984] [fortiFS] Content-Type: multipart/form-data;
boundary=2d2688eb8631e17bdce84425cf155b1f2bfa735d39ebf3b51005b425280f
[2025-04-01 [Link].5297510] [fortiFS] Response Status:200 OK
[2025-04-01 [Link].5298790] [fortiFS] Response Body:{"download_link":"https:\/\/2.zoppoz.workers.dev:443\/https\/forticlient-
[Link]\/downloadfiles\/FCT8000887468887\/forensics_collector_
[Link]"}
[2025-04-01 [Link].5301006] [fortiFS] download_link:[Link]
[Link]/downloadfiles/FCT8000887468887/forensics_collector_additional.zip
[2025-04-01 [Link].5532758] [fortiFS] trace stopped
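As an added example (not part of the guide), this Python parser groups fortiFS trace lines like the ones above into collection runs, re-joins lines that were wrapped in the rendered log, and flags any run in which a token or Authorization header was not masked. The log text, timestamps, serial number and URLs in it are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A real log line starts with a bracketed timestamp; anything else is treated
# as a wrapped continuation of the previous line (as seen in the rendered guide).
TS_START = re.compile(r"^\[\d{4}-\d{2}-\d{2} ")
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[fortiFS\] (?P<msg>.*)$")
PID_RE = re.compile(r"^trace started -> pid: (?P<pid>\d+)")


@dataclass
class CollectionRun:
    pid: int
    started: str
    kind: str = "unknown"                  # "initial" or "additional" collection
    serial_number: Optional[str] = None
    response_status: Optional[str] = None
    download_link: Optional[str] = None
    secrets_masked: bool = True            # False if a token/bearer value was logged in clear
    stopped: Optional[str] = None


def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join continuation lines that do not begin with a timestamp."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if TS_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line.strip()
    return out


def parse_fortifs_log(text: str) -> List[CollectionRun]:
    """Group lines between 'trace started' and 'trace stopped' into runs."""
    runs: List[CollectionRun] = []
    current: Optional[CollectionRun] = None
    for line in join_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        started = PID_RE.match(msg)
        if started:
            current = CollectionRun(pid=int(started.group("pid")), started=ts)
            runs.append(current)
            continue
        if current is None:
            continue                        # line outside any trace window
        if msg.startswith("serial_number:"):
            current.serial_number = msg.split(":", 1)[1].strip()
        elif msg.startswith("Gob file is not existed"):
            current.kind = "initial"        # first collection for this request
        elif msg.startswith("Gob file received"):
            current.kind = "additional"     # analyst requested more files
        elif msg.startswith("Response Status:"):
            current.response_status = msg.split(":", 1)[1].strip()
        elif msg.startswith("download_link:"):
            current.download_link = msg.split(":", 1)[1].strip()
        elif msg.startswith(("token:", "Authorization:")) and "***" not in msg:
            current.secrets_masked = False  # the agent normally masks these as ***
        elif msg == "trace stopped":
            current.stopped = ts
            current = None
    return runs


# Constructed sample in the fortiFS layout; hostnames and serial are placeholders.
SAMPLE_LOG = """\
[2025-04-01 10:15:22.4072463] [fortiFS] trace started -> pid: 4784 flag: 0x0000010f size: 16
[2025-04-01 10:15:22.4080551] [fortiFS] url: https://forensics.example.invalid/api/upload
[2025-04-01 10:15:22.4080977] [fortiFS] serial_number: FCT0000000000001
[2025-04-01 10:15:22.4081199] [fortiFS] token: ***
[2025-04-01 10:15:22.4090658] [fortiFS] temp directory:C:\\Windows\\TEMP
[2025-04-01 10:15:22.4091365] [fortiFS] Gob file is not existed, create forensics_collector
[2025-04-01 10:15:25.2793892] [fortiFS] Authorization: Bearer ***
[2025-04-01 10:15:31.1773403] [fortiFS] Response Status:200 OK
[2025-04-01 10:15:31.1800704] [fortiFS] download_link:https://forensics.example.invalid/downloadfiles/
FCT0000000000001/forensics_collector.zip
[2025-04-01 10:15:31.2161343] [fortiFS] trace stopped
[2025-04-01 11:40:02.7409150] [fortiFS] trace started -> pid: 6860 flag: 0x0000010f size: 16
[2025-04-01 11:40:02.7414928] [fortiFS] serial_number: FCT0000000000001
[2025-04-01 11:40:02.7414975] [fortiFS] token: ***
[2025-04-01 11:40:02.7419743] [fortiFS] Gob file received, create forensics_collector_additional
[2025-04-01 11:40:05.3507275] [fortiFS] Authorization: Bearer ***
[2025-04-01 11:40:09.5297510] [fortiFS] Response Status:200 OK
[2025-04-01 11:40:09.5301006] [fortiFS] download_link:https://forensics.example.invalid/downloadfiles/FCT0000000000001/forensics_collector_additional.zip
[2025-04-01 11:40:09.5532758] [fortiFS] trace stopped
"""


if __name__ == "__main__":
    for run in parse_fortifs_log(SAMPLE_LOG):
        print(f"pid={run.pid} kind={run.kind} serial={run.serial_number} "
              f"status={run.response_status} masked={run.secrets_masked} link={run.download_link}")
```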

RADIUS server authentication for administrators 7.4.4

You can configure a RADIUS server as an authentication server for EMS administrators. EMS administrators
can log in to EMS with their RADIUS credentials. As RADIUS is one of the most widely used authentication
services, this helps to meet the needs of many customers who rely on RADIUS as their authentication
method. You can configure multiple RADIUS servers for one EMS instance, enabling users to authenticate
through various servers. This enhances redundancy and scalability in the authentication process.

To configure a RADIUS server as an authentication server for EMS administrators:

1. In EMS, go to Administration > RADIUS.


2. Click Add.
3. Configure the following fields for the RADIUS server:

Field: Description

IP address/Hostname: Enter the RADIUS server IP address or hostname.

Port: Enter the port number for EMS to use to communicate with the RADIUS server. RADIUS typically uses
port 1812 for authentication requests.

Client Secret: Also known as the shared secret, this alphanumeric string is used to encrypt and decrypt
RADIUS messages between the client, EMS, and the RADIUS server. Enter the client secret value. It must
match the secret configured on the RADIUS server.

Authentication Method: Select the desired authentication method: PAP, CHAP, or EAP-MD5.

Realm: Enter the unique identifier that the system uses to direct administrator login attempts to the
appropriate RADIUS server. This often resembles an email domain, such as user@[Link], and helps in
routing authentication requests correctly.

Test Connection: Click to confirm that EMS can communicate with the RADIUS server.

4. In Dictionary, configure this section if your RADIUS server is configured to handle specific attributes
during the authentication process. Contact your RADIUS server administrator regarding the supported
attributes.
5. In Access Control, optionally configure authorization rules to control user authorizations using RADIUS
attributes. Click Add to add a new rule, and configure the following:

Field: Description

Attribute: Enter the desired RADIUS attribute.

Attribute value: Enter the desired value for the configured RADIUS attribute.

Role: From the dropdown list, select the desired EMS admin role to assign to the RADIUS user whose
attributes match the rule configuration.

Advanced Settings: Click to configure advanced settings for the rule.

Domain Access: Select or add access to a domain for a user who matches this rule.

Allow all domains: Allow a user who matches this rule access to all domains connected to EMS.

Restrict Login to Trusted Hosts: When this option is enabled, a user who matches this rule can only use
their RADIUS account to log in to EMS from a trusted host machine.

Trusted Hosts: Enter a trusted host machine's IP address. Use the + button to add multiple trusted host
machines.

Priority: Displays the priority of this rule. You can click Change Priority to reprioritize rules. EMS
evaluates the rules in order of priority. This means that for a user that matches multiple rules, EMS
applies the matching rule with the highest priority (with 1 being the highest priority level). In this
example, the user-specific rule for Anton takes precedence over the group-based rule, which in turn takes
precedence over the default rule. This ensures that Anton receives super admin rights, other ems-admin
group members receive restricted admin access, and all other authenticated users are limited to read-only
access.

Enabled: Enable the rule.

Delete: Delete the rule.

6. Click Save.
7. Log in to EMS as a RADIUS user:
a. Log out of EMS.
b. Reload the EMS login page.
c. Click Sign in with RADIUS.
d. Provide valid RADIUS credentials. You must provide the username in the format realm\username for
the RADIUS server to authenticate.
e. Click Sign in With RADIUS.
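As an added example, not Fortinet's code, the following Python models the rule evaluation that the Access Control table describes: rules are tried in priority order (1 is highest), a disabled rule is skipped, and a rule with Restrict Login to Trusted Hosts denies a matching user who connects from an address outside its trusted hosts. The attribute names (User-Name, Class), role names, user names and IP addresses are constructed, as is the catch-all form used here for the default rule and the assumption that a trusted-host failure denies the login rather than falling through to the next rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Union

# A RADIUS attribute may carry one value or several (e.g. multiple Class values).
AttrValue = Union[str, Sequence[str]]


@dataclass
class AccessRule:
    """One Access Control rule: RADIUS attribute/value -> EMS admin role."""
    priority: int                        # 1 is the highest priority
    role: str
    attribute: Optional[str] = None      # None models a catch-all default rule (assumption)
    value: Optional[str] = None
    enabled: bool = True
    restrict_to_trusted_hosts: bool = False
    trusted_hosts: Sequence[str] = ()    # IPs or CIDR prefixes

    def matches(self, attrs: Dict[str, AttrValue]) -> bool:
        if self.attribute is None:
            return True
        present = attrs.get(self.attribute)
        if present is None:
            return False
        if isinstance(present, str):
            return present == self.value
        return self.value in present


@dataclass
class Decision:
    allowed: bool
    role: Optional[str]
    rule_priority: Optional[int]
    reason: str


def evaluate_rules(rules: List[AccessRule], attrs: Dict[str, AttrValue],
                   client_ip: str) -> Decision:
    """Return the role for an authenticated RADIUS user, or a denial."""
    ip = ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled or not rule.matches(attrs):
            continue
        if rule.restrict_to_trusted_hosts:
            trusted = any(ip in ip_network(h, strict=False) for h in rule.trusted_hosts)
            if not trusted:
                # Matching rule restricts logins to trusted hosts: deny this source.
                return Decision(False, None, rule.priority,
                                f"login from {client_ip} is not from a trusted host")
        return Decision(True, rule.role, rule.priority, "matched rule")
    return Decision(False, None, None, "no enabled rule matched")


# Constructed rule set mirroring the Anton example in the guide.
EXAMPLE_RULES = [
    AccessRule(priority=1, role="Super Administrator", attribute="User-Name", value="anton",
               restrict_to_trusted_hosts=True,
               trusted_hosts=("203.0.113.10", "198.51.100.0/24")),
    AccessRule(priority=2, role="Restricted Admin", attribute="Class", value="ems-admin"),
    AccessRule(priority=3, role="Read-only"),    # default rule: any authenticated user
]


if __name__ == "__main__":
    for user, attrs, src in [
        ("anton", {"User-Name": "anton", "Class": ["ems-admin"]}, "203.0.113.10"),
        ("anton", {"User-Name": "anton", "Class": ["ems-admin"]}, "192.0.2.5"),
        ("bob", {"User-Name": "bob", "Class": ["ems-admin", "vpn-users"]}, "192.0.2.5"),
        ("carol", {"User-Name": "carol"}, "192.0.2.5"),
    ]:
        d = evaluate_rules(EXAMPLE_RULES, attrs, src)
        print(f"{user}@{src}: allowed={d.allowed} role={d.role} ({d.reason})")
```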

EMS VM CLI enhancements 7.4.4

EMS 7.4.4 introduces several system administration tools directly into EMS VM deployment, significantly
reducing the need for EMS administrators to possess deep Ubuntu expertise or access the underlying shell.
The implemented features are designed to simplify management, improve system security, and ensure
configuration consistency, similar to the management experience that FortiGate VM and FortiAnalyzer VM
offer. The following features have been added:

Feature: Description

Network interface configuration: Shell interface to configure the VM’s network interfaces. Ubuntu uses
Netplan for network management, which not all users are familiar with. This feature allows you to easily
configure networking without needing to understand or manually edit Netplan configuration files.

External PostgreSQL (Postgres) configuration utility: Dedicated utility to simplify the configuration of
external Postgres database (DB) connections. This removes the complexity of manually setting up DB
connections, ensuring correct and consistent configurations.

Operating system (OS) patch management controls: Update the OS via the CLI while preventing unintended
updates to untested or unsupported patch levels. This safeguards system stability and ensures
compatibility with validated EMS versions.

OS hardening: The system is automatically hardened by removing unused packages and disabling unnecessary
services. This reduces the attack surface, improves security posture, and minimizes resource consumption.

The overall objective of these enhancements is to deliver a fully integrated appliance-like EMS VM
experience. By consolidating administration into the shell and providing restricted simplified CLI access,
these features reduce administrative overhead, lower the risk of misconfiguration, and improve overall user
experience.
After deploying the EMS VM, all access to the VM will be conducted through emscli. Once logged in, you no
longer have access to the underlying Linux shell. The following shows the CLI after deployment and login to
the EMS VM:

When using the EMS CLI, entering -h or help shows available commands.
The following shows examples of useful EMS CLI commands that you can use. For more information about
EMS CLI commands, see EMS CLI Reference.


To get system information:

To get system information such as the RAM, CPU, disk, and network information, run the following:

system get info

To set EMS network settings:

Set network adapter parameters such as the IP address or DNS server.

system set network --adapter="ens160" --ip="[Link]/24" --dns="[Link]" --gateway="[Link]"

To check network connectivity:

execute ping [Link]

To back up the EMS DB:

execute backup --[Link]="test" --[Link]="test_backup"

Endpoint health check 7.4.4

In Endpoints > All Endpoints, the endpoint summary includes a new Endpoint Health section, which replaces
the previous Features section. While the Features section reported whether a feature, such as Web Filter,
was installed, activated, or disabled, Endpoint Health provides a comprehensive view of feature statuses,
such as whether a feature is installed, not installed, enabled, or disabled. It also reports any warnings or
error messages associated with a feature. For example, if FortiClient cannot connect to VPN, an error
displays under Remote Access. This enhanced visibility significantly improves the ability to diagnose and
troubleshoot feature-related issues. You can effectively identify and resolve problems specifically linked to
endpoint feature configurations and statuses.


A feature may have one of the following statuses:

- OK
- Warning
- Error
- Disabled
- Not Installed
Clicking the status opens a slide-in with detailed information about the status. For the Warning and Error
statuses, the Description may provide details to explain the cause, which you can investigate.

EMS upgrade notification improvement 7.4.4

EMS displays a notification in the header when there is a newer EMS version available to upgrade to. The
notification has been improved in the following ways:
- Identifies the version available for upgrade
- Identifies whether the version available for upgrade is a Feature or Mature release
- Includes information on vulnerabilities that the upgrade fixes
- Includes other information regarding the release, such as increased management capacity or removal of
  support for legacy FortiClient versions
If an SMTP server is configured on EMS, you can receive the information in the upgrade notification as an
email. The EMS/FCT upgrade & compatibility matrix must be downloaded to EMS for the improved upgrade
notification to be visible; see FortiClient and EMS upgrade and compatibility matrix signature 7.4.4 for
how to confirm that the signature is present.
The following shows examples of the improved notifications:


Custom invitation email template for on-premise EMS 7.4.4
In on-premise EMS, you can create custom invitation email templates to send to users. For each template,
you can define a custom subject line and email body. You can include your organization logo and a URL to
download the installer from.


The following instructions assume that EMS already has an SMTP server configured.

To create a custom invitation email template:

1. Go to System Settings > Invitation Email Template.


2. Click Create new.
3. In the Template Name field, enter a unique name to identify the template by in EMS.
4. In the Email Subject field, enter the email subject line to display to email recipients.
5. Under HTML Preview and Edit, the right panel displays the customization fields, while the left panel
previews the email as it appears to the user. In the right pane, configure the email as desired. To add
images to the email, host them at a URL, then add the link in an <img src> field. To add a link to an
installer, replace {{installerDownloadLinks...}} with the desired URL. For example, to add a link to
the iOS App Store to download FortiClient (iOS), replace {{[Link]}} with the link. Because recipients
are being asked to install software from the link you supply, point it only at an HTTPS location you
control or at the official app store, and confirm it in the preview before saving.
6. Click OK.

To create an invitation based on the template:

1. Go to Invitations.
2. Click Add.
3. In the Email Recipients field, enter the desired recipients' email addresses.
4. From the Invitation Email Template dropdown list, select the email template that you created.
5. Configure other fields as desired, then click Save. EMS sends the invitation email based on the
configured invitation email template. The following shows an example of how the example configuration
appears to the end user. The subject line is Welcome to try new FCT, instead of the default subject line,
Invitation to join EMS. The invitation also shows a custom image, a flower, instead of the EMS logo
banner.


FortiClient and EMS upgrade and compatibility matrix signature 7.4.4
EMS can download a new signature, the EMS/FCT upgrade & compatibility matrix signature, from FortiGuard.
This signature provides the following information to EMS:


- Operating system support information for FortiClient versions. EMS uses this information and only
  pushes deployments to endpoints whose OS supports the FortiClient version being deployed.
- Notification text to display in the EMS GUI and notification email when a new EMS version to upgrade to
  is available
- Notification text to display in the notification email when a new FortiClient version to deploy is
  available
- Upgrade matrix for EMS, including OS support and the EMS version available to upgrade to
For example, consider that you have an endpoint running Windows 7, which FortiClient 7.4.4 does not
support. If your EMS has the EMS/FCT upgrade & compatibility matrix and you create a deployment
configuration to deploy FortiClient 7.4.4 to the endpoint, EMS does not deploy FortiClient 7.4.4 to that
endpoint.

To verify that your EMS has the EMS/FCT upgrade & compatibility matrix signature:

1. In EMS, go to System Settings > FortiGuard Services.


2. Under FortiGuard, click View Signature List.


3. Confirm that EMS/FCT upgrade & compatibility matrix displays in the list, then click Close.


Support FortiClient ARM installer creation and deployment 7.4.4
EMS supports creating and deploying an ARM installer to a Windows endpoint. You can also upload a
repackaged ARM installer file to EMS.

To create an ARM installer:

1. Go to Deployment & Installers > FortiClient Installer.


2. Click Add.
3. On the General tab, under Repackaged Installer Files, select ARM Installer and Include Windows ARM
Installer.

4. Finish configuring the installer as desired.


5. When the installer status updates to Ready for deployment, click the download link. There is a
FortiClientSetup_X.X.X_arm64.exe file in the directory. When you deploy this installer to an ARM
endpoint, FortiClient installs successfully and automatically connects to EMS.

Firmware maturity levels 7.4.4
Starting with FortiClient and EMS 7.4.4, released firmware images use tags to indicate the following
maturity levels:
- The Feature (F) tag indicates that the firmware release includes new features. It can also include bug
  fixes and vulnerability patches where applicable.
- The Mature (M) tag indicates that the firmware release includes no new major features. Mature firmware
  contains bug fixes and vulnerability patches where applicable.
You can use the tags to identify the maturity level of the current firmware in the GUI or CLI.
You can view the maturity level of each firmware image that is available for upgrade in the EMS upgrade
notification.
The FortiClient and EMS installer file names include the letter F or M following the build number to indicate
whether the release is Feature or Mature. For example, if 7.4.4 is a Feature release, an example EMS 7.4.4
installer file name is forticlientems_7.[Link]. If 7.4.5 is a Mature release, an example
FortiClient (Windows) installer file name is FortiClientSetup_7.[Link].M_x64.zip.
In the FortiClient GUI, the Feature or Mature tag displays on the top banner beside the build number.

In the EMS GUI, when an EMS upgrade is available, the upgrade notification displays whether the new
version to upgrade to is a Mature or Feature release.

You can also check whether your EMS version is a Feature or Mature release in the CLI.


To check your EMS version's maturity level in the CLI:

emscli system get info


EMS Version: [Link] Feature
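The file-name convention and the `EMS Version:` line above are enough to gate automated deployments on the maturity tag, and the OS-support rule described under FortiClient and EMS upgrade and compatibility matrix signature 7.4.4 can be applied in the same step. The following Python script is an added example, not Fortinet code: it parses the F/M tag out of installer file names and out of `emscli system get info` output, refuses to deploy to an OS the FortiClient version does not support, and adds a local policy (an assumption, not EMS behaviour) that the production ring only receives Mature releases. The separators in the file-name pattern, the build numbers and the OS-support table are constructed for the example; the guide only states that 7.4.4 does not support Windows 7. Installer names without a tag (pre-7.4.4 naming) fail closed.

```python
"""Deployment gate built on the FortiClient/EMS maturity tag and OS support.
Added example; not part of the FortiClient EMS product."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Installer file-name pattern. The guide states that the letter F or M follows the
# build number; the exact separators used here are an assumption based on its examples.
_INSTALLER_RE = re.compile(
    r"^(?P<product>[A-Za-z]+)_"
    r"(?P<version>\d+\.\d+\.\d+)\.(?P<build>\d+)\.(?P<tag>[FM])[._]"
)

# "EMS Version:" line printed by `emscli system get info`, e.g.
# "EMS Version: 7.4.4.1234 Feature" (the build digits are a constructed value).
_EMSCLI_RE = re.compile(
    r"^EMS Version:\s*(?P<version>\d+\.\d+\.\d+)(?:\.(?P<build>\d+))?"
    r"\s+(?P<maturity>Feature|Mature)\s*$"
)

_TAG_TO_MATURITY = {"F": "Feature", "M": "Mature"}


@dataclass(frozen=True)
class Release:
    product: str
    version: str
    build: Optional[str]
    maturity: str  # "Feature" or "Mature"


def parse_installer_name(filename: str) -> Optional[Release]:
    """Return the Release encoded in an installer file name, or None when the name
    carries no maturity tag (installers older than 7.4.4 are not tagged)."""
    m = _INSTALLER_RE.match(filename)
    if not m:
        return None
    return Release(m["product"], m["version"], m["build"], _TAG_TO_MATURITY[m["tag"]])


def parse_emscli_version(line: str) -> Optional[Release]:
    """Parse the 'EMS Version:' line from `emscli system get info`."""
    m = _EMSCLI_RE.match(line.strip())
    if not m:
        return None
    return Release("forticlientems", m["version"], m["build"], m["maturity"])


# Constructed stand-in for the OS-support part of the EMS/FCT upgrade & compatibility
# matrix signature. The real matrix comes from FortiGuard; these entries are illustrative.
SUPPORTED_OS = {
    "7.4.3": {"Windows 10", "Windows 11", "macOS 13", "macOS 14", "Ubuntu 22.04"},
    "7.4.4": {"Windows 10", "Windows 11", "macOS 14", "Ubuntu 22.04"},
    "7.4.5": {"Windows 10", "Windows 11", "macOS 14", "Ubuntu 22.04"},
}


def deployment_decision(release: Optional[Release], endpoint_os: str, ring: str) -> Tuple[bool, str]:
    """Decide whether an installer may be pushed to an endpoint.

    Mirrors the EMS rule that a FortiClient version is not deployed to an OS it does
    not support, and adds an assumed local policy that the 'production' ring only
    receives Mature releases. Unknown versions and untagged names fail closed.
    """
    if release is None:
        return False, "installer name carries no maturity tag; refusing to auto-deploy"
    supported = SUPPORTED_OS.get(release.version)
    if supported is None:
        return False, f"no compatibility data for FortiClient {release.version}"
    if endpoint_os not in supported:
        return False, f"FortiClient {release.version} does not support {endpoint_os}"
    if ring == "production" and release.maturity != "Mature":
        return False, f"{release.maturity} release {release.version} not allowed in production"
    return True, f"deploy {release.product} {release.version} ({release.maturity}) to {endpoint_os}"


if __name__ == "__main__":
    # Constructed inputs: one unsupported OS, one Feature build aimed at production,
    # one Mature build aimed at production, and one untagged (older) installer name.
    for name, os_name, ring in [
        ("FortiClientSetup_7.4.4.1234.F_x64.zip", "Windows 7", "pilot"),
        ("FortiClientSetup_7.4.4.1234.F_x64.zip", "Windows 11", "production"),
        ("FortiClientSetup_7.4.5.1300.M_x64.zip", "Windows 11", "production"),
        ("FortiClientSetup_7.4.2.1100_x64.zip", "Windows 11", "pilot"),
    ]:
        ok, reason = deployment_decision(parse_installer_name(name), os_name, ring)
        print(f"{name} -> {os_name} [{ring}]: {'DEPLOY' if ok else 'SKIP'} ({reason})")
```

Feed `parse_emscli_version` the relevant line of `emscli system get info` output if you want the same gate to check the EMS server itself before an upgrade run; the function returns None for any line that does not carry a Feature or Mature tag, which the decision logic treats as a reason not to proceed.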

Index
The following index provides a list of all new features added to FortiClient and EMS 7.4. The index allows
you to quickly identify the version where the feature first became available in FortiClient and EMS.
Select a version number to navigate in the index to the new features available for that patch:
- 7.4.0 on page 179
- 7.4.1 on page 180
- 7.4.3 on page 181
- 7.4.4 on page 181

7.4.0

ZTNA
  Endpoint: Fabric Agent
    - JWT support for ZTNA UID and tag sharing on page 6
    - Transparent FortiClient upgrade on page 8
  Other
    - Zero Trust tag renamed to security posture tag on page 10

FortiClient EMS
  ZTNA
    - MDM integration support for EMS HA, FortiClient Cloud, and multitenancy on page 95
  Other
    - Removing support for legacy SKUs on page 105
    - FortiClient (Linux) installer creation support on page 106
    - Linux-based EMS model on page 111
    - Support for access key for Fortinet Security Fabric devices to connect to FortiClient Cloud on page 112


7.4.1

ZTNA
  Endpoint: Fabric Agent
    - Support security posture rules based on CrowdStrike ZTA score 7.4.1 on page 11
    - FortiTray icons for On-Fabric and VPN connection status 7.4.1 on page 13
    - Sending email events from the Microsoft Exchange server 7.4.1 on page 17
    - Support ZTNA destinations over UDP 7.4.1 on page 17
  Endpoint: Remote Access
    - IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1 on page 43
    - Configure IPsec IKEv2 on multiple protocols 7.4.1 on page 62
    - IKEv2 session resumption 7.4.1 on page 64

FortiClient EMS
  ZTNA
    - ZTNA application catalog 7.4.1 on page 96
    - FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications 7.4.1 on page 97
  Other
    - On-fabric detection based on destination address 7.4.1 on page 113
    - Auto upgrade EMS to latest patch release 7.4.1 on page 114
    - FortiClient hotfix deployment via EMS 7.4.1 on page 114
    - Deploying EMS as a VM image 7.4.1 on page 117
    - FortiClient GUI enhancement 7.4.1 on page 120
    - Create connectors with OAuth 2.0 token-based authentication 7.4.1 on page 121
    - Assign AD and local Windows server groups to roles 7.4.1 on page 124
    - FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 127
    - Support forensic analysis reports on macOS endpoints 7.4.1 on page 132
    - Add support for ManageEngine MDM 7.4.1 on page 133
    - EMS VM image 7.4.1 on page 137


7.4.3

ZTNA
  Endpoint: Fabric Agent
    - ZTNA automatic login using Microsoft Entra ID 7.4.3 on page 19
    - FortiPAM agent for macOS 7.4.3 on page 25
    - FortiAnalyzer Cloud configuration improvements 7.4.3 on page 27
    - Video Filter support for macOS and Linux 7.4.3 on page 28
  Endpoint: Remote Access
    - EAP-TTLS support for IPsec VPN 7.4.3 on page 66
    - Support LB IPsec VPN gateways with a single FQDN 7.4.3 on page 68
    - Security posture tag enforcement during VPN connection 7.4.3 on page 75
  Other
    - Zero Trust tag renamed to security posture tag on page 10

FortiClient EMS
  ZTNA
    - Security posture tags enhancements 7.4.3 on page 101
    - Upload custom certificate and private key for ZTNA 7.4.3 on page 103
  Other
    - Consolidated endpoint events 7.4.3 on page 142
    - Installing EMS with separate time series ES DB 7.4.3 on page 144
    - Syncing remote categories from imported FortiOS or FortiManager Web Filter profile 7.4.3 on page 145
    - Vulnerability detection popup 7.4.3 on page 150
    - EMS automatic upgrade improvements 7.4.3 on page 151
    - Add FortiAnalyzer Cloud entitlement for FortiClient Cloud SKUs 7.4.3 on page 153
    - EMS VM image support for Hyper-V and VirtualBox 7.4.3 on page 154
    - Post-installation setup wizard 7.4.3 on page 158

7.4.4

ZTNA
  Endpoint: Fabric Agent
    - FSSOMA connectivity status 7.4.4 on page 28
    - FortiDeceptor integration 7.4.4 on page 31
    - FortiData integration 7.4.4 on page 35
  Endpoint: Remote Access
    - Dual IPsec VPN tunnel support 7.4.4 on page 76
    - LDAP support for IPsec IKEv2 VPN 7.4.4 on page 85

FortiClient EMS
  Other
    - On-demand forensic artifact collection with forensic engine 7.4.4 on page 161
    - RADIUS server authentication for administrators 7.4.4 on page 165
    - EMS VM CLI enhancements 7.4.4 on page 167
    - Endpoint health check 7.4.4 on page 169
    - EMS upgrade notification improvement 7.4.4 on page 170
    - Custom invitation email template for on-premise EMS 7.4.4 on page 171
    - FortiClient and EMS upgrade and compatibility matrix signature 7.4.4 on page 173
    - Support FortiClient ARM installer creation and deployment 7.4.4 on page 176

Other
  Other
    - Firmware maturity levels 7.4.4 on page 177

Change log

Date        Change description

2024-06-03  Initial release.
2024-06-04  Updated Linux-based EMS model on page 111.
2024-06-17  Updated:
            - FortiClient EMS on page 95
            - FortiClient EMS on page 179
2024-07-09  Updated Linux-based EMS model on page 111.
2024-07-12  Added Support for access key for Fortinet Security Fabric devices to connect to FortiClient Cloud on page 112.
2024-11-01  Added for 7.4.1 release:
            - Support security posture rules based on CrowdStrike ZTA score 7.4.1 on page 11
            - IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1 on page 43
            - ZTNA application catalog 7.4.1 on page 96
            - On-fabric detection based on destination address 7.4.1 on page 113
            - Auto upgrade EMS to latest patch release 7.4.1 on page 114
            - FortiClient hotfix deployment via EMS 7.4.1 on page 114
            - FortiTray icons for On-Fabric and VPN connection status 7.4.1 on page 13
            - Sending email events from the Microsoft Exchange server 7.4.1 on page 17
            - FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications 7.4.1 on page 97
            - Deploying EMS as a VM image 7.4.1 on page 117
            - FortiClient GUI enhancement 7.4.1 on page 120
            - Create connectors with OAuth 2.0 token-based authentication 7.4.1 on page 121
            - Assign AD and local Windows server groups to roles 7.4.1 on page 124
            - Support ZTNA destinations over UDP 7.4.1 on page 17
            - Configure IPsec IKEv2 on multiple protocols 7.4.1 on page 62
            - FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 127
            - Support forensic analysis reports on macOS endpoints 7.4.1 on page 132
2024-11-04  Added:
            - Add support for ManageEngine MDM 7.4.1 on page 133
            - IKEv2 session resumption 7.4.1 on page 64
2024-11-06  Updated Deploying EMS as a VM image 7.4.1 on page 117.
2024-11-20  Updated FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 127.
2024-12-31  Updated Deploying EMS as a VM image 7.4.1 on page 117.
2025-01-06  Updated Support ZTNA destinations over UDP 7.4.1 on page 17.


2025-01-08  Updated IKEv2 session resumption 7.4.1 on page 64.
2025-01-24  Updated Deploying EMS as a VM image 7.4.1 on page 117.
2025-01-28  Updated Deploying EMS as a VM image 7.4.1 on page 117.
2025-03-20  - ZTNA automatic login using Microsoft Entra ID 7.4.3 on page 19
            - FortiPAM agent for macOS 7.4.3 on page 25
            - FortiAnalyzer Cloud configuration improvements 7.4.3 on page 27
            - EAP-TTLS support for IPsec VPN 7.4.3 on page 66
            - Support LB IPsec VPN gateways with a single FQDN 7.4.3 on page 68
            - Security posture tags enhancements 7.4.3 on page 101
            - Upload custom certificate and private key for ZTNA 7.4.3 on page 103
            - Consolidated endpoint events 7.4.3 on page 142
            - Installing EMS with separate time series ES DB 7.4.3 on page 144
            - Syncing remote categories from imported FortiOS or FortiManager Web Filter profile 7.4.3 on page 145
            - Vulnerability detection popup 7.4.3 on page 150
            - EMS automatic upgrade improvements 7.4.3 on page 151
            - Add FortiAnalyzer Cloud entitlement for FortiClient Cloud SKUs 7.4.3 on page 153
2025-03-21  Added Video Filter support for macOS and Linux 7.4.3 on page 28.
2025-03-24  Added EMS VM image support for Hyper-V and VirtualBox 7.4.3 on page 154.
2025-07-25  Updated EAP-TTLS support for IPsec VPN 7.4.3 on page 66.
2025-08-21  Added Security posture tag enforcement during VPN connection 7.4.3 on page 75 and updated IPsec VPN over TCP on Windows, macOS, and Linux 7.4.1 on page 43.
2025-08-27  Updated Consolidated endpoint events 7.4.3 on page 142.
2025-09-09  Added 7.4.4 on page 181.
2025-09-16  Updated LDAP support for IPsec IKEv2 VPN 7.4.4 on page 85.


Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables,
different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all
warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly
identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s
internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
