- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Adding a registration password for FortiClients af...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding a registration password for FortiClients after initial rollout is complete
I screwed up.
I deployed my FortiClients without specifying that a password be required for registration. Shortly thereafter, a consultant came on site and had their FortiClient software register to our FortiGate. I'd like to avoid having this happen again and it seems the surest way of doing this is requiring a password to register.
So I added a password to the FortiGate in the System > Config > Advanced > FortiClient Endpoint Registration section. I adjusted my Advanced FortiClient Profile to include a value (the same as specified in the Advanced Config section) in the <registration_password> tag and repackaged my base install to also include the proper <registration_password> tag (for new installations). For each XML file, I backed up the configuration file using FortiClient on my workstation so I would not have any clear text passwords in my published configs and applied the updated XML content with encrypted passwords to both my FortiClient profile on the FortiGate and to the deployment bundle created with FortiClient Configurator (for future deployments).
Seemed like a simple fix, however, when I boot and log onto on a system that already has the FortiClient software installed and registered with my FortiGate, I am greeted with a dialog box prompting me for a registration password. Interestingly, if I merely click Accept (without entering a password) the client appears to remain registered (the shield in the system tray never deviates from a happy green icon), a check of the FortiClient Monitor on the FortiGate, however, shows the client is now in an unregistered state. If I click cancel, the client is unregistered. This is a problem because I do not wish for my end users to ever have a chance to unregister the client (unregister is not disabled, but it does require a password so IT staff can disable FortiClient if needed for troubleshooting).
I've tried simplifying the process by using clear text passwords in the XML config files and have tried allowing the FortiClient profiles with the registration_password to propagate to a client prior to enabling the password reqirement in the System > Config > Advanced > FortiClient Endpoint Registration section, but was rewarded only with further frusteration.
An excerpt of my profile config file:
<endpoint_control> <enabled>1</enabled> <socket_connect_timeouts>1:5</socket_connect_timeouts> <custom_ping_server /> <system_data>Enc blahblahblahblah</system_data> <disable_unregister>0</disable_unregister> <show_bubble_notifications>1</show_bubble_notifications> <silent_registration>1</silent_registration> <ui> <display_antivirus>1</display_antivirus> <display_webfilter>1</display_webfilter> <display_firewall>1</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>0</display_vulnerability_scan> <registration_dialog> <show_profile_details>0</show_profile_details> </registration_dialog> </ui> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <fortigates> <fortigate> <serial_number>FG200D123456789</serial_number> <name>TR-FG200D-01</name> <registration_password>Enc yaddayaddayadda</registration_password> <addresses>10.10.0.100:8010;192.168.163.1:8010;vpn.ofmy.net:8010</addresses> </fortigate> </fortigates> </endpoint_control>
Any guidance on how I can add a password for FortiClient registrations as transparently as possible?
Thanks,
Stan
Labels:
- Labels:
-
5.2
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support case logged - Ticket # 1446041.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One week on, the support engineer assigned to my case persists in asking that I enable a registration key on the FortiGate. My initial ticket problem description (same the text in the original post above) indicates this has already been done (and is, in fact, the point at which the issue described begins).
I performed the steps he asked be performed and indicated the problem persists. He has again asked that I perform the same steps.
I've called in and asked to have the case escalated and the person with whom I spoke offered no assistance other than to have the engineer assigned call me (which he didn't do prior to repeating his low value instructions).
I have asked for a second time in my case response that the case be escalated. I also requested having the case reassigned.
*edit*
I called in again and had the case reassigned.
Stan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things to check:
[ul]Also, if you run the newly repackaged installer, does it register to the FortiGate successfully and silently?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exporting the profile (utilizing the Backup function within Settings) does show that it has registration_password set.
The three IP addresses in the fortigate element correspond to three different interfaces on the same FortiGate unit (Wired LAN, Wireless LAN and SSL VPN).
Running the newly repackaged installer on a system without FortiClient installed does result in the system registering with the FortiGate successfully and silently. Unfortunately, running a repair operation using the newly repackaged installer does not change the behavior on clients where the installed FortiGate software was previously registered.
Uninstalling the FortiClient software and then reinstalling with the newly repackaged installer does result in successful silent registration. I've got a Group Policy configured to do just this, but have not yet enabled it as this seems like somewhat drastic means to an end (and provides a window for end-users to adjust settings as the uninstall password must be disabled to allow the uninstall). Should I ever wish/need to change the registration password, this current implementation would mean a full uninstall/reinstall of all clients (including the window of opportunity for users to disable protection) and I doubt this is intended behavior.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One last check:
Try deregister the client from the FortiGate. You may use the FortiOS GUI or CLI (diagnose endpoint registration deregister). Ensure that the client has the new <fortigate> element with password before deregistering it. Then restart the computer system.
If this does not resolve it, then, I guess you need at least one manual step on each registered client:
[ul]Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kassim:
Thank you for trying to help. Unfortunately, deregistering a client on the FortiGate prior to enabling the registration key requirement had no effect on the client prompting for a Registration Key on the next boot/logon in spite of having the registration password defined in the last profile received by the client.
I will continue to pursue the case with support through conclusion. I hope to have the ability to add/change the registration key added as a feature improvement as this really seems like something that should be practical to do without having to touch each individual endpoint or uninstalling/reinstalling the FortiClient software.
The support tech now assigned to the case seems engaged and I am hopeful we can at least get this issue addressed in a future version.
Sincerely,
Stan
Related Posts
- FortiGate Registration | License & firmware... 808 Views
- FortiAuthenticator not displaying custom fields 1433 Views
- Need assistance - VXLAN over IPSec... 656 Views
- IP SoftPhone via IPSec VPN 1868 Views
- How to set up automatic deployment... 2010 Views
Labels
-
FortiGate
6,669 -
FortiClient
1,328 -
5.2
801 -
5.4
639 -
FortiManager
577 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
255 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
77 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
LDAP
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SSO
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.