FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.


This article describes how to use FortiClient and FortiClient EMS's Endpoint Security profile to protect against the Apache Log4j exploit. The vulnerability is assigned CVE-2021-44228


For more information about this vulnerability, as well as recommended package updates for various Fortinet Security Fabric devices, see the following FortiGuard Outbreak Alert:

FortiGuard Outbreak Alert - Log4j2 Vulnerability


FortiClient Endpoints must have Application Firewall package updates in the recommended version (19.218) or above. See IPS package below:

FortiGuard IPS Package 19.218



The Endpoint Security Profile configurations can be configured on FortiClient EMS v6.2+, deployed to FortiClient Endpoints v6.2+. Supported endpoint OSes are Windows and Mac.



1) Using FortiClient EMS, create a new Endpoint Profile or edit an existing Endpoint Profile. Then configure the following:

- On the Firewall tab, enable Application Firewall

- Under General settings, enable Detect & Block Exploits

- select 'Save' to save changes.




2) Allow changes to be pushed to managed Endpoints. Then check Endpoints for installation of the latest Application Firewall Signature packages.



3) If an exploit attempt is detected, the FortiClient will block the attempt. A FortiClient pop-up notification will appear on the Endpoint's system tray.




4) On FortiClient EMS, you can view the log of the exploit attempt when you view the targeted Endpoint. 

- Go to Endpoints > All Endpoints, and select the device that was targeted.

- Use the Firewall Events tab to view the exploit attempt.



Related Links

Configure Application Firewall on FortiClient EMS