Skip to main content
Cythraul
Cythraul
New Member
March 25, 2015
Solved

FortiClient version management/control?

  • March 25, 2015
  • 7 replies
  • 16227 views

Hi, folks,

 

Is there a built-in way of monitoring which version of FortiClient my users are running?

 

We had an issue the other week that was limited to users who were on old versions of FortiClient (5.0.x, vs. 5.3.x).  I'm wondering if there's a systematic way to watch for users lagging behind before they become an issue.

 

(I know there are third-party solutions for monitoring software versions in general, but I'm wondering if there's something specific to Fortinet for FortiClient.)

 

Thanks.

    Best answer by Chris_Lin_FTNT

    If your FortiClient is registered to FortiGate, FortiGate GUI will show a table which include FortiClient version.

     

    In 5.2.3 FortiOS, it's in User & Device -> Monitor -> FortiClient .

    7 replies

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNTAnswer
    Staff
    March 25, 2015

    If your FortiClient is registered to FortiGate, FortiGate GUI will show a table which include FortiClient version.

     

    In 5.2.3 FortiOS, it's in User & Device -> Monitor -> FortiClient .

    Cythraul
    CythraulAuthor
    New Member
    March 26, 2015

    Chris.Lin wrote:

    If your FortiClient is registered to FortiGate, FortiGate GUI will show a table which include FortiClient version.

     

    In 5.2.3 FortiOS, it's in User & Device -> Monitor -> FortiClient .

    Thanks!

     

    Hmm.  I appear to be running firmware 5.0.

     

    The menu path you list is there, but I get "No matching entries found".

     

    When this feature works, does it show me versions for all of my clients, or just the ones that are currently signed in?

    storaid
    storaid
    New Member
    March 26, 2015

    hello, fortinet guys...

    how can I control client's forticlient version for FOS v5.x/5.2.x????...

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNT
    Staff
    March 26, 2015

    That table only lists the registered FortiClient.

     

    You can imagine... FortiClient has to tell about itself to FortiGate, and the only way is to register. Otherwise if FortiClient just broadcasting information, it sounds like a vulnerability :)

    Cythraul
    CythraulAuthor
    New Member
    March 26, 2015

    What do you mean by "register", though?  Do you mean "be presently signed in", or just "have a connection configured" or "have connected at some point"?

     

    I mean, here's what I've got.  I've got hundreds of users, a significant subset of whom make regular use of FortiClient to make VPN connections to my firewall.  And yet.

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNT
    Staff
    March 26, 2015

    I mean the endpoint control function between FortiClient and FortiGate.

     

    Your picture seems to indicate that the endpoint control function is not used at all.

     

    http://video.fortinet.com...on-to-endpoint-control

    Cythraul
    CythraulAuthor
    New Member
    March 26, 2015

    So as it turns out, I haven't been registering my clients.  First mistake.

     

    Now, as I experiment with registering, I'm noticing that clients only show up if they're both (1) registered and (2) currently connected.

     

    Which doesn't seem to be the case in your screenshot.  Please correct me if I'm wrong, but your screenshot seems to show unregistered-but-connected users, and a registered-but-offline user.

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNT
    Staff
    March 26, 2015

    Those 3 "unregistered" devices used to be registered. If you click the "Unregister" button on FortiClient GUI, they will become unregistered on FortiGate.

     

    After unregister, FortiClient and FortiGate are not "connected" in the sense that they are not communicating any more. It's just a record showing in the database.

    Cythraul
    CythraulAuthor
    New Member
    March 27, 2015

    I'm wondering why mine doesn't show records like that.

     

    When a registered client signs in to VPN, it shows there.  As soon as it disconnects, it vanishes, leaving no trace of any kind behind.

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNT
    Staff
    March 27, 2015

    You mentioned VPN... So how does your FortiClient reach endpoint FortiGate? By connecting VPN? And what's your FortiOS version?

    Cythraul
    CythraulAuthor
    New Member
    March 27, 2015

    Exactly; FortiClient reaches the FortiGate by VPN.  I'm able to register clients from there, and they seem to stay registered as far as the client is concerned, but the FortiGate seems to forget they ever existed once they end their VPN session.

     

    My FortiOS appears to be 5.0.  That's what's given as the firmware version.

    Chris_Lin_FTNT
    Staff
    Chris_Lin_FTNT
    Staff
    March 27, 2015

    Is your VPN server FortiGate also the endpoint FortiGate? If that's the case, on which interface do you enable endpoint registration?

    Cythraul
    CythraulAuthor
    New Member
    March 27, 2015

    Yup, they're both the same box.

     

    I'm registering against the outside interface (the same one the client itself connects to).

    Terms & ConditionsAccessibility statement