0% found this document useful (0 votes)

193 views84 pages

FortiClient & FortiClient EMS 7.4 New Features Guide

The FortiClient & FortiClient EMS 7.4 New Features Guide outlines enhancements and new features, including support for JWT in ZTNA UID and tag sharing, transparent upgrades without system reboots, and the renaming of Zero Trust tags to security posture tags. It details configuration steps for various features, such as IPsec VPN over TCP and CrowdStrike ZTA score-based tagging rules. The guide serves as a comprehensive resource for understanding and implementing the latest functionalities in FortiClient and FortiClient EMS.

Uploaded by

Dodo Baby

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

193 views84 pages

FortiClient & FortiClient EMS 7.4 New Features Guide

Uploaded by

Dodo Baby

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 84

New Features Guide

FortiClient & FortiClient EMS 7.4

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

January 08, 2025

FortiClient & FortiClient EMS 7.4 New Features Guide
04-740-1010608-20250108
TABLE OF CONTENTS

Overview 5
ZTNA 6
Endpoint: Fabric Agent 6
JWT support for ZTNA UID and tag sharing 6
Transparent FortiClient upgrade 8
Zero Trust tag renamed to security posture tag 10
Support security posture rules based on CrowdStrike ZTA score 7.4.1 11
FortiTray icons for On-Fabric and VPN connection status 7.4.1 13
Sending email events from the Microsoft Exchange server 7.4.1 17
Support ZTNA destinations over UDP 7.4.1 17
Endpoint: Remote Access 19
IPsec VPN over TCP 7.4.1 19
Configure IPsec IKEv2 on multiple protocols 7.4.1 36
IKEv2 session resumption 7.4.1 38
FortiClient EMS 41
ZTNA 41
MDM integration support for EMS HA, FortiClient Cloud, and multitenancy 41
ZTNA application catalog 7.4.1 42
FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications
7.4.1 42
Removing support for legacy SKUs 46
FortiClient (Linux) installer creation support 47
Linux-based EMS model 52
Support for access key for Fortinet Security Fabric devices to connect to FortiClient
Cloud 53
On-fabric detection based on destination address 7.4.1 54
Auto upgrade EMS to latest patch release 7.4.1 54
FortiClient hotfix deployment via EMS 7.4.1 54
Deploy the FortiClient EMS server as a virtual machine image 7.4.1 57
FortiClient GUI enhancement 7.4.1 60
Keyboard navigation 61
Create connectors with OAuth 2.0 token-based authentication 7.4.1 61
Assign AD and local Windows server groups to roles 7.4.1 64
FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 66
Example 1 67
Example 2 70
Support forensic analysis reports on macOS endpoints 7.4.1 71
Add support for ManageEngine MDM 7.4.1 72
Preparing for on-premise ManageEngine instances 72
Preparing for cloud ManageEngine instances 72
Enrolling the device and deploying FortiClient 73
EMS VM image 7.4.1 76

FortiClient & FortiClient EMS 7.4 New Features Guide 3

Fortinet Inc.
Index 81
7.4.0 81
ZTNA 81
FortiClient EMS 81
7.4.1 81
ZTNA 81
FortiClient EMS 82
Change log 83

FortiClient & FortiClient EMS 7.4 New Features Guide 4

Fortinet Inc.
Overview

This guide provides details of new features introduced in FortiClient & FortiClient EMS 7.4. For each feature, the guide
provides detailed information on configuration, requirements, and limitations, as applicable. The guide organizes
features into the following sections:
l ZTNA on page 6
l Endpoint: Fabric Agent on page 6

l FortiClient EMS on page 41

l ZTNA on page 41

For a list of all features organized by the version number that they were introduced, see Index on page 81.

FortiClient & FortiClient EMS 7.4 New Features Guide 5

Fortinet Inc.
ZTNA

Endpoint: Fabric Agent

JWT support for ZTNA UID and tag sharing

As an enhancement to security posture tag sharing in the Fortinet Security Fabric connection between EMS and
FortiOS, EMS now also sends security posture tags to FortiClient in JSON web token (JWT) format. You can install
JWTs on endpoints. A browser on an endpoint can use JWTs to share endpoint identity and tags with FortiOS directly.
This feature makes security posture tag sharing more resilient, resulting in a more fault-tolerant zero trust network
access (ZTNA) connection between the endpoint and ZTNA server. This feature makes it possible for endpoints to
access remote resources via the ZTNA server in the event of EMS, FortiClient, and FortiOS network loss or connection
interruption.
Prior to the addition of JWT support, in the event of connection loss between FortiClient and EMS or a Fabric connection
issue between EMS and FortiOS, legitimate endpoints could not access remote resources via a ZTNA server.
This feature has the following limitations:
l Endpoint default gateway must be the ZTNA server.
l The FortiGate only receives tokens on physical interfaces.
l ZTNA server configuration only uses TCP forwarding.

To configure JWT support for ZTNA UID and tag sharing:

1. Configure the feature in EMS:

a. Configure EMS Settings:
i. Go to System Settings > EMS Settings.
ii. Click Enable ZTNA token.
iii. In the ZTNA token timeout field, enter the JWT expiry time in minutes. The minimum and default value is
60 minutes. When the expiry time is reached, EMS generates a new JWT and sends it to endpoints.

FortiClient & FortiClient EMS 7.4 New Features Guide 6

Fortinet Inc.
ZTNA

Configure other fields as desired, then save.

b. Go to Endpoint Profiles > ZTNA Destinations.

c. Create a new profile or edit an existing one.
d. Enable Destinations.
e. Add a remote resource and ZTNA server address to the profile. Configure other fields as desired, then save.
f. Go to Administration > Fabric Devices.
g. Confirm that EMS has authorized the FortiGate which acts as the ZTNA server. This FortiGate must also be the
default gateway for endpoints that use the JWT.
h. Go to Security Posture Tags > Security Posture Tagging Rules.
i. Configure tags and tagging rules as desired. The JWT and FortiGate ZTNA server use these tags to allow
traffic to remote resources if the ZTNA policy matches with the tags. For example, you could create a security
posture tagging rule that tags endpoints as win10 if they have Windows 10 installed.
2. In FortiOS, go to Policy & Objects > Proxy Policy.
3. Create a new policy or edit an existing one.
4. For Type, select ZTNA.
5. Under Security Posture Tag, select the tags that you configured in EMS.

FortiClient & FortiClient EMS 7.4 New Features Guide 7

Fortinet Inc.
ZTNA

6. Configure other fields as desired, then click OK.

7. After FortiClient receives the profile changes from EMS, in FortiClient, go to the ZTNA Destination tab to view the
ZTNA destination received from EMS.
8. To ensure EMS successfully pushed the generated JWT to FortiClient, in Registry Editor, view Computer\HKEY_
LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ESNAC\ztna_token.
9. To verify that FortiClient maintains ZTNA connection with the ZTNA server to access remote resources in the event
of EMS network connection loss or Fabric connection interruption, disable EMS interfaces to simulate the network
connection loss. Confirm that FortiClient can still access a remote resource via the ZTNA server, for example an
SSH server that runs in a different subnet.

Transparent FortiClient upgrade

You can now upgrade FortiClient to the latest version without needing a system reboot if there are no changes in the
driver version. This improvement ensures a smoother upgrade process, reducing interruptions and allowing users to
continue their work without unnecessary reboots.

FortiClient & FortiClient EMS 7.4 New Features Guide 8

Fortinet Inc.
ZTNA

If drivers are removed or added due to disabling or enabling features in the deployment package, FortiClient still requires
a system reboot.

To deploy FortiClient upgrade:

1. In EMS, go to Deployment & Installers > FortiClient Installer.

2. Click Add.
3. Create a deployment package for FortiClient 7.4.0 with auto registration enabled.

4. Go to Deployment & Installers > Manage Deployment.

5. Create a deployment configuration.
6. From the Deployment Package dropdown list, select the FortiClient 7.4.0 deployment package.
7. Enable Reboot When Needed.
8. Configure other fields as desired, then click Save.
9. On a FortiClient registered to EMS, after the profile updates synchronize, FortiClient displays a notification that an
upgrade is available.

The endpoint details page in EMS shows that the deployment process has started on the endpoint. On the endpoint,
a FortiTray icon displays for the upgrade. Click it to open the FortiClient Setup dialog. Click OK to start the upgrade
at the scheduled time.

FortiClient & FortiClient EMS 7.4 New Features Guide 9

Fortinet Inc.
ZTNA

You can monitor the upgrade process in the FortiClient Setup dialog. The FortiClient upgrade succeeds without
requiring a system reboot in this case because the upgraded version's driver versions are the same as the previous
version's. FortiClient autoconnects to EMS after the upgrade and shows the latest version on the About tab. The
endpoint details page in EMS shows that deployment is complete on that endpoint.

Zero Trust tag renamed to security posture tag

In FortiClient & FortiClient EMS 7.4.0, "Zero Trust tags" have been renamed to "security posture tags". This change
reflects that these tags are not exclusively used for the zero trust network access (ZTNA) use case. You can use these
tags for grouping and classifying endpoints for various use cases, including IP or MAC address-based access control on
FortiOS, ZTNA proxy posture check, and other Fortinet Security Fabric devices doing network access control.
The use of "Zero Trust tags" has been updated to use "security posture tags" across the FortiClient & FortiClient EMS
GUIs. The following screenshots show some examples of where the changes have been made.
On the FortiClient avatar page, Security Posture Tags replaces Zero Trust Tags.

FortiClient & FortiClient EMS 7.4 New Features Guide 10

Fortinet Inc.
ZTNA

In EMS, Security Posture Tags, Security Posture Tagging Rules, and Security Posture Tag Monitor replace Zero Trust
Tags, Zero Trust Tagging Rules, and Zero Trust Tag Monitor on the left pane. The top navigation pane and category
name are also updated to use Security Posture instead of Zero Trust.

Support security posture rules based on CrowdStrike ZTA score 7.4.1

The CrowdStrike agent performs a zero trust assessment (ZTA) and stores the result on the host. This information is
directly available to other software that runs on the host, such as FortiClient. The ZTA generates a score between 1 to
100. You can create a security posture tagging rule to tag endpoints based on their ZTA score.

To create the ZTA tagging rule:

1. In EMS, go to Security Posture Tags > Tagging Rules.

2. Click Add.
3. In the Tag Endpoint As field, enter the desired name. This example uses a tag named crowd_equalto_75.
4. Click Add Rule.
5. For OS, select Windows.
6. From the Rule Type dropdown list, select CrowdStrike ZTA Score.
7. In the CrowdStrike ZTA Score field, you can configure comparative operators =, >, <, >=, and <=. For example, you
can configure a tagging rule for endpoints that have a ZTA score equal to or greater than 75. In this example, the
rule tags endpoints that have a ZTA score equal to 75.

FortiClient & FortiClient EMS 7.4 New Features Guide 11

Fortinet Inc.
ZTNA

8. Click Save.
9. Configure other fields as desired, then click Save.

To verify the rule configuration:

1. On an endpoint with a ZTA score of 75, click the FortiClient user avatar. For Security Posture Tags, the crowd_
equalto_75 tag displays.

2. In EMS, you can verify the tagged endpoint in Security Posture Tags > Tag Monitor and Security Posture Tags in
the endpoint summary in Endpoints.

FortiClient & FortiClient EMS 7.4 New Features Guide 12

Fortinet Inc.
ZTNA

3. If EMS is part of a Fortinet Security Fabric with a FortiGate, verify that FortiOS displays the tags in Policy & Objects
> ZTNA > Security Posture Tags > Security Posture IP Tag.

FortiTray icons for On-Fabric and VPN connection status - 7.4.1

FortiTray, visible in the Windows System Tray, now shows different icons to represent FortiClient's On-Fabric and VPN
connection status. Likewise, hovering over the tray icon will display a message that describes the current status.

To review the connection status in FortiTray:

a. In the endpoint, connect to FortiClient EMS and ensure it is reachable through both Wi-Fi and Ethernet.
b. In FortiClient EMS, create an On-Fabric Detection Rule and assign it to the configured profile.

FortiClient & FortiClient EMS 7.4 New Features Guide 13

Fortinet Inc.
ZTNA

c. Review the status:

l If the endpoint is connected to the network through Ethernet alone, the Status should display Off-fabric and the
FortiTray logo will have a gray icon.

Hovering over the icon will display an off-fabric message.

FortiClient & FortiClient EMS 7.4 New Features Guide 14

Fortinet Inc.
ZTNA

l If the endpoint is connected to the network through Wi-Fi alone, the Status should display On-fabric and the
FortiTray logo will have a green icon. Hovering over the icon will display an on-fabric message.

Connecting to a VPN tunnel will then result in an orange icon and an updated status message.

FortiClient & FortiClient EMS 7.4 New Features Guide 15

Fortinet Inc.
ZTNA

If FortiClient disconnects from the VPN tunnel and attempts to reestablish the connection, the icon will display
arrows

FortiClient & FortiClient EMS 7.4 New Features Guide 16

Fortinet Inc.
ZTNA

Sending email events from the Microsoft Exchange server - 7.4.1

FortiClient can be configured to send email events from Microsoft Exchange server. These events can contain metadata
such as the email sender, email recipient, date/time, subject, size, IP address, and so on. This metadata can be used by
a SOAR or SIEM to correlate with security events.

To send email events from the Microsoft Exchange server to FortiAnalyzer:

1. In FortiClient EMS, edit the XML settings to enable send_ms_exch_events and define the interval.

2. Set the following registry to true:

Path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_
DBLOG

Value name send_exch_events

Value TRUE

3. Configure the exchange server.

4. In FortiAnalyzer, verify that the Exchange server event was transmitted from FortiClient in Log View > Fabric using
the filter Host OS Family=MS Exchange.

Support ZTNA destinations over UDP - 7.4.1

ZTNA destinations are now supported over UDP. Previously ZTNA destinations only supported TCP.

Though FortiClient supports ZTNA over UDP, it also depends on if the individual application is
using UDP protocol to transfer network traffic at that time.

FortiClient & FortiClient EMS 7.4 New Features Guide 17

Fortinet Inc.
ZTNA

To configure a ZTNA destination over UDP:

1. On the FortiGate, configure H3 support:

config firewall vip
edit "ZTNA-Server"
set type access-proxy
set server-type https
set extip 10.152.35.188
set h3-support enable
set extintf "port1"
set extport 8445
set ssl-certificate "Fortinet_Factory"
next
end

2. In FortiClient EMS, Go to Fabric & Connectors > ZTNA Applications Catalog.

3. Locate the ZTNA applications synchronized from the FortiGate configuration as a result of establishing telemetry
connections between the FortiGate and FortiClient EMS.
4. Switch to Gateway View.
5. Configure the FQDN for the ZTNA proxy gateway.
6. Add the ZTNA destination from the FortiClient EMS endpoint:
a. Go to ZTNA Destinations.
b. Add a ZTNA destination that supports ZTNA over UDP.
c. Click Save.
d. Go to the XML tab and set the <enable_udp> tag to 1 under the ZTNA rule that was added:
<?xml version="1.0" ?>
<forticlient_configuration>
<ztna>
<enabled>1</enabled>
<notify_on_error>1</notify_on_error>
<portals_enabled>1</portals_enabled>
<web_proxy_rules>
<web_proxy_rule>
<gateway>fgt2.bala.com</gateway>
<gateway_ip>10.152.35.188:8445</gateway_ip>
</web_proxy_rule>
</web_proxy_rules>
<gateways_enabled>1</gateways_enabled>
<allow_personal_rules>1</allow_personal_rules>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<rules>
<rule uid="00000000">
<name>8.8.8.8/255.255.255.255</name>
<enable_udp>1</enable_udp>
<type>private</type>
<app_uid>00000000</app_uid>
<allow_all_gateways>1</allow_all_gateways>
<mask>255.255.255.255</mask>
<encryption>0</encryption>
<mode>transparent</mode>
<destination>8.8.8.8</destination>
<gateway>fgt2.bala.com:8445</gateway>

FortiClient & FortiClient EMS 7.4 New Features Guide 18

Fortinet Inc.
ZTNA

Endpoint: Remote Access

IPsec VPN over TCP 7.4.1

IPsec VPN, dependent on UDP, can now run over TCP. IPsec over TCP can help VPN traffic pass through restrictive
firewalls, especially when only TCP-based traffic is allowed. You can configure an IPsec VPN tunnel to use UDP or TCP
exclusively or automatically switch to TCP mode if the firewall blocks UDP mode. In high latency or congested networks,
UDP-based VPN connections may experience packet loss or degradation in performance. TCP's built-in mechanisms for
error correction and retransmission can improve the reliability and stability of the VPN connection in these conditions.
IPsec over TCP is especially useful in mobile or dynamic environments (e.g., public Wi-Fi, hotel networks, or cellular
data) where the network conditions or restrictions can vary significantly. It allows for more seamless and stable VPN
connectivity in a wider range of scenarios.

To configure this feature:

1. FortiOS 7.4.5 and 7.6 use IKE ports 500 and 4500 for UDP and TCP, respectively, for NAT traversal. You can
configure custom ports as follows:
config system settings
set ike-port 5000
set ike-tcp-port 5500
end

2. In EMS, you can configure this feature using <transport_mode>. The following summarizes the available values
for this element:

Value Description
0 UDP transport mode. This is the default and used for most VPN connections.
1 TCP transport mode. This is recommended for use in restrictive networks.
2 Auto mode. FortiOS dynamically selects the transport mode.

You can also configure custom ports using the <tcp_port> and <udp_port> elements. The following provides
an example of the <transport_mode> and <udp_port> elements. This example does not include all elements
required for a functioning VPN connection:
<forticlient_configuration>
<vpn>
<ipsecvpn>
<connections>
<connection>
<transport_mode>1</transport_mode>
<tcp_port>5500</tcp_port>
</connection>

FortiClient & FortiClient EMS 7.4 New Features Guide 19

Fortinet Inc.
ZTNA

</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>

The following describes configuring IPsec VPN for UDP, TCP, or auto mode.

Example: Configuring UDP transport mode

UDP is the standard IPsec VPN transport mode that encapsulates IPsec VPN traffic within UDP packets.

To configure UDP transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface
edit "v2_psk-120"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384
chacha20poly1305-prfsha256
set localid "120"
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set transport udp
set ipv4-start-ip 9.5.6.7
set ipv4-end-ip 9.5.6.70
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWz
hwk3TA6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopa
aGd4yhaSxO+cWxxdDwehLVlmMjY3dkVA
next
end

2. In EMS, go to Endpoint Profiles > Remote Access.

FortiClient & FortiClient EMS 7.4 New Features Guide 20

Fortinet Inc.
ZTNA

<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<disallow_invalid_server_certificate>0</disallow_invalid_server_
certificate>
<negative_split_tunnel_metric/>
<enabled>1</enabled>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<no_dns_registration>0</no_dns_registration>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<block_ipv6>1</block_ipv6>
<show_auth_cert_only>0</show_auth_cert_only>
<use_gui_saml_auth>0</use_gui_saml_auth>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>10.152.35.150</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>0</transport_mode>
<udp_port>5000</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>

FortiClient & FortiClient EMS 7.4 New Features Guide 21

Fortinet Inc.
ZTNA

<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<auth_data>
<preshared_key>Enc
56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>

FortiClient & FortiClient EMS 7.4 New Features Guide 22

Fortinet Inc.
ZTNA

</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<uselocalcert>0</uselocalcert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<disable_default_route>0</disable_default_route>
<disallow_invalid_server_certificate>0</disallow_invalid_server_
certificate>
<usewincert>1</usewincert>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<use_win_current_user_cert>1</use_win_current_user_cert>
<no_dns_registration>0</no_dns_registration>
<block_ipv6>1</block_ipv6>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
</options>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<icdb_domains/>
<domains/>
<apps/>
</exceptions>

FortiClient & FortiClient EMS 7.4 New Features Guide 23

Fortinet Inc.
ZTNA

<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>0</secure_remote_access>
<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_negotiation_wnd>0</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<disable_connect_disconnect>0</disable_connect_disconnect>
<after_logon_saml_auth>0</after_logon_saml_auth>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel.

6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows the
UDP custom port value and transport shows UDP:
vd: root/0
name: v2_psk-120_0
version: 2

FortiClient & FortiClient EMS 7.4 New Features Guide 24

Fortinet Inc.
ZTNA

interface: port1 3
addr: 10.152.35.150:5000 -> 10.152.35.193:5000
tun_id: 9.5.6.7/::10.0.0.22
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 169.254.1.1 -> 169.254.1.1
created: 633s ago
eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: 9.5.6.7/255.255.255.255
nat: peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 20/20/20 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 22 e14bbad06bc282a3/fd72048d5f1911d7
direction: responder
status: established 633-633s ago = 20ms
proposal: aes256-sha256
child: no
SK_ei: 7cf79efa1dd1964a-98692d8f641b6624-be5dd5c659abccc9-b79d6391beb1af0e
SK_er: 73cf8cf9ec463dee-a7d2cf4acfa23cf9-2428429fbfd88dd9-faf6261916aa13c5
SK_ai: 81037c42a5f9e571-0eafd0157a02a501-948abb44f1f23603-3b9b5553a08aa135
SK_ar: 7ddb59bdbffab109-76bc5dfb810f7707-54fb81094e46345a-0b9b4ad5dc49c8d3
PPK: no
message-id sent/recv: 0/132
QKD: no
lifetime/rekey: 86400/85496
DPD sent/recv: 00000000/00000000
peer-id: 120

Example: Configuring TCP transport mode

TCP mode ensures VPN traffic can pass through restrictive firewalls that block UDP traffic but allow TCP, such as port
443 (HTTPS). You can specify a custom port to avoid conflict with the management port on the FortiGate.

To configure UDP transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

FortiClient & FortiClient EMS 7.4 New Features Guide 25

Fortinet Inc.
ZTNA

chacha20poly1305-prfsha256
set localid "120"
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set transport tcp
set ipv4-start-ip 9.5.6.7
set ipv4-end-ip 9.5.6.70
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWz
hwk3TA6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopa
aGd4yhaSxO+cWxxdDwehLVlmMjY3dkVA
next
end

2. In EMS, go to Endpoint Profiles > Remote Access.

3. Select an existing profile or create a new one.
4. Click XML, then Edit. The following provides an example XML configuration for the feature:
<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<connections/>
<options>
<dnscache_service_control>0</dnscache_service_control>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<disallow_invalid_server_certificate>0</disallow_invalid_server_
certificate>
<negative_split_tunnel_metric/>
<enabled>1</enabled>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<no_dns_registration>0</no_dns_registration>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<block_ipv6>1</block_ipv6>
<show_auth_cert_only>0</show_auth_cert_only>
<use_gui_saml_auth>0</use_gui_saml_auth>
</options>
</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>

FortiClient & FortiClient EMS 7.4 New Features Guide 26

Fortinet Inc.
ZTNA

<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>10.152.35.150</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>1</transport_mode>
<tcp_port>5500</tcp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<auth_data>
<preshared_key>Enc
56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<xauth_timeout>120</xauth_timeout>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>

FortiClient & FortiClient EMS 7.4 New Features Guide 27

Fortinet Inc.
ZTNA

<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>

FortiClient & FortiClient EMS 7.4 New Features Guide 28

Fortinet Inc.
ZTNA

FortiClient & FortiClient EMS 7.4 New Features Guide 29

Fortinet Inc.
ZTNA

</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel.

6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows the
TCP custom port value and transport shows TCP:
vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: 10.152.35.150:5500 -> 10.152.35.193:54854
tun_id: 9.5.6.7/::10.0.0.23
remote_location: 0.0.0.0
network-id: 0
transport: TCP
virtual-interface-addr: 169.254.1.1 -> 169.254.1.1
created: 592s ago
eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: 9.5.6.7/255.255.255.255
nat: me peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 80/80/80 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 23 93b6803bff7cff00/f89d6f9965fbf3a7
direction: responder
status: established 592-592s ago = 80ms
proposal: aes256-sha256
child: no
SK_ei: f93108f3f8d9a94e-3e0a78289defb329-4d1ae67365f2cb56-e0d471a57ccb4f8d
SK_er: 58b37cf4d2e96cb3-cb7e334a48905459-ac8e4ff743c86e5c-630454f2e35b97e6
SK_ai: fc83b139808121a2-1dd68396d804e28d-bd619c0c4778dbda-9a1eb9e6fdf13808
SK_ar: edad89ee56bf9ecc-81443426c00c78f5-0574d6b71163a43b-d9ebf04c3ae4b87f
PPK: no
message-id sent/recv: 0/124
QKD: no
lifetime/rekey: 86400/85537
DPD sent/recv: 00000000/00000000
peer-id: 120

Example: Configuring auto transport mode

In auto mode, the FortiGate dynamically selects the best mode based on the network conditions. If UDP traffic is
blocked, it will switch to TCP transport mode automatically.
This provides flexibility to the VPN connection, ensuring the best possible transport method is used for stable and
reliable connectivity.

FortiClient & FortiClient EMS 7.4 New Features Guide 30

Fortinet Inc.
ZTNA

To configure UDP transport mode:

1. In FortiOS, configure an IPsec VPN IKEv2 tunnel:

config vpn ipsec phase1-interface
edit "v2_psk-120"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384
chacha20poly1305-prfsha256
set localid "120"
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set transport udp-fallback-tcp
set ipv4-start-ip 9.5.6.7
set ipv4-end-ip 9.5.6.70
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC
STwYpf2ddbBq+9YPcCGIFoBBk4N7lbCV1CtQ43ABjxb3RalrZrmrUv0lyYCaqrpy9ReJb4pj98coVdNtSd9PrWWz
hwk3TA6AhbQqdDpierIe+WgNYOlPCrVkTMJXOMC+EGo0/Bk5q/othaLhIQNWeyaZcjFiwNYv4Eq8kjsPxIWguopa
aGd4yhaSxO+cWxxdDwehLVlmMjY3dkVA
next
end

2. In EMS, go to Endpoint Profiles > Remote Access.

FortiClient & FortiClient EMS 7.4 New Features Guide 31

Fortinet Inc.
ZTNA

</sslvpn>
<ipsecvpn>
<connections>
<connection>
<name>v2_psk_120</name>
<uid>FE3DDC0A-C4D4-48CB-8FF6-3B88EED55A03</uid>
<machine>0</machine>
<keep_running>0</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<show_passcode>1</show_passcode>
<save_username>1</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>10.152.35.150</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>2</transport_mode>
<tcp_port>5500</tcp_port>
<udp_port>5000</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<xauth_timeout>120</xauth_timeout>
<auth_data>
<preshared_key>Enc

FortiClient & FortiClient EMS 7.4 New Features Guide 32

Fortinet Inc.
ZTNA

56ab85d0afa80ae6acb61fdfc19dc33b917298bf68f004a3e49a2e0684c4</preshared_key>
</auth_data>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
<network>
<addr>::/0</addr>
<mask>::/0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<android_cert_path/>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<on_connect>
<script>
<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_connect>
<on_disconnect>
<script>

FortiClient & FortiClient EMS 7.4 New Features Guide 33

Fortinet Inc.
ZTNA

<os>windows</os>
<script/>
</script>
<script>
<os>MacOSX</os>
<script/>
</script>
<script>
<os>linux</os>
<script/>
</script>
</on_disconnect>
<traffic_control>
<enabled>0</enabled>
<mode>1</mode>
</traffic_control>
</connection>
</connections>
<options>
<uselocalcert>0</uselocalcert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<check_for_cert_private_key>0</check_for_cert_private_key>
<disable_default_route>0</disable_default_route>
<disallow_invalid_server_certificate>0</disallow_invalid_server_
certificate>
<usewincert>1</usewincert>
<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<use_win_current_user_cert>1</use_win_current_user_cert>
<no_dns_registration>0</no_dns_registration>
<block_ipv6>1</block_ipv6>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<show_auth_cert_only>0</show_auth_cert_only>
</options>
</ipsecvpn>
<lockdown>
<exceptions>
<ips/>
<icdb_domains/>
<domains/>
<apps/>
</exceptions>
<grace_period>120</grace_period>
<max_attempts>3</max_attempts>
<enabled>0</enabled>
</lockdown>
<options>
<show_vpn_before_logon>0</show_vpn_before_logon>
<use_windows_credentials>0</use_windows_credentials>
<certs_require_keyspec>0</certs_require_keyspec>
<on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
<secure_remote_access>0</secure_remote_access>

FortiClient & FortiClient EMS 7.4 New Features Guide 34

Fortinet Inc.
ZTNA

<on_os_start_connect/>
<allow_personal_vpns>1</allow_personal_vpns>
<show_negotiation_wnd>0</show_negotiation_wnd>
<suppress_vpn_notification>0</suppress_vpn_notification>
<autoconnect_on_install>0</autoconnect_on_install>
<keep_running_max_tries>0</keep_running_max_tries>
<disable_connect_disconnect>0</disable_connect_disconnect>
<after_logon_saml_auth>0</after_logon_saml_auth>
<minimize_window_on_connect>1</minimize_window_on_connect>
</options>
</vpn>
<endpoint_control>
<ui>
<display_vpn>1</display_vpn>
</ui>
</endpoint_control>
</forticlient_configuration>

5. In FortiClient, connect to the tunnel. If the network blocks UDP, the connection switches to TCP transport mode
automatically.
6. In FortiOS, run diagnose vpn ike gateway list to verify the IPsec VPN tunnel status. Note addr shows the
TCP custom port value and transport shows TCP if the network blocks UDP:
vd: root/0
name: v2_psk-120_0
version: 2
interface: port1 3
addr: 10.152.35.150:5500 -> 10.152.35.193:54854
tun_id: 9.5.6.7/::10.0.0.23
remote_location: 0.0.0.0
network-id: 0
transport: TCP
virtual-interface-addr: 169.254.1.1 -> 169.254.1.1
created: 592s ago
eap-user: ipsec
2FA: no
peer-id: 120
peer-id-auth: no
FortiClient UID: B70BAD123010487E86DB102969115E99
assigned IPv4 address: 9.5.6.7/255.255.255.255
nat: me peer
pending-queue: 0
PPK: no
IKE SA: created 1/1 established 1/1 time 80/80/80 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

FortiClient & FortiClient EMS 7.4 New Features Guide 35

Fortinet Inc.
ZTNA

message-id sent/recv: 0/124

QKD: no
lifetime/rekey: 86400/85537
DPD sent/recv: 00000000/00000000
peer-id: 120

Configure IPsec IKEv2 on multiple protocols - 7.4.1

Previously IPsec VPNs exclusively used UDP. Now an IPsec IKEv2 tunnel can be configured to use TCP, Auto, or UDP.
The advantage of using TCP is that the network traffic can use port 443, normally already opened on the firewall.

To configure IKEv2 protocol in the FortiClient EMS GUI:

1. In FortiClient EMS, go to Endpoint Profiles > Remote Access.

2. Create a new IPsec VPN tunnel.
3. In VPN Settings, Set IKE to Version 2.
4. Select the Encapsulation mode:
l IKE UDP Port

l IPsec over TCP

FortiClient & FortiClient EMS 7.4 New Features Guide 36

Fortinet Inc.
ZTNA

l Auto

To view and modify the IKEv2 protocol in the XML editor:

1. In Endpoint Profiles > Remote Access, select the VPN tunnel and click Edit.
2. Edit the <transport_mode> tag:
l For UDP, set 0.
l For TCP, set 1.
l For Auto, set 2.

To configure IKEv2 protocol in the FortiClient GUI:

1. Go to Remote Access.
2. Create a new VPN connection.

FortiClient & FortiClient EMS 7.4 New Features Guide 37

Fortinet Inc.
ZTNA

3. In Advanced Settings > VPN Settings:

a. Set IKE to Version 2.
b. Select the Encapsulation mode.
c. Click Save.

IKEv2 session resumption - 7.4.1

IKEv2 session resumption enhances IPsec with session resumption capabilities, allowing clients to quickly reconnect to
VPN gateways without needing to restart the full negotiation process. This feature is beneficial in mobile environments or
high-availability scenarios, where users frequently switch networks or face network outages.

This feature requires one of the following FortiOS versions:

l 7.4.4 and later

l 7.6

To configure IKEv2 session resumption:

1. On the FortiGate, enable client resume functionality:

FortiClient & FortiClient EMS 7.4 New Features Guide 38

Fortinet Inc.
ZTNA

chacha20poly1305-prfsha256
set localid "120"
set dpd on-idle
set comments "VPN: v2_psk-120 (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set authusrgrp "IPSEC"
set client-resume enable
set client-resume-interval 120
...
next
end

This configuration allows a 120 second window for session resumption.

2. On the FortiClient EMS, configure <session_resume>:
<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<ipsecvpn>
<connections>
<connection>
<name>IPsec_VPN_session resumption</name>
...
<ike_settings>
<server>10.152.35.150</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>2</transport_mode>
<tcp_port>4500</tcp_port>
<udp_port>500</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid>120</localid>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<nat_alive_freq>5</nat_alive_freq>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<sso_enabled>0</sso_enabled>
<session_resume>1</session_resume>
<networkid>0</networkid>

FortiClient & FortiClient EMS 7.4 New Features Guide 39

Fortinet Inc.
ZTNA

...
</ike_settings>
...

3. If the network connection is lost or the client device goes to sleep, the FortiGate starts a client-resume sleep period.
When the network connectivity is restored or the device wakes up, FortiClient will attempt to resume the session.
l If FortiClient resumes within the set interval (120 seconds), the FortiGate detects that the client has resumed
and the existing session is maintained, as is displayed in this example debug log:
ike V=root:0:v2_psk-120_0: starting client-resume sleep period 120 sec (1)
ike V=root:0: comes 172.19.200.112:64917-
>10.152.35.150:4500,ifindex=4,vrf=0,len=84....
ike V=root:0: IKEv2 exchange=INFORMATIONAL
id=f92b4d7d59bca602/c38e3c8ae542e2c1:00000008 len=80
ike 0: in
F92B4D7D59BCA602C38E3C8AE542E2C12E202508000000080000005000000034F2CBE78DC8ACBDE5D79B
36F2B7
C03321B73F8829E4964786BE4C057209F43AA7A64139F193A7DB3692C4E12F91D2B05E
ike V=root:0:v2_psk-120_0: client has resumed (1)
ike 0:v2_psk-120_0:2433: out
...

l If FortiClient doesn't resume within the set interval, the session expired on the FortiGate and the tunnel is
deleted. FortiClient must initiate a new full IKEv2 negotiation for reconnection.

FortiClient & FortiClient EMS 7.4 New Features Guide 40

Fortinet Inc.
FortiClient EMS

ZTNA

MDM integration support for EMS HA, FortiClient Cloud, and multitenancy

The following EMS setups now support mobile device management (MDM) integration:
l EMS in high availability (HA) mode
l FortiClient Cloud
l EMS with multitenancy enabled
You can now access System Settings > MDM Integration from the GUI in the aforementioned setups and configure
integration with Workspace ONE, Microsoft Intune, and Jamf in the same way as on the regular on-premise EMS GUI.
The following shows the MDM Integration page in FortiClient Cloud as an example.

FortiClient & FortiClient EMS 7.4 New Features Guide 41

Fortinet Inc.
FortiClient EMS

ZTNA application catalog - 7.4.1

This feature uses the Fortinet Security Fabric connector between EMS and FortiOS to detect and retrieve a list of zero
trust network access (ZTNA) applications. This connector allows EMS to automatically learn which TCP forwarding/non-
web ZTNA applications are configured on FortiGates and display them in a prepopulated list. You can use this list to
configure ZTNA profiles on EMS for these applications without manually reentering the information, which is time-
consuming and error-prone. Automating the retrieval of ZTNA application lists from FortiOS saves time and reduces
administrative overhead. Ensuring consistency in application configuration across endpoints is crucial to maintain
security and operational efficiency.
For more information about this feature, see ZTNA application catalog.

FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications

- 7.4.1

FortiClient EMS uses its Fabric Connector to the FortiGate to retrieve non-web (TCP forwarding) ZTNA applications
configured on the FortiGate and adds them to its new ZTNA Applications Catalog. When the EMS Administrator creates
a ZTNA Remote Access profile, they can choose applications from the ZTNA Applications Catalog, no longer needing to
re-define them in EMS.

To auto-detect configuration of non-web ZTNA applications:

1. Configure the FortiGate ZTNA application rule:

2. Go to Policy & Objects > ZTNA > ZTNA Servers.

FortiOS should be on version 7.4.4 or above.

a. Click Create New.

b. Configure the ZTNA server.

FortiClient & FortiClient EMS 7.4 New Features Guide 42

Fortinet Inc.
FortiClient EMS

c. Click OK.
3. Create the Fabric connection between the FortiGate and FortiClient EMS:
a. Go to Security Fabric > Fabric Connectors.
b. Select the FortiClient EMS card.
c. Enter the FortiClient EMS IP address and authorize the Fabric connection.

d. On FortiClient EMS, go to Fabric & Connectors > Fabric Devices > Standalone devices. The FortiGate Fabric
connection is visible.

FortiClient & FortiClient EMS 7.4 New Features Guide 43

Fortinet Inc.
FortiClient EMS

e. Go to Fabric & Connectors > ZTNA Applications Catalog. You can switch between Applications View and
Gateway View.
Applications View displays auto-detected and manually added ZTNA applications.

Gateway View displays ZTNA applications by ZTNA proxy gateway.

4. Select which applications to provision as part of the ZTNA Destinations profile onto endpoint groups:
a. Go to Endpoint Profiles > ZTNA Destinations.
b. In the Default (Advanced) profile, under Rules, click Add.
c. Select the required applications in the ZTNA applications dialog.

FortiClient & FortiClient EMS 7.4 New Features Guide 44

Fortinet Inc.
FortiClient EMS

d. Click Finish.

e. Save the profile.

5. On the endpoint, in FortiClient, go to ZTNA Destination. The list of ZTNA applications learned from the FortiGate
through FortiClient EMS are populated.

FortiClient & FortiClient EMS 7.4 New Features Guide 45

Fortinet Inc.
FortiClient EMS

Removing support for legacy SKUs

EMS 7.4 does not support the following legacy licenses:

l FC1-15-EMS01-297-01-DD
l FC2-15-EMS01-297-01-DD
l FC3-15-EMS01-297-01-DD
l FC4-15-EMS01-297-01-DD
l FC1-15-EMS03-297-01-DD
l FC2-15-EMS03-297-01-DD
l FC1-15-EMS03-298-01-DD
l FC2-15-EMS03-298-01-DD
l FC1-15-EMS01-299-01-DD
l FC2-15-EMS01-299-01-DD
l FC3-15-EMS01-299-01-DD
When you attempt to upload a legacy license to EMS 7.4, EMS prevents its usage and shows an Unsupported license
type error.

FortiClient & FortiClient EMS 7.4 New Features Guide 46

Fortinet Inc.
FortiClient EMS

You may be using the EMS migration tool to migrate your Windows Server-based EMS 7.2 to the Linux-based EMS 7.4.
If you attempt to migrate EMS 7.2 using a legacy license to EMS 7.4 using the migration tool, the migration tool aborts
the process and displays a Current EMS Windows license is not supported in EMS Linux,
migration is aborted message.

FortiClient (Linux) installer creation support

EMS can create FortiClient (Linux) installers and deploy them to Linux endpoints. It can perform scheduled or on-
demand deployments for FortiClient (Linux) as required. This replaces the manual repackaging tool used to add Linux
installers to EMS as EMS adds the telemetry IP address to the installer during deployment. You no longer have to
download FortiClient (Linux) installers and perform manual installs.
This example creates an installer to upgrade FortiClient (Linux) 7.2.4 to 7.4.0.

To configure FortiClient (Linux) deployment in EMS:

1. In EMS, create the FortiClient (Linux) deployment package:

a. Go to Deployment & Installers > FortiClient Installer.
b. Click Add.
c. Under Installer Type, select Create installer.
d. From the Release dropdown list, select 7.4.

FortiClient & FortiClient EMS 7.4 New Features Guide 47

Fortinet Inc.
FortiClient EMS

e. From the Patch dropdown list, select 7.4.0.

f. Configure other options as desired, then click Finish.

2. Go to Deployment & Installers > Manage Deployment.
3. Click Add.
4. For Action, select Install.
5. From the Deployment Package dropdown list, select the deployment package that you created.

FortiClient & FortiClient EMS 7.4 New Features Guide 48

Fortinet Inc.
FortiClient EMS

6. Configure other options as desired, then click Save.

FortiClient & FortiClient EMS 7.4 New Features Guide 49

Fortinet Inc.
FortiClient EMS

FortiClient & FortiClient EMS 7.4 New Features Guide 50

Fortinet Inc.
FortiClient EMS

To verify FortiClient (Linux) deployment on the endpoint:

You can only view FortiClient (Linux) deployment progress from the CLI. You can refer to
/var/log/forticlient/.epctrl.log for deployment updates. The following shows the log for when FortiClient
(Linux) receives the upgrade notification from EMS:
20240405 14:59:04.376 TZ=-0700 [epctrl:DEBG] state_machine:904 REPLY=FCKARPLY:
CONT|1|EMSSN|FCTEMS123456:EMA-Linux-2|UPLD_PRT|8013|KA_INTERVAL|20|LIC_FEATS|14613503|LIC_
ED|1744700400|SNAPTIME|0|QUAR|0|AVTR|1|AV_SIG|92.3103|EMS_ONNET|0|RUN_SRV_CMD|4|UPGRADE_
PATH|10.1.1.8:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.4.0.deb|DEVICE_
ID|4|SCH_ID|1369|REBOOT_
PROMPT|1|AUTOREBOOT0USERS|1|REBOOTWHENNEEDED|1|UNATTENDED|0|FILESHA256|b3fa3da02d4dc6119ba91
0eb50a4de4481ba199300c90b679b2fe1f48dc906b6|FILESIZE|281080740|TAGS|100000000000000000000000
000000000000000000000000000000000|SERIAL|abcdefg|TENANT|00000000000000000000000000000000|PRO
TO_VERSION|1.0.0|PERCON|0|

FortiClient (Linux) downloads the deployment package from EMS:

20240405 14:59:26.550 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to
EMS: Downloading
20240405 14:59:26.551 TZ=-0700 [epctrl:INFO] data_downloader:83 Added download: upgrade
installer
20240405 14:59:26.551 TZ=-0700 [epctrl:INFO] data_downloader:126 Processing download:
upgrade installer
20240405 14:59:26.551 TZ=-0700 [epctrl:WARN] deployment:88 Unable to open file
/var/lib/forticlient/deploy/forticlient.deb
20240405 14:59:26.551 TZ=-0700 [epctrl:INFO] data_downloader:193 Downloading data from
10.1.1.8:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.4.0.deb
20240405 14:59:26.577 TZ=-0700 [epctrl:DEBG] network_impl:351 Server certificate matches the
current fingerprint
20240405 14:59:27.105 TZ=-0700 [epctrl:DEBG] data_downloader:287 Downloaded from
https://10.1.1.8:10443/installers/default/7.4.0%20GA/FortiClientSetup_7.4.0.deb [response:
200, transferred: 281080740]
20240405 14:59:27.322 TZ=-0700 [epctrl:INFO] data_downloader:393 Upgrade installer
successfully downloaded

FortiClient (Linux) installs the deployment package:

20240405 14:59:27.386 TZ=-0700 [epctrl:INFO] deployment_checker:255 Sent current status to
EMS: Install Started
20240405 14:59:27.386 TZ=-0700 [epctrl:INFO] deployment_checker:281 Starting upgrade
20240405 14:59:27.386 TZ=-0700 [epctrl:INFO] deployment_impl:155 Detected OS: ubuntu
20240405 14:59:27.398 TZ=-0700 [epctrl:INFO] deployment_impl:165 Install package version:
7.4.0.1617
20240405 14:59:27.398 TZ=-0700 [epctrl:INFO] deployment_impl:167 Current package version:
7.2.4.0809
20240405 14:59:27.398 TZ=-0700 [epctrl:INFO] deployment_impl:170 Install command: DEBIAN_
FRONTEND=noninteractive /usr/bin/systemd-run --scope /usr/bin/apt-get --allow-downgrades --
reinstall -y install /var/lib/forticlient/deploy/forticlient.deb
20240405 14:59:38.574 TZ=-0700 [epctrl:INFO] main:25 Starting endpoint control
20240405 14:59:38.574 TZ=-0700 [epctrl:DEBG] state_machine:146 In state: Initialize
20240405 14:59:38.575 TZ=-0700 [epctrl:INFO] epctrl_impl:184 Starting network monitor
20240405 14:59:38.582 TZ=-0700 [epctrl:INFO] endpoint_impl:889 Loading repackaged installer
info
20240405 14:59:38.596 TZ=-0700 [epctrl:INFO] endpoint_impl:939 Loaded on-prem invitation
info from installer
20240405 14:59:38.596 TZ=-0700 [epctrl:INFO] endpoint_impl:989 Loaded installer server info:
10.1.1.8:8013 (Site: default)

FortiClient & FortiClient EMS 7.4 New Features Guide 51

Fortinet Inc.
FortiClient EMS

Upon successful installation, /var/log/forticlient/deploy.log is updated with the last deployment statistics:
Running scope as unit: run-r39d2deba500f46c3bd3f2d2db4695278.scope
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
forticlient
1 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
Need to get 0 B/281 MB of archives.
After this operation, 91.7 MB of additional disk space will be used.
Get:1 /var/lib/forticlient/deploy/forticlient.deb forticlient amd64 7.4.0.1617 [281 MB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 193069 files and directories currently installed.)
Preparing to unpack .../deploy/forticlient.deb ...
Module "FortiClient ZTNA" deleted from database.
Unpacking forticlient (7.4.0.1617) over (7.2.4.0809) ...
Setting up forticlient (7.4.0.1617) ...
gtk-update-icon-cache: Cache file created successfully.
Processing triggers for hicolor-icon-theme (0.17-2) ...
Processing triggers for gnome-menus (3.36.0-1ubuntu3) ...
Processing triggers for mailcap (3.70+nmu1ubuntu1) ...
Processing triggers for desktop-file-utils (0.26-1ubuntu3) ...

In EMS, the endpoint details show that deployment finished and the new FortiClient version installed successfully.

Linux-based EMS model

EMS 7.4.0 introduces a shift to a Linux-based model from the Windows Server-based model in earlier EMS versions.
This change provides numerous benefits, including improved architecture and flexibility.
See the following documents for information on this change:
l EMS 7.4 Install and Migration Guide
l Management capacity
l EMS 7.4.0 Release Notes

Because implementing or migrating to EMS 7.4.0 on the Linux platform can be complex,
Fortinet highly recommends FortiClient Best Practices Service (BPS).
FortiClient BPS is an account-based annual subscription providing access to a specialized
team that delivers remote guidance on deployment, upgrades, and operations. The service
allows customers to share information about their deployment, user requirements, resources,
and other related items. Based on the information provided, the BPS experts can provide
recommended best practices, sample code, links to tools, and other materials or assistance to
speed adoption and guide the customer towards best practice deployments. The team does
not log into customer devices to make changes for them. This is a consulting and guidance
service which may include sample configurations or playbooks. This is not an on-site
professional services offer.

FortiClient & FortiClient EMS 7.4 New Features Guide 52

Fortinet Inc.
FortiClient EMS

Support for access key for Fortinet Security Fabric devices to

connect to FortiClient Cloud

FortiClient Cloud supports defining an access code to identify an instance. A Fabric device can establish connection to a
FortiClient Cloud instance by providing one of the following in the SNI:
l FortiCloud account ID. The connection succeeds if the FortiCloud account has only one FortiClient Cloud instance
and there is no organizational unit structure.
l FortiCloud account ID and FortiClient Cloud access key
This feature supports the following key types:
l EMS API access key. Only a primary account can create EMS API access keys. These keys do not expire.
l FortiGate access key. This feature requires FortiOS 7.4.4 or later.

To create an EMS API access key:

1. In FortiClient Cloud, go to Access Key > EMS API Access.

2. Click Create New Key.
3. In the Name field, enter a unique name, then click OK.
4. Once the key is created, copy it to a safe location, as it does not display again after you close the dialog. Click Close.

5. EMS API keys display in the EMS API Access table. Note that the key ID is not the same as the generated API key
that you copied in step 4. To view information about the keys, click How to Use this Key.

To create a FortiGate access key:

1. In FortiClient Cloud, go to Access Key > FortiGate Access Key.

5. The FortiGate keys display in the FortiGate Access Key table. Note that the key ID is not the same as the generated
API key that you copied in step 4. To view information about the keys, click How to Use this Key.

FortiClient & FortiClient EMS 7.4 New Features Guide 53

Fortinet Inc.
FortiClient EMS

6. On the FortiGate, configure the key on the EMS Fabric connector:

config endpoint-control fctems
edit 1
set status enable
set name "ems-cloud"
set fortinetone-cloud-authentication enable
set cloud-authentication-access-key "<FortiGate key>"
next
end

7. In EMS, authorize the FortiGate to complete the connection. Standalone FortiGates or separate virtual domains
from the same FortiGate can establish Fabric connection with FortiClient Cloud.

On-fabric detection based on destination address - 7.4.1

EMS adds on-fabric detection rules based on the following new detection types for destination addresses:
l DNS web request
l HTTP web request
l HTTPS web request
For more information about this feature, see On-fabric detection based on destination address.

Auto upgrade EMS to latest patch release - 7.4.1

Once a new EMS patch releases, EMS displays an upgrade prompt with the following options:
l Upgrade immediately
l Schedule the upgrade at a convenient time
For more information about this feature, see Auto upgrade EMS to latest patch release.

FortiClient hotfix deployment via EMS - 7.4.1

You can deploy FortiClient hotfix installers from EMS. A hotfix contains a subset of the FortiClient binaries to address a
specific issue and reduces the risk of unintended side effects. Creating a hotfix installer follows the same EMS process
as creating any other installer.

FortiClient & FortiClient EMS 7.4 New Features Guide 54

Fortinet Inc.
FortiClient EMS

Prior to this implementation, EMS was restricted to deploying only major and minor FortiClient versions, such as 7.4.0
and 7.4.1. With this enhancement, if a bug is identified in any version, Fortinet can promptly address it by deploying a
hotfix, rather than waiting for the release of the next major or minor builds.

To create a hotfix installer:

1. In EMS, go to Deployment & Installers > FortiClient Installer.

2. Click Add.
3. From the Release dropdown list, select the desired FortiClient version.
4. From the Patch release dropdown list, select the desired patch version.
5. If a hotfix is available for the selected patch, the Hotfix dropdown list appears. In the following example, there are
two hotfixes available for the selected version, 7.4.1.

6. If desired, enable Auto update to the. When you select any of the following options, the installer automatically
updates. For example, consider that you create the installer with Latest Patch only selected. When a new patch,
7.4.2, becomes available, EMS automatically updates the installer to install 7.4.2. If the installer is configured in a
deployment configuration, the configuration is updated with the new installer, and if the configuration is enabled,
EMS automatically deploys the updated installer. The following options are available:
l Latest Patch only

l Latest Hotfix only

l Latest Patch and Hotfix

Select Latest Hotfix only or Latest Patch and Hotfix.

Hotfixes are specific to particular versions. You can only deploy a hotfix to an endpoint if it has the base FortiClient
already installed. For example, you can only deploy or install hotfix 1715:5372 on an endpoint where FortiClient
7.4.1 build 1715 is installed. If an installer with Latest Patch and Hotfix selected is deployed to an endpoint with
FortiClient 7.4.0 installed and the latest hotfix available is 1715:5372, the deployment first installs FortiClient 7.4.1
build 1715 on the endpoint, the installs the hotfix.
7. Continue configuring the installer as desired. After creation, you can view the installer in Deployment & Installers >

FortiClient & FortiClient EMS 7.4 New Features Guide 55

Fortinet Inc.
FortiClient EMS

FortiClient Installer. Click Hotfix-Details to see the details of the bug or issue that this hotfix addresses.

To manually download and install a hotfix on an endpoint:

1. In EMS, go to Deployment & Installers > FortiClient Installer.

2. Click Download Link.

3. Provide the link to end users.

4. On the endpoint, go to the link.
5. The page includes the base installer and hotfix folder. If the endpoint already has the desired FortiClient version
installed, download just the hotfix installer, hotfix.exe.
6. Install the hotfix by doing one of the following:
l (Recommended) Use the command line to install the hotfix. In Command Prompt, run hotfix.exe -h to

view available parameters. Installing the hotfix using the command line is recommended so that you can use
these parameters. For example, you may run hotfix.exe --test to verify that the installed FortiClient
version is compatible with the hotfix. Run hotfix.exe to install FortiClient.

l Double-click hotfix.exe.

FortiClient & FortiClient EMS 7.4 New Features Guide 56

Fortinet Inc.
FortiClient EMS

To uninstall a hotfix, you can run hotfix.exe -u in Command Prompt. This command only uninstalls the hotfix and
does not affect the FortiClient installation.

Deploy the FortiClient EMS server as a virtual machine image - 7.4.1

The FortiClient EMS server can now be easily deployed as a Virtual Machine (VM) image like many other Fortinet
products. In this release, we support the VMware ESXi and KVM hypervisors and provide VMs for both x86_64 and ARM
architectures.

To deploy FortiClient EMS on ESXi:

1. Click Create/Register VM.

2. Select Deploy a virtual machine from an OVF or OVA file.

3. Click Next.
4. Enter the VM name and upload the OVA file.

FortiClient & FortiClient EMS 7.4 New Features Guide 57

Fortinet Inc.
FortiClient EMS

5. Click Next.
6. Configure the virtual machine.
7. Click Finish.
8. Review the configuration and start the VM. When the VM boot is complete, the OS log on page is displayed.

9. Log in to the virtual machine.

The default credentials are:

l Username: ems

l Password: ems

10. Change the default password when prompted.

11. Access the FortiClient EMS GUI by the VM IP/FQDN address.

FortiClient & FortiClient EMS 7.4 New Features Guide 58

Fortinet Inc.
FortiClient EMS

To deploy FortiClient EMS on KVM:

1. Set up QEMU/KVM on a Linux host.

2. Copy the forticlientems_vm qcow2 image under /var/lib/libvirt/images/.
3. Run the following command to initialize the virtual machine with the FortiClient EMS image:
sudo virt-install --name EMS_VM --memory 4096 --vcpus 2 --disk
path=/var/lib/libvirt/images/forticlientems_vm.7.4.1.1862.interim.qcow2,format=qcow2 --
import --os-variantgeneric --network bridge=virbr0 --graphics none

You can change the configuration in the command as needed.

4. Log in to the virtual machine.

The default credentials are:

l Username: ems

l Password: ems

FortiClient & FortiClient EMS 7.4 New Features Guide 59

Fortinet Inc.
FortiClient EMS

5. Access the FortiClient EMS GUI by the VM IP/FQDN address.

To install FortiClient EMS on ARM processor:

1. Download the ARM EMS installer from the support portal. The installer file name is in the form forticlientems_
7.4.1.1867.interim.arm64.bin.
2. Make the installer executable:
sudo chmod +x ./forticlientems_7.4.1.1867.interim.arm64.bin

3. Run the installer:

sudo ./forticlientems_7.4.1.1867.interim.arm64.bin

FortiClient GUI enhancement - 7.4.1

The FortiClient GUI has been enhanced to be more accessible to user:

l The color contrast of text and icons has been increased.
l The GUI can be zoomed to 200%.
l Support has been added for the NVDA screen reader.

FortiClient & FortiClient EMS 7.4 New Features Guide 60

Fortinet Inc.
FortiClient EMS

l Date and time format is displayed based on the region when FortiClient is switched to any of the supported
languages. For example, when the endpoint language is changed to a European language, such as French, the
date format will change to ISO-8601 standard yyyy-mm-dd.
l Navigation between controls can be performed using only the keyboard. This includes the avatar, Zero Trust
Telemetry, endpoint profiles, Notifications, Settings, and About tabs.

Keyboard navigation

Keyboard navigation controls include the following:

l After navigating to the desired tab, press the Tab key to focus on elements in the page. Continuously pressing Tab
will shift the focus to the next element.

The direction that you traverse through the elements can be reversed by pressing Shift
+ Tab.

l When you have identified the element you would like to interact with, press Enter to click or open the element.
l Click the space bar to select or deselect a check box.
l Use the left, right, up, and down arrows to select different radio buttons.
l Press Esc to escape from recent settings pages, such as a dialog, dropdown menu, and so on. Where pressing Tab
will move focus from the navigation menu to the setting page, pressing Esc can return focus to the navigation menu.
l Zoom in and out using Ctrl + I and Ctrl + O, respectively. Pressing Ctrl + R will reset the zoom.

When zoomed in, you can use the arrow keys to scroll vertically and horizontally.

l Press Alt + F, Alt + V, and Alt + H to open File, View, and Help, respectively.

Create connectors with OAuth 2.0 token-based authentication - 7.4.1

FortiClient EMS now supports a new type of connector that uses OAuth 2.0 token-based authentication. Previously, only
certificate-based authentication was supported. When the EMS administrator creates a connector, FortiClient EMS
generates a Client ID and Client Secret to be used by the product on the other side of the connector. You can integrate
with FortiADC, FortiAnalyzer, FortiEDR, FortiManager, FortiSIEM, FortiToken Cloud, or FortiWeb.

To create a connector with OAuth 2.0 token-based authentication:

1. Go to Fabric & Connectors > Fabric Devices.

FortiClient & FortiClient EMS 7.4 New Features Guide 61

Fortinet Inc.
FortiClient EMS

2. Click Add. The Add OAuth 2.0 Fabric Connector dialog is displayed.
3. Select the Connector Type.

4. Enter the Serial Number.

5. Enter the VDOM, if desired.

6. Click Next.
7. Select the Role. These roles define which API connectors are authorized to access it.

FortiClient & FortiClient EMS 7.4 New Features Guide 62

Fortinet Inc.
FortiClient EMS

8. Enter the Token Lifetime.

After the Token Lifetime is expired, the token is can no longer be authorized. The default
value is 3600 seconds and the minimum value is 60 seconds.

9. Enter the Alias, if desired.

10. Click Finish. The Client ID and Client Secret are generated.

11. Copy the Client ID and Client Secret.

12. Click Close. A confirmation dialog is displayed.

13. Click Yes.

The Client ID and Client Secret can be used by other Fortinet devices that support OAuth 2.0 Fabric connector
features to call FortiClient EMS APIs.

FortiClient & FortiClient EMS 7.4 New Features Guide 63

Fortinet Inc.
FortiClient EMS

Assign AD and local Windows server groups to roles - 7.4.1

Instead of assigning users individually to roles in FortiClient EMS, users can now assign AD and local Windows server
groups to roles, and anyone in those groups has the access that is allowed by the role.
Previously, users were limited to a single SAML SSO configuration for admin logins, with only the username assertion
attribute available. Additionally, admin roles could only be assigned to individual users. Now, with the introduction of the
new SAML SSO feature, multiple identity providers (IdPs) can be configured. This update includes the addition of Group
name assertion attributes, allowing admin roles to be assigned to groups as well.

To assign a group to a role:

1. Go to Administration > SAML SSO.

2. Click Add to create a new IdP:
a. In Assertion Attributes, define a Username and Group name.

b. In Access Control, click Add to assign the roles for the group members:
i. Create a member with the Super Administrator role and the highest Priority.
ii. Assign the access of other group members.

FortiClient & FortiClient EMS 7.4 New Features Guide 64

Fortinet Inc.
FortiClient EMS

In this example, the default Rule, which typically applies to everyone, is disabled.

iii. For each Rule that is not assigned to a Super Administrator role, click Advanced Settings:
i. Configure domain access. This enabled finer control over the specific authorization levels assigned to
administrators.

ii. Click Finish.

iv. Configure other settings as needed.
v. Click Save.
3. Access the FortiClient EMS login page.

FortiClient & FortiClient EMS 7.4 New Features Guide 65

Fortinet Inc.
FortiClient EMS

4. Click Sign in with SSO.

5. Enter the email and EMS site name credentials.

The email address domain should correspond to the domain specified in the SAML SSO
configuration page.

6. Click Sign in. You are redirected to the IdP page. Upon successful authentication by the IdP, access to FortiClient
EMS is granted based on the role previously defined.

FortiEndpoint (FortiClient integration of FortiEDR agent) - 7.4.1

A cloud-based software-as-a-service endpoint management service called FortiEndpoint is available. This is a Fortinet-
hosted EMS solution. FortiEndpoint provides the same features as FortiClient Cloud but with an additional FortiEndpoint
deployment feature.
See the FortiEndpoint Administration Guide for details.
When the FortiClient EMS and FortiEDR systems are integrated, the EMS Administrator can create a "unified installer"
that installs both the FortiClient and FortiEDR components on the endpoint. Because the FortiEDR installer is pre-
configured, the FortiClient installation experience is unchanged and no FortiEDR user prompts appear.

FortiClient & FortiClient EMS 7.4 New Features Guide 66

Fortinet Inc.
FortiClient EMS

Example 1

The following example demonstrates installing FortiClient integrated with the FortiEDR agent using the EMS-create
installer. FortiEDR has not been installed beforehand.

The following are required:

l FortiClient EMS requires a FortiEDR license to support the integration.

l FortiClient custom installers do not support this FortiEDR feature. Only the installer from
the FDS can be enabled with the FortiEDR feature.
l Configure the endpoint DNS to point to cloud ENS before installing FortiClient.

To install FortiClient integrated with the FortiEDR agent:

1. Go to Endpoint Profiles > System Settings.

2. In Endpoint Control, enable Enable Endpoint Detection & Response.
3. Go to Deployment & Installers > FortiClient Installer.
4. Click Add.
5. Configure the General settings:
a. Enter the Online Installer Name.
b. Select the Release and Patch version.
c. Deselect Hotfix.
d. Enter the Invitation.
e. Click Next.

6. Configure the Features:

a. Enable Endpoint Detection & Response.
b. Click Next.

FortiClient & FortiClient EMS 7.4 New Features Guide 67

Fortinet Inc.
FortiClient EMS

7. Configure the EDR Feature settings:

a. Select the EDR Engine Version.
b. Click Next.

8. Configure the Advanced features.

9. Click Finish. The FortiClient installer with the FortiEDR agent is displayed.
10. When the Status is Ready for deployment, click Generate Zip.

FortiClient & FortiClient EMS 7.4 New Features Guide 68

Fortinet Inc.
FortiClient EMS

11. Click Confirm.

12. Click Download Zip.

13. Copy the FortiClient installer .zip file to a clean Windows machine, then extract the file and start the installation
process using .exe file.
FortiClient and the FortiEDR agent will be installed simultaneously. The FortiTray notification message will be
displayed as EDR State: Running once the FortiClient is registered with EMS.

A new profile tab Detection and Response is added on the FortiClient console and shows the FortiEDR agent
status. FortiEDR Collector Service will be running along with the FortiClient.

FortiClient & FortiClient EMS 7.4 New Features Guide 69

Fortinet Inc.
FortiClient EMS

Example 2

The following example demonstrates how FortiClient integrated with the FortiEDR agent can detect and block malicious
applications.

To leverage FortiClient integrates with FortiEDR:

1. Enable the FortiEDR feature:

2. Go to Endpoint Profiles > System Settings.
3. In Endpoint Control, enable Enable Endpoint Detection & Response. When enabled, the Detection & Response tab
will be displayed on the FortiClient with the status EDR Enabled. When the EDR agent detects a malicious
application, it blocks the application and shows a Block Event FortiTray notification message.

The Activity Log count on the Detection & Response page will be updated.
4. In Detection & Response, click the Activity Log count or the settings icon. EDR-blocked events will be shown in the
Activity Log table.

FortiClient & FortiClient EMS 7.4 New Features Guide 70

Fortinet Inc.
FortiClient EMS

5. If available, click > on a detection event to see more details.

EDR detection event logs can be seen on the endpoint at

C:\ProgramData\FortiEDR\Logs\Collector in the BlockLog.bin file.
FortiClient can also send EDR event for FortiClient EMS. These events are displayed in
the EDR Events tab.

Support forensic analysis reports on macOS endpoints - 7.4.1

Like for Microsoft Windows, forensic analysis reports are now supported on macOS endpoints.

To implement forensic analysis reports on macOS endpoints:

1. Download the macOS FortiClient installer DMG filt and proceed with the installation process.
The forensics engine is installed as part of FortiClient. The forensic engine and fortifs daemon can be found in the
/Library/Application Support/Fortinet/FortiClient/bin/ folder.
The version of the forensic engine can be viewed in the FortiClient About page.
2. On the FortiClient EMS endpoint, go to the endpoint in Endpoints > All Endpoints.
3. Click Request Analysis.
4. The forensic request will be generated for the forensics team to review. The download link can be found in the
/Library/Application\ Support/Fortinet/FortiClient/Logs/FortiFS.log file after it is successfully uploaded.
5. Go to Endpoints > All Endpoints and select the endpoint.
6. Agent Status displays the current state of the forensics agent:

FortiClient & FortiClient EMS 7.4 New Features Guide 71

Fortinet Inc.
FortiClient EMS

Pending The request is sent to FortiClient for log collection.

Running The forensic engine is currently collecting the logs.

Collection Completed The forensic engine finished collecting the logs.

Upload Started The Fortifs daemon is uploading the logs to server.

Upload Completed The FortiClient Fortifs daemon finished uploading the logs.

Upload Failed The FortiClient Fortifs daemon failed to upload the logs.

Add support for ManageEngine MDM - 7.4.1

FortiClient EMS now supports an integration with ManageEngine Mobile Device Manager (MDM) Plus, to deploy ZTNA
certificates to iOS and Android devices.

Preparing for on-premise ManageEngine instances

FortiClient EMS must have an API key with the adequate privileges. If the privilege requirements are not met, the
integration test will fail with a detailed message indicating the missing privilege.

To retrieve the API key:

1. Log into the on-premise ManageEngine.

2. Select Admin.
3. Go to Integration > API Key Generation.
4. Click Generate key.
5. Select MDM Migration.
6. Click Generate Key.

To configure integration between on-premise ManageEngine and FortiClientEMS:

1. In FortiClient EMS, go to System Settings.

2. Select MDM Integration.
3. Click Enable MDM Integration.
4. Select ManageEngine MDM Plus from the Vendor dropdown list.
5. Set Deployment to On-Premise.
6. Enter the access information:
l URL: Enter the URL of your on-premise ManageEngine server.
l API key: Enter the API key you generated before.

Preparing for cloud ManageEngine instances

For cloud ManageEngine instances, FortiClient EMS must have a Zoho OAuth client ID and client secret.

FortiClient & FortiClient EMS 7.4 New Features Guide 72

Fortinet Inc.
FortiClient EMS

To retrieve the client ID and secret:

1. Log into the Zoho Developer's console at https://accounts.zoho.com/developerconsole.

2. In the Choose a Client Type page, select Self Client. A Client ID and Client Secret are provided.

To configure integration between cloud ManageEngine and FortiClientEMS:

1. In FortiClient EMS, go to System Settings.

2. Select MDM Integration.
3. Click Enable MDM Integration.
4. Select ManageEngine MDM Plus from the Vendor dropdown list.
5. Set Deployment to Cloud.
6. Enter the access information:
l Region: Enter the region of your cloud ManageEngine server.
l Client ID: Enter the client ID provided previously.
l Client Secret: Enter the client secret provided previously.

Enrolling the device and deploying FortiClient

To enroll the device to ManageEngine MDM and deploy FortiClient:

1. On the ManageEngine console page navigate to Mobile Device Mgmt.

2. Go to Enroll > Users.
3. Click Add Users.
4. Enter the details and enable Send an enrollment invite for the user to enroll the device.
5. Click Add user.

6. Click on the URL or scan the QR code sent in the invite code to download the profile
7. On iOS, install the MDM profile by navigating to Settings > General > VPN& Device Management.
8. Go to Management > Groups & Devices and create a new group.
9. Add the users created to the group.

FortiClient & FortiClient EMS 7.4 New Features Guide 73

Fortinet Inc.
FortiClient EMS

10. Click Create Group.

To configure integration between ManageEngine and FortiClient (iOS):

1. In ManageEngine Endpoint Central, go to Mobile Device Mgmt > Management > App Repository.
2. Under Apps, click Add App.
3. Select FortiClient (iOS).
4. Open a text editor and configure an XML file to upload to ManageEngine. The following provides an example that
only configures the manageengine_device_id key: manageengine_device_id %devicename%|%udid%
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>manageengine_device_id</key>
<string>%devicename%|%udid%</string>
</dict>
</plist>

5. Save the file as an XML file.

6. In ManageEngine, in the App Configurations field, upload the XML file.
7. Click Save.
8. Add the app to the group created previously.
9. When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending

FortiClient & FortiClient EMS 7.4 New Features Guide 74

Fortinet Inc.
FortiClient EMS

on the configuration.

To configure integration between ManageEngine and FortiClient (Android):

1. In ManageEngine Endpoint Central, go to Mobile Device Mgmt > Management > App Repository.
2. Under Apps, click Add App.
3. Select FortiClient (Android).
4. Configure the settings.

5. Click Save.
6. When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending
on the configuration.

FortiClient & FortiClient EMS 7.4 New Features Guide 75

Fortinet Inc.
FortiClient EMS

EMS VM image - 7.4.1

You can deploy EMS as a virtual machine (VM) image like many other Fortinet products. EMS supports the VMware
ESXi and KVM hypervisors and provides VMs for x86_64 and ARM architectures.
The VM image include some OS hardening modifications as follows:
l Unneeded users are removed:
l games

l man

l news

l uucp

l proxy

l backup

l list

l irc

l gnats

l uuidd

l mail

l lp

l nobody

l tss

l landscape

l fwupd-efresh

l usbmux

l lxd

l forticlientems user, which runs EMS processes, has no login.

l Only ems user has SSH access.
l Firewall is enabled and only the following ports are enabled by default:

Port Usage

22 SSH access to EMS VM or server

4001 Send zero trust network access certificates to mobile device management
endpoints

8013 Telemetry

8015 Send updates to FortiOS

8443 Provision profiles to Chromebooks

8871 Connection to remote Active Directory connector

l 80 EMS GUI and APIs
l 443
l 10443
l 9443

l On first login, EMS requires changing the password for the ems user.

FortiClient & FortiClient EMS 7.4 New Features Guide 76

Fortinet Inc.
FortiClient EMS

EMS VMs run in standalone mode.

To deploy EMS on VMware ESXi:

1. In VMware ESXi, click Create/Register VM.

2. Select Deploy a virtual machine from an OVF or OVA file.

3. Click Next.
4. Enter the VM name and upload the OVA file.

5. Click Next.
6. Configure the VM as desired.
7. Click Finish.
8. Review the configuration and start the VM. When the VM boot completes, the OS logon page displays.

FortiClient & FortiClient EMS 7.4 New Features Guide 77

Fortinet Inc.
FortiClient EMS

9. Log in to the VM.

The default credentials are:

l Username: ems

l Password: ems
You will be required to change these credentials upon first log in.

10. Change the default password when prompted.

11. Access the FortiClient & FortiClient EMS GUI by the VM IP/FQDN address.

To deploy FortiClient EMS on KVM:

1. Set up QEMU/KVM on a Linux host.

You can change the configuration in the command as needed.

FortiClient & FortiClient EMS 7.4 New Features Guide 78

Fortinet Inc.
FortiClient EMS

4. Log in to the virtual machine.

The default credentials are:

l Username: ems

l Password: ems

FortiClient & FortiClient EMS 7.4 New Features Guide 79

Fortinet Inc.
FortiClient EMS

5. Access the FortiClient & FortiClient EMS GUI by the VM IP/FQDN address.

To install FortiClient EMS on ARM processor:

3. Run the installer:

sudo ./forticlientems_7.4.1.1867.interim.arm64.bin

FortiClient & FortiClient EMS 7.4 New Features Guide 80

Fortinet Inc.
Index

The following index provides a list of all new features added to FortiClient and EMS 7.4. The index allows you to quickly
identify the version where the feature first became available in FortiClient and EMS.
Select a version number to navigate in the index to the new features available for that patch:
l 7.4.0 on page 81
l 7.4.1 on page 81

7.4.0

ZTNA

Endpoint: Fabric Agent l JWT support for ZTNA UID and tag sharing on page 6
l Transparent FortiClient upgrade on page 8

Other l Zero Trust tag renamed to security posture tag on page 10

FortiClient EMS

ZTNA l MDM integration support for EMS HA, FortiClient Cloud, and multitenancy on
page 41

Other l Removing support for legacy SKUs on page 46

l FortiClient (Linux) installer creation support on page 47
l Linux-based EMS model on page 52
l Support for access key for Fortinet Security Fabric devices to connect to
FortiClient Cloud on page 53

7.4.1

ZTNA

Endpoint: Fabric Agent l Support security posture rules based on CrowdStrike ZTA score 7.4.1 on
page 11
l FortiTray icons for On-Fabric and VPN connection status 7.4.1 on page 13
l Sending email events from the Microsoft Exchange server 7.4.1 on page 17
l Support ZTNA destinations over UDP 7.4.1 on page 17

FortiClient & FortiClient EMS 7.4 New Features Guide 81

Fortinet Inc.
Index

Endpoint: Remote Access l IPsec VPN over TCP 7.4.1 on page 19

l Configure IPsec IKEv2 on multiple protocols 7.4.1 on page 36
l IKEv2 session resumption 7.4.1 on page 38

FortiClient EMS

ZTNA l ZTNA application catalog 7.4.1 on page 42

l FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA
applications 7.4.1 on page 42

Other l On-fabric detection based on destination address 7.4.1 on page 54

l Auto upgrade EMS to latest patch release 7.4.1 on page 54
l FortiClient hotfix deployment via EMS 7.4.1 on page 54
l Deploy the FortiClient EMS server as a virtual machine image 7.4.1 on page
57
l FortiClient GUI enhancement 7.4.1 on page 60
l Create connectors with OAuth 2.0 token-based authentication 7.4.1 on page
61
l Assign AD and local Windows server groups to roles 7.4.1 on page 64
l FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 66
l Support forensic analysis reports on macOS endpoints 7.4.1 on page 71
l Add support for ManageEngine MDM 7.4.1 on page 72
l EMS VM image 7.4.1 on page 76

FortiClient & FortiClient EMS 7.4 New Features Guide 82

Fortinet Inc.
Change log

Date Change description

2024-06-03 Initial release.

2024-06-04 Updated Linux-based EMS model on page 52.

2024-06-17 Updated:
l FortiClient EMS on page 41

l FortiClient EMS on page 81

2024-07-09 Updated Linux-based EMS model on page 52.

2024-07-12 Added Support for access key for Fortinet Security Fabric devices to connect to FortiClient
Cloud on page 53.

2024-11-01 Added for 7.4.1 release:

l Support security posture rules based on CrowdStrike ZTA score 7.4.1 on page 11

l IPsec VPN over TCP 7.4.1 on page 19

l ZTNA application catalog 7.4.1 on page 42

l On-fabric detection based on destination address 7.4.1 on page 54

l Auto upgrade EMS to latest patch release 7.4.1 on page 54

l FortiClient hotfix deployment via EMS 7.4.1 on page 54

l FortiTray icons for On-Fabric and VPN connection status 7.4.1 on page 13

l Sending email events from the Microsoft Exchange server 7.4.1 on page 17

l FortiClient EMS auto-detects FortiGate configuration of non-web ZTNA applications 7.4.1

on page 42
l Deploy the FortiClient EMS server as a virtual machine image 7.4.1 on page 57

l FortiClient GUI enhancement 7.4.1 on page 60

l Create connectors with OAuth 2.0 token-based authentication 7.4.1 on page 61

l Assign AD and local Windows server groups to roles 7.4.1 on page 64

l Support ZTNA destinations over UDP 7.4.1 on page 17

l Configure IPsec IKEv2 on multiple protocols 7.4.1 on page 36

l FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 66

l Support forensic analysis reports on macOS endpoints 7.4.1 on page 71

2024-11-04 Added:
l Add support for ManageEngine MDM 7.4.1 on page 72

l IKEv2 session resumption 7.4.1 on page 38

2024-11-06 Updated Deploy the FortiClient EMS server as a virtual machine image 7.4.1 on page 57.

2024-11-20 Updated FortiEndpoint (FortiClient integration of FortiEDR agent) 7.4.1 on page 66.

2024-12-31 Updated Deploy the FortiClient EMS server as a virtual machine image 7.4.1 on page 57.

2025-01-06 Updated Support ZTNA destinations over UDP 7.4.1 on page 17.

2025-01-08 Updated IKEv2 session resumption 7.4.1 on page 38.

FortiClient & FortiClient EMS 7.4 New Features Guide 83

Fortinet Inc.
www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FCP - FCT - AD-7.2 Questions
No ratings yet
FCP - FCT - AD-7.2 Questions
7 pages
09 - Good Girls Go To Heaven (Bad Girls Go Everywhere)
0% (1)
09 - Good Girls Go To Heaven (Bad Girls Go Everywhere)
2 pages
Zero Trust Network Access: Hands On Lab
No ratings yet
Zero Trust Network Access: Hands On Lab
63 pages
03 - Rock and Roll Dreams Come Through
No ratings yet
03 - Rock and Roll Dreams Come Through
2 pages
FortiOS 7.0.0 New - Features - Guide 360 499
No ratings yet
FortiOS 7.0.0 New - Features - Guide 360 499
140 pages
7.0 Ztna
No ratings yet
7.0 Ztna
16 pages
FCP FCT AD-7.2-Demo
No ratings yet
FCP FCT AD-7.2-Demo
7 pages
FortiOS 7.0.0 New Features Guide
No ratings yet
FortiOS 7.0.0 New Features Guide
836 pages
FortiClient EMS 7.4.0 Administration Guide
No ratings yet
FortiClient EMS 7.4.0 Administration Guide
519 pages
FortiClient EMS 7.4.1 Administration Guide
No ratings yet
FortiClient EMS 7.4.1 Administration Guide
578 pages
ZTNA For Web Applications-7.2.5-Deployment Guide
No ratings yet
ZTNA For Web Applications-7.2.5-Deployment Guide
36 pages
FortiOS 7.4.0 New - Features - Guide401 450
No ratings yet
FortiOS 7.4.0 New - Features - Guide401 450
50 pages
FortiClient EMS Course Notes
No ratings yet
FortiClient EMS Course Notes
174 pages
Forticlient Ems 7.2.0 Release Notes
No ratings yet
Forticlient Ems 7.2.0 Release Notes
25 pages
Forticlient Ems 7.2.0 Release Notes
No ratings yet
Forticlient Ems 7.2.0 Release Notes
25 pages
FortiOS-7.2-ZTNA Reference Guide
No ratings yet
FortiOS-7.2-ZTNA Reference Guide
12 pages
Forticlient Ems 7.2.0 Release Notes
No ratings yet
Forticlient Ems 7.2.0 Release Notes
25 pages
ZTNA
No ratings yet
ZTNA
3 pages
FortiClient EMS 7.0 Course Description 2
No ratings yet
FortiClient EMS 7.0 Course Description 2
2 pages
Forticlient 7.2.0 Windows Release Notes
No ratings yet
Forticlient 7.2.0 Windows Release Notes
27 pages
FortiOS 7.4 ZTNA Reference Guide
No ratings yet
FortiOS 7.4 ZTNA Reference Guide
15 pages
FortiClient & FortiClient EMS 6.4 New Features Guide
No ratings yet
FortiClient & FortiClient EMS 6.4 New Features Guide
57 pages
Renforcer La Posture ZTNA Dec 2023
No ratings yet
Renforcer La Posture ZTNA Dec 2023
30 pages
FortiClient EMS 7.0.0 Administration Guide
No ratings yet
FortiClient EMS 7.0.0 Administration Guide
260 pages
FCP FCT Ad-7.2
No ratings yet
FCP FCT Ad-7.2
42 pages
Ztna Ordering Guide
No ratings yet
Ztna Ordering Guide
3 pages
FortiClient EMS 7.0.0 Administration Guide
No ratings yet
FortiClient EMS 7.0.0 Administration Guide
261 pages
FortiOS 7.0.0 New Features Guide
No ratings yet
FortiOS 7.0.0 New Features Guide
694 pages
Zero Trust Network Access-7.0-Deployment Guide
No ratings yet
Zero Trust Network Access-7.0-Deployment Guide
38 pages
Ztna Guide
No ratings yet
Ztna Guide
38 pages
Forticlient Ems 7.0.9 Release Notes
No ratings yet
Forticlient Ems 7.0.9 Release Notes
22 pages
Forticlient Ems 7.2.4 Release Notes
100% (1)
Forticlient Ems 7.2.4 Release Notes
22 pages
Forticlient Ems 7.4.3 Release Notes
No ratings yet
Forticlient Ems 7.4.3 Release Notes
19 pages
Fortinet FortiClient EMS Lab Guide For FortiClient EMS 7.0
No ratings yet
Fortinet FortiClient EMS Lab Guide For FortiClient EMS 7.0
110 pages
Forticlient
No ratings yet
Forticlient
11 pages
Forticlient
No ratings yet
Forticlient
11 pages
Forticlient
No ratings yet
Forticlient
11 pages
FortiOS 7.6.0 New Features Guide
No ratings yet
FortiOS 7.6.0 New Features Guide
671 pages
FortiOS-7.2.0-New Features Guide PDF
No ratings yet
FortiOS-7.2.0-New Features Guide PDF
523 pages
Lab Guide - FortiClientEMS+FortiEDR
No ratings yet
Lab Guide - FortiClientEMS+FortiEDR
101 pages
Forticlient Ems 7.2.2 Release Notes
No ratings yet
Forticlient Ems 7.2.2 Release Notes
26 pages
FortiClient EMS 7.0.7 Administration Guide
No ratings yet
FortiClient EMS 7.0.7 Administration Guide
316 pages
2021-Fortinet-ZTNA-Securely Deliver Your Cloud Applications To The New Hybrid Workforce
No ratings yet
2021-Fortinet-ZTNA-Securely Deliver Your Cloud Applications To The New Hybrid Workforce
21 pages
FortiClient EMS 7.2 Administrator Course Description
No ratings yet
FortiClient EMS 7.2 Administrator Course Description
2 pages
NSE Insider - ZTNA Webinar & Demo, August 19, 2021
No ratings yet
NSE Insider - ZTNA Webinar & Demo, August 19, 2021
28 pages
FortiOS 7.0.0 New Features Guide
No ratings yet
FortiOS 7.0.0 New Features Guide
355 pages
Forticlient Ems 7.0.7 Release Notes
No ratings yet
Forticlient Ems 7.0.7 Release Notes
24 pages
Fortinet ZTNA
No ratings yet
Fortinet ZTNA
29 pages
Forticlient Ems 7.4.1 Release Notes
No ratings yet
Forticlient Ems 7.4.1 Release Notes
19 pages
Fortinet ZTNA
No ratings yet
Fortinet ZTNA
3 pages
FortiSASE-24.1-SPA Using ZTNA Deployment Guide
No ratings yet
FortiSASE-24.1-SPA Using ZTNA Deployment Guide
30 pages
FortiClient 7.0.0 Administration Guide
No ratings yet
FortiClient 7.0.0 Administration Guide
104 pages
FortiOS 7.4.0 New - Features - Guide1 50
No ratings yet
FortiOS 7.4.0 New - Features - Guide1 50
50 pages
FortiOS 7.4.0 New Features Guide
No ratings yet
FortiOS 7.4.0 New Features Guide
936 pages
FortiClient EMS 6.4.8 Administration Guide
No ratings yet
FortiClient EMS 6.4.8 Administration Guide
258 pages
Networkinterface
No ratings yet
Networkinterface
2 pages
Fortinet FortiClient EMS Study Guide
No ratings yet
Fortinet FortiClient EMS Study Guide
348 pages
Fortinet EMEA Channel 40mins Webinar FortiSASE Q42022
No ratings yet
Fortinet EMEA Channel 40mins Webinar FortiSASE Q42022
27 pages
FortiOS-7.2.0-New Features Guide
No ratings yet
FortiOS-7.2.0-New Features Guide
650 pages
FortiClient 7.4.0 Administration Guide
No ratings yet
FortiClient 7.4.0 Administration Guide
168 pages
08 - Everything Louder Than Everything Else
No ratings yet
08 - Everything Louder Than Everything Else
3 pages
11 - Lost Boys and Golden Girls
No ratings yet
11 - Lost Boys and Golden Girls
1 page
Veeam Certified Engineer V12 Exam Guide
No ratings yet
Veeam Certified Engineer V12 Exam Guide
8 pages
WP - Logistics - 99 US 27 1
No ratings yet
WP - Logistics - 99 US 27 1
6 pages
Downloadeddrv
No ratings yet
Downloadeddrv
3 pages
Noaa 20729 DS1
No ratings yet
Noaa 20729 DS1
70 pages
Coprinus Comatus (Higher Basidiomycetes) Extract
No ratings yet
Coprinus Comatus (Higher Basidiomycetes) Extract
10 pages
Balaskó Attila - Angoltanár, Nyelvész, Fordító, Matematika-És Fizikatanár
No ratings yet
Balaskó Attila - Angoltanár, Nyelvész, Fordító, Matematika-És Fizikatanár
1 page
Read The First Chapter of The Story, Then Do The Exercises
No ratings yet
Read The First Chapter of The Story, Then Do The Exercises
3 pages
Frequently Asked Questions: What Types of Companies Are On The "Don't Test" List?
No ratings yet
Frequently Asked Questions: What Types of Companies Are On The "Don't Test" List?
79 pages
En Online - Resource
No ratings yet
En Online - Resource
13 pages
Read The Following Text About George Clooney and Do The Exercises
No ratings yet
Read The Following Text About George Clooney and Do The Exercises
2 pages
A1 Voc5rout
No ratings yet
A1 Voc5rout
2 pages
A1 Com5jobs
No ratings yet
A1 Com5jobs
3 pages
Read The Following Dialogues and Do The Exercises.: Post Office Straight Turn Left Right
No ratings yet
Read The Following Dialogues and Do The Exercises.: Post Office Straight Turn Left Right
3 pages
En Online - MEGOLDÁSOK
No ratings yet
En Online - MEGOLDÁSOK
3 pages
User Manual: HR2621, HR2650 HR2651, HR2652 HR2653, HR2655 HR2656, HR2657
No ratings yet
User Manual: HR2621, HR2650 HR2651, HR2652 HR2653, HR2655 HR2656, HR2657
34 pages
hr2657 Szerkesztett 1
No ratings yet
hr2657 Szerkesztett 1
23 pages
Time Server Correction Parameters
No ratings yet
Time Server Correction Parameters
11 pages
Microsoft Easy Fix Solutions Are No Longer Supported: Windows 10
No ratings yet
Microsoft Easy Fix Solutions Are No Longer Supported: Windows 10
2 pages
How Do I Force Windows To Remove and Re-Detect A USB Device?
No ratings yet
How Do I Force Windows To Remove and Re-Detect A USB Device?
2 pages
How To Add or Remove Wireless Network From Allowed or Blocked Filter List in Windows 10
No ratings yet
How To Add or Remove Wireless Network From Allowed or Blocked Filter List in Windows 10
19 pages
Dell Poweredge RAID Controller H730
No ratings yet
Dell Poweredge RAID Controller H730
2 pages
Dell Docks Compare: Shop Support Community My Account
No ratings yet
Dell Docks Compare: Shop Support Community My Account
5 pages
Speech Recognition
0% (1)
Speech Recognition
27 pages
Lecture 4 Software Engineering - DR Mohammed Kamal 2024
No ratings yet
Lecture 4 Software Engineering - DR Mohammed Kamal 2024
32 pages
Django Setup
No ratings yet
Django Setup
11 pages
ACOS 4.1.4 Web Application Firewall Guide: For A10 Thunder™ Series and AX™ Series 21 February 2018
No ratings yet
ACOS 4.1.4 Web Application Firewall Guide: For A10 Thunder™ Series and AX™ Series 21 February 2018
182 pages
DevOps Lab Manual
No ratings yet
DevOps Lab Manual
35 pages
DWDM Complete Record 2
No ratings yet
DWDM Complete Record 2
58 pages
Day 1 - Introduction To MySQL
No ratings yet
Day 1 - Introduction To MySQL
11 pages
CH 07 Lab-Answers
No ratings yet
CH 07 Lab-Answers
5 pages
PHD Thesis On Cloud Computing Security PDF
100% (1)
PHD Thesis On Cloud Computing Security PDF
8 pages
Coa Lecture Unit 3 Pipelining
No ratings yet
Coa Lecture Unit 3 Pipelining
95 pages
English Assignment
100% (1)
English Assignment
2 pages
K Nearest Neighbors MLExpert
No ratings yet
K Nearest Neighbors MLExpert
3 pages
Virtual Instrumentation and Traditional Instruments
0% (1)
Virtual Instrumentation and Traditional Instruments
5 pages
Mission Planner Overview
No ratings yet
Mission Planner Overview
116 pages
Core System
No ratings yet
Core System
2 pages
1 - Introduction To Computational Biology
No ratings yet
1 - Introduction To Computational Biology
22 pages
100 - Companies Hiring in Delhi-NCR
No ratings yet
100 - Companies Hiring in Delhi-NCR
2 pages
Process To Export Test Plans From Excel Into Quality Center: 1. Install and Configure The Microsoft Excel Add-In
No ratings yet
Process To Export Test Plans From Excel Into Quality Center: 1. Install and Configure The Microsoft Excel Add-In
15 pages
Week 1 Assignment Solution
100% (1)
Week 1 Assignment Solution
7 pages
Data Comm CT Sol
No ratings yet
Data Comm CT Sol
3 pages
Enensys Asiipguard Datasheet A
No ratings yet
Enensys Asiipguard Datasheet A
4 pages
DB Lab3
No ratings yet
DB Lab3
5 pages
NIELIT-Networking Cerificate Course
No ratings yet
NIELIT-Networking Cerificate Course
4 pages
IT Roll Out (Project Panchdeep) in Esic
No ratings yet
IT Roll Out (Project Panchdeep) in Esic
32 pages
Parking Management Solution Case Study
No ratings yet
Parking Management Solution Case Study
3 pages
Second Sessional Exam Schedule.
No ratings yet
Second Sessional Exam Schedule.
14 pages
Parámetros Adaptador Dual Port
No ratings yet
Parámetros Adaptador Dual Port
4 pages
Bhai Thamen JD - Flutter Developer PDF
No ratings yet
Bhai Thamen JD - Flutter Developer PDF
1 page
DVD 4682
No ratings yet
DVD 4682
6 pages
Social Media by Hanan
No ratings yet
Social Media by Hanan
7 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.