FortiClient
Sgagan
Staff
Article Id 248361
Description

This article provides the current state of support for FortiClient on ARM-based devices (as opposed to devices with x86-64-based processors from AMD/Intel). For Windows users in particular, an additional workaround option is also discussed.

Scope

FortiClient, Windows, macOS, Linux.

Solution
  • At the time of this writing (mid-August 2024), Windows FortiClient does not have a native binary available for ARM64-based processors (only x86-64 is supported).
    • There is ongoing work to produce an ARM-native version of Windows FortiClient soon (possibly in a later revision of FortiClient 7.4), but it is currently not available.
    • However, there IS an SSL VPN-only workaround option available via the Microsoft Store version of FortiClient (see further below for details).

  • macOS FortiClient currently supports Intel-based x86-64 processors, and it also supports Apple's ARM-based processors (for example the Apple Silicon M1 and M2) as of FortiClient 6.4.4, 7.0.0, and all later versions.

  • Linux FortiClient currently supports x86-64. There is currently no support for ARM-based Linux FortiClient, though there are plans to produce an ARM-native version in the future.

For the latest information on supported CPU architectures for FortiClient, check the release notes for the specific operating system. Each document provides detailed information for the latest FortiClient version.

 

Windows FortiClient workaround (Microsoft Store).

On the Microsoft Store, there is a version of FortiClient available that adds Fortinet SSL VPN support to Windows' native VPN client (for example Settings -> Network & Internet -> VPN). Notably, this Microsoft Store version does support ARM-based Windows in addition to x86-64, though it has a reduced feature set compared to the full version of FortiClient: it only allows SSL VPN connections, and FortiToken 2FA is supported but SAML is not.

Note:

There is no technical support offered for this application, nor does it integrate with FortiClient EMS.

 

To install and configure the Microsoft Store version of FortiClient:

  1. Open the Microsoft Store, then search for 'FortiClient'. Select the Get button to install the application.

  2. Open the Windows Settings application, then go to Network & Internet -> VPN. Select 'Add a VPN connection'.

  3. Select FortiClient instead of Windows (built-in) as the VPN provider, then assign a Connection name.

  4. Provide a Server name or address (this being the IP address or FQDN that will be used to connect to the FortiGate SSL VPN) and select the Save button.

Note:

If the downloaded FortiClient application is opened directly, it will ask the user to go to the Windows Settings instead. However, it does have some modifiers for the Server name or address field that are useful (see further below).

  5. Once the VPN is configured, select the Connect button to start the connection. Windows should prompt for username/password credentials, and with the correct credentials, the VPN should connect successfully.

Regarding Server name or address:

  • The URL used for the Server name or address should follow the typical URL format (https://<domainname>.<tld>:<port number if not 443>).
  • There are some additional options for the URL that are available:
    • https://vpn.domain.com:10443?ice=1 (using ice=1 tells Windows to ignore server certificate errors).
    • https://vpn.domain.com:10443?ice=1&cert= (using cert= enables the client to select and provide a local certificate to the FortiGate for authentication).
    • https://vpn.domain.com:10443?cert=&nup=1 (nup=1 disables username/password support. Useful for PKI/certificate-only authentication).
    • https://vpn.domain.com:10443/<name of realm>?ice=1 (adds support for SSL-VPN realms. Replace <name of realm> with the name of the SSL VPN realm).
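
The modifiers above change how the connection authenticates, and ice=1 in particular turns off the certificate check that lets the client confirm it is talking to the real FortiGate. The following is an added example, not Fortinet code: a small Python check that parses Server name or address values and reports which modifiers each one sets. The function name, the sample values (including the realm "staff") and the nup=1-without-cert= finding are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

KNOWN_MODIFIERS = {"ice", "cert", "nup"}  # the modifiers this article lists


def audit_server_address(addr):
    """Return (settings, findings) for one 'Server name or address' value."""
    url = urlsplit(addr)
    # keep_blank_values=True: 'cert=' has an empty value and would otherwise
    # be dropped by parse_qs, hiding the client-certificate setting.
    query = parse_qs(url.query, keep_blank_values=True)
    try:
        port = url.port or 443
    except ValueError:  # non-numeric or out-of-range port
        port = None
    settings = {
        "host": url.hostname,
        "port": port,
        "realm": url.path.strip("/") or None,
        "ignore_cert_errors": query.get("ice") == ["1"],
        "client_cert": "cert" in query,
        "no_user_pass": query.get("nup") == ["1"],
    }
    findings = []
    if url.scheme != "https" or not url.hostname or port is None:
        findings.append("not a valid https://host[:port] URL")
    if settings["ignore_cert_errors"]:
        findings.append("ice=1: server certificate errors are ignored")
    # Assumption (inferred from the article, not stated in it): nup=1 is only
    # meaningful together with cert=, since it removes username/password.
    if settings["no_user_pass"] and not settings["client_cert"]:
        findings.append("nup=1 without cert=: no credential type selected")
    for name in sorted(set(query) - KNOWN_MODIFIERS):
        findings.append(f"unknown modifier: {name}")
    return settings, findings


# Constructed sample values in the article's format ("staff" is a made-up realm).
SAMPLES = [
    "https://vpn.domain.com:10443?ice=1&cert=",
    "https://vpn.domain.com:10443?cert=&nup=1",
    "https://vpn.domain.com:10443/staff?ice=1",
    "https://vpn.domain.com?nup=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        settings, findings = audit_server_address(sample)
        print(sample, settings, findings or ["no findings"], sep="\n  ")
```
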

 

Alternative.

If this does not work and VPN connectivity is required between the ARM device and the FortiGate, L2TP VPN can be configured. Note that L2TP VPN in this case is a Full Tunnel VPN and NOT a Split Tunnel. This means that all traffic, including Internet-related traffic, will be routed through the L2TP tunnel.

It is possible to disable Full Tunneling and convert the tunnel to Split Tunnel. This is done either on the local PC, or globally on the FortiGate.

 

Related documents:

Technical Tip: How to configure L2TP using interface/route based IPsec VPN 

L2TP over IPsec