- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiClients and roaming
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClients and roaming
In our network, we have a main site (Corporate) and 30 or so remote offices. Remote offices all have a FortiGate with an IPSEC VPN to our Corporate site. We are testing deployment of FortiClient, and are confused the best way to handle application of FortiClient licenses and configuration.
Because FortiClient profiles have to be configured manually as XML files uploaded to the FortiGate to do anything but the absolute basic features, we envision it being VERY difficult to maintain all our web filtering based on user group with all the exceptions in this manner. Our desire is to have whatever office FortiGate a client happens to be behind (users move / change offices frequently) do all web filtering. I would also prefer that all FortiClients show up as "on-net" when they are on the Corporate network (from any office with a tunnel).
So, my questions are:
1. If my FortiClient licensing is applied to the Corporate FortiGate, can clients register to remote FortiGates and used them for web filtering when users travel?
2. If this isn't possible, what options exist for deployment in this manner? Our goal is to have local office internet traffic go direct to the internet (not to Proxy or backhaul through our corporate office)
3. If this is possible, can registration to each FortiGate happen silently / without user interaction? (I know this can be setup in the XML file, we have just not been able to test this happening silently when roaming)
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a similar config currently in production, minus the number of sites. (Only 1 site for us)
jseptor wrote:1. If my FortiClient licensing is applied to the Corporate FortiGate, can clients register to remote FortiGates and used them for web filtering when users travel?
My understanding is that a FortiClient license needs to be purchased for each of the FGT that hosts FortiClients. For example we have a A/P HA cluster and had to purchase for both devices, as the registration database is kept seperately on each device. That being said you could probably just use one of your Fortigates as the "HeadEnd" Forticlient controller. This is where your Forticlients would register to, and would pull their config from. This would allow you to limit your licensing to a single device/HA pair. You may be able to do something with FortiManager here, however I cannot speak to the use of that product.
Also as a quick note web filtering does not get proxied by the Fortigates when using FortiClient. Filtering works at the local level by FortiClient locally proxying all traffic and querying Fortigaurd to look-up the category of the website. Only the configuration of the website categories and configured and maintained by the Fortigate.
jseptor wrote:2. If this isn't possible, what options exist for deployment in this manner? Our goal is to have local office internet traffic go direct to the internet (not to Proxy or backhaul through our corporate office)
See the last paragraph in my response to #1. No Fortigate device proxying is done by the FortiClient.
jseptor wrote:3. If this is possible, can registration to each FortiGate happen silently / without user interaction? (I know this can be setup in the XML file, we have just not been able to test this happening silently when roaming)
I believe that whatever you bake into your config will take precedent. For example if you have 3 Fortigates in the XML as possible managers, then each will be tried until a successful response is reached.
Fortigate 200D HA A/P Cluster FAZ VM
Fortigate 200D HA A/P Cluster FAZ VM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems you can benefit from working with a Systems Engineer. They can help to create an initial deployment, which you can manage on your own afterwards.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
7,131 -
FortiClient
1,406 -
5.2
801 -
5.4
639 -
FortiManager
618 -
FortiAnalyzer
453 -
6.0
416 -
FortiAP
373 -
FortiSwitch
369 -
5.6
362 -
FortiClient EMS
290 -
FortiMail
280 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
126 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
102 -
FortiGateCloud
96 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiExtender
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
Routing
16 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
IPS signature
5 -
Packet capture
5 -
Automation
5 -
DNS Filter
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiCache
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Web rating
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Fortinet Engage Partner Program
3 -
Traffic shaping profile
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1059 | |
| 882 | |
| 523 | |
| 441 | |
| 147 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.