Configuring firewall policies Firewall Policy
FortiGate Version 4.0 Administration Guide
336 01-400-89802-20090424
http://docs.fortinet.com/
Traffic Shaping
The traffic shaping configuration for this policy. For more information, see “Traffic Shaping” on page 423.

Log Traffic
If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon
Select to delete this policy.

Edit icon
Select to edit this policy.

Move Up or Move Down
Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.

Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.

Endpoint Compliance Check options
You can require users of a firewall policy to have FortiClient Endpoint Security software installed. Optionally, you can also require that the antivirus signatures are up-to-date and check for the presence of specific applications on the computer. You can quarantine non-compliant users to a web portal, from which they can download the FortiClient installer or update their antivirus signatures. For more information about configuring the Endpoint Control feature and monitoring endpoints, see “Endpoint control” on page 641.

In a new or existing firewall policy, the following options configure the Endpoint Compliance Check:

Figure 199: Endpoint Compliance firewall policy options
Enable Endpoint Compliance Check
Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software.
You cannot enable Endpoint Compliance Check in a firewall policy if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

Enforce FortiClient AV Up-to-date
Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest version of the antivirus signatures available from FortiGuard Services.

Collect System Information from the Endpoints
Collect information about the host computer, its operating system and specific installed applications. This information is displayed in the Endpoints list. See “Monitoring endpoints” on page 644.

Redirect Non-conforming Clients to Download Portal
A non-compliant user sees a web page that explains why they are non-compliant. The page also provides links to download a FortiClient application installer. To edit this web page, go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message.
If the redirect is not enabled, traffic from a non-compliant host that matches this policy is dropped without explanation: the user simply has no network access through this policy.
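Two points in the table above are easy to get wrong in practice: policies are matched top-down, so a broader accept policy placed above the compliance-checked one lets a non-compliant host through unchecked, and with the redirect option disabled the host is dropped rather than sent to the portal. The following Python is an added example written for this page, not FortiOS code or anything from Fortinet: the Endpoint and Policy classes, the evaluate function, the policy names, addresses and signature dates are all constructed assumptions that model the behaviour described, so you can see the effect of policy order and of each option before touching a live unit.

```python
"""Added example: a first-match model of FortiGate firewall policy evaluation
with the Endpoint Compliance Check options described above. This is NOT
FortiOS code; the classes, field names, addresses, policy names and dates
are constructed assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    """State the FortiGate learns about a source host (assumed shape)."""
    ip: str
    forticlient_installed: bool
    av_realtime_enabled: bool = False
    av_signature_date: Optional[date] = None   # date of installed AV signatures


@dataclass
class Policy:
    """One firewall policy with the three Endpoint Compliance options."""
    name: str
    src: str                              # source subnet in CIDR notation
    action: str = "accept"
    endpoint_check: bool = False          # Enable Endpoint Compliance Check
    enforce_av_up_to_date: bool = False   # Enforce FortiClient AV Up-to-date
    redirect_noncompliant: bool = False   # Redirect Non-conforming Clients to Download Portal


def is_compliant(ep: Endpoint, policy: Policy, latest_sig_date: date) -> bool:
    """FortiClient must be present; if AV enforcement is on, real-time
    protection must be enabled and signatures must be the latest release."""
    if not ep.forticlient_installed:
        return False
    if policy.enforce_av_up_to_date:
        if not ep.av_realtime_enabled:
            return False
        if ep.av_signature_date is None or ep.av_signature_date < latest_sig_date:
            return False
    return True


def evaluate(policies: List[Policy], ep: Endpoint,
             latest_sig_date: date) -> Tuple[Optional[str], str]:
    """Walk the policy list top-down and return (policy name, verdict) for the
    first policy whose source matches. Verdicts: 'allow', 'redirect' (sent to
    the download portal), 'drop' (non-compliant, redirect disabled), 'deny'
    (explicit deny policy). No match falls through to the implicit deny."""
    addr = ip_address(ep.ip)
    for p in policies:
        if addr not in ip_network(p.src):
            continue
        if p.action != "accept":
            return p.name, "deny"
        if p.endpoint_check and not is_compliant(ep, p, latest_sig_date):
            return p.name, "redirect" if p.redirect_noncompliant else "drop"
        return p.name, "allow"
    return None, "drop"


# Constructed data: pretend the newest FortiGuard signature release is this date.
LATEST_SIGS = date(2009, 4, 20)

CHECKED = Policy("lan-to-wan-checked", "10.0.1.0/24", endpoint_check=True,
                 enforce_av_up_to_date=True, redirect_noncompliant=True)
CHECKED_NO_PORTAL = Policy("lan-to-wan-strict", "10.0.1.0/24", endpoint_check=True,
                           enforce_av_up_to_date=True, redirect_noncompliant=False)
BROAD = Policy("lan-any", "10.0.0.0/8")   # no compliance check at all

GOOD_ORDER = [CHECKED, BROAD]     # specific, checked policy first
BROKEN_ORDER = [BROAD, CHECKED]   # broad policy shadows the checked one

COMPLIANT = Endpoint("10.0.1.10", True, True, date(2009, 4, 20))
STALE_SIGS = Endpoint("10.0.1.11", True, True, date(2009, 3, 1))
NO_CLIENT = Endpoint("10.0.1.12", False)


if __name__ == "__main__":
    for ep in (COMPLIANT, STALE_SIGS, NO_CLIENT):
        print(ep.ip, "good order:", evaluate(GOOD_ORDER, ep, LATEST_SIGS),
              "broken order:", evaluate(BROKEN_ORDER, ep, LATEST_SIGS))
        print(ep.ip, "no portal:", evaluate([CHECKED_NO_PORTAL], ep, LATEST_SIGS))
```

With the checked policy first, the host with stale signatures and the host without FortiClient are both redirected to the portal; with the broad policy moved above it, every host is allowed and the compliance options are never consulted. The same non-compliant hosts hitting the policy with the redirect option disabled are simply dropped, which is the case the last row of the table warns about.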