FortiClient
chkvpatel_FTNT
Article Id 195047
Description
FortiClient 5.0 clients do not support the protocol extension that conveys the FortiGate's on-net/off-net calculation.

Even though the FortiGate tells the 5.0 client that it is off-net, the client does not recognize the message, so it continues to show "on-net".

In FortiClient v5.2 it is possible to be "online and offnet", or "online and onnet", or "offline".
  • online means the FortiClient can reach the FortiGate (It can 'ping' it).
  • offline means the FortiClient cannot reach the FortiGate (It cannot 'ping' it).
In FortiClient v5.0:
  • onnet means the FortiClient can reach the FortiGate (It can 'ping' it).
  • offnet means the FortiClient cannot reach the FortiGate (It cannot 'ping' it).
In v5.2, where both FortiOS and FortiClient must be at least v5.2:
  • onnet means the FortiOS has told the FortiClient it is onnet.
  • offnet means the FortiOS has told the FortiClient it is offnet.
The XML format sent from the FortiGate is as follows:
<endpoint_control>
        <onnet_addresses>
            <address>x.x.x.x-y.y.y.y</address>
            <address>x.x.x.x/y.y.y.y</address>
        </onnet_addresses>
</endpoint_control>
As long as the FortiClient is in "online" status (keepalives are being exchanged between the FortiGate and the FortiClient), it trusts the "on-net" status sent from the FortiGate; this status is a combination of dhcp-on-net and ip-on-net.

When the FortiClient is in offline status, it performs its own calculation of ip-on-net.
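The sketch below is an added example, not Fortinet code, that parses the onnet_addresses XML shown above and evaluates ip-on-net for a local address, which helps when checking why an endpoint reports on-net or off-net. It assumes that "x.x.x.x-y.y.y.y" is an inclusive range, that "x.x.x.x/y.y.y.y" is address/netmask, and that an offline client evaluates its own IP against the last list it received; the function names and sample addresses are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the format shown above; the addresses are made up.
SAMPLE_XML = """
<endpoint_control>
    <onnet_addresses>
        <address>10.1.0.10-10.1.0.50</address>
        <address>192.168.20.0/255.255.255.0</address>
    </onnet_addresses>
</endpoint_control>
"""

def parse_onnet_addresses(xml_text):
    """Return one (first, last) IPv4Address pair per <address> entry."""
    spans = []
    for node in ET.fromstring(xml_text).iter("address"):
        text = (node.text or "").strip()
        if "-" in text:    # range form x.x.x.x-y.y.y.y (assumed inclusive)
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range: {text}")
        elif "/" in text:  # subnet form x.x.x.x/y.y.y.y (address/netmask)
            net = ipaddress.IPv4Network(text, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        else:
            raise ValueError(f"unrecognised address entry: {text!r}")
        spans.append((lo, hi))
    return spans

def ip_on_net(local_ip, spans):
    # True when the local address falls inside any advertised span.
    ip = ipaddress.IPv4Address(local_ip)
    return any(lo <= ip <= hi for lo, hi in spans)

def displayed_status(online, fortigate_says_onnet, local_ip, spans):
    # v5.2 behaviour as described above: while keepalives succeed the
    # FortiGate's verdict is trusted as-is; when offline, the client
    # falls back to its own ip-on-net calculation.
    if not online:
        return "offline", ip_on_net(local_ip, spans)
    return "online", fortigate_says_onnet
```
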
