Fortinet Community

chkvpatel_FTNT · ‎09-22-2015

Description

FortiClient 5.0 clients do not support the protocol extension that conveys FortiGates calculation.

Even though the FortiGate tells the 5.0 client that it is off-net, the client does not recognize the message, so continues to show "on-net".

In FortiClient v5.2 it is possible to be "online and offnet", or "online and onnet", or "offline".

online means the FortiClient can reach the FortiGate (It can 'ping' it).
offline means the FortiClient cannot reach the FortiGate (It cannot 'ping' it).

In FortiClient v5.0

onnet means the FortiClient can reach the FortiGate (It can 'ping' it).
offnet means the FortiClient cannot reach the FortiGate (It cannot 'ping' it).

In v5.2, where both FortiOS and FortiClient must be at least v5.2

onnet means the FortiOS has told the FortiClient it is onnet.
offnet means the FortiOS has told the FortiClient it is offnet.

The XML format sent from the FortiGate is as follows:

<endpoint_control>
        <onnet_addresses>
            <address>x.x.x.x-y.y.y.y
            <address>x.x.x.x/y.y.y.y
        </onnet_addresses>
</endpoint_control>

As long as it is "online" status (keepalive is being exchanged between FortiGate and FortiClient), the FortiClient trusts the "on-net" status sent from the FortiGate, and this status is a combination of dhcp-on-net and ip-on-net.

When the FortiClient is in offline status, it performs its own calculation of ip-on-net.

Fortinet Community

Technical Note: Explanation of FortiClient online/offline, onnet/offnet