In our network, we have a main site (Corporate) and 30 or so remote offices. Remote offices all have a FortiGate with an IPSEC VPN to our Corporate site. We are testing deployment of FortiClient, and are confused the best way to handle application of FortiClient licenses and configuration.
Because FortiClient profiles have to be configured manually as XML files uploaded to the FortiGate to do anything but the absolute basic features, we envision it being VERY difficult to maintain all our web filtering based on user group with all the exceptions in this manner. Our desire is to have whatever office FortiGate a client happens to be behind (users move / change offices frequently) do all web filtering. I would also prefer that all FortiClients show up as "on-net" when they are on the Corporate network (from any office with a tunnel).
So, my questions are:
1. If my FortiClient licensing is applied to the Corporate FortiGate, can clients register to remote FortiGates and used them for web filtering when users travel?
2. If this isn't possible, what options exist for deployment in this manner? Our goal is to have local office internet traffic go direct to the internet (not to Proxy or backhaul through our corporate office)
3. If this is possible, can registration to each FortiGate happen silently / without user interaction? (I know this can be setup in the XML file, we have just not been able to test this happening silently when roaming)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We have a similar config currently in production, minus the number of sites. (Only 1 site for us)
jseptor wrote:1. If my FortiClient licensing is applied to the Corporate FortiGate, can clients register to remote FortiGates and used them for web filtering when users travel?
My understanding is that a FortiClient license needs to be purchased for each of the FGT that hosts FortiClients. For example we have a A/P HA cluster and had to purchase for both devices, as the registration database is kept seperately on each device. That being said you could probably just use one of your Fortigates as the "HeadEnd" Forticlient controller. This is where your Forticlients would register to, and would pull their config from. This would allow you to limit your licensing to a single device/HA pair. You may be able to do something with FortiManager here, however I cannot speak to the use of that product.
Also as a quick note web filtering does not get proxied by the Fortigates when using FortiClient. Filtering works at the local level by FortiClient locally proxying all traffic and querying Fortigaurd to look-up the category of the website. Only the configuration of the website categories and configured and maintained by the Fortigate.
jseptor wrote:2. If this isn't possible, what options exist for deployment in this manner? Our goal is to have local office internet traffic go direct to the internet (not to Proxy or backhaul through our corporate office)
See the last paragraph in my response to #1. No Fortigate device proxying is done by the FortiClient.
jseptor wrote:3. If this is possible, can registration to each FortiGate happen silently / without user interaction? (I know this can be setup in the XML file, we have just not been able to test this happening silently when roaming)
I believe that whatever you bake into your config will take precedent. For example if you have 3 Fortigates in the XML as possible managers, then each will be tried until a successful response is reached.
Fortigate 200D HA A/P Cluster FAZ VM
It seems you can benefit from working with a Systems Engineer. They can help to create an initial deployment, which you can manage on your own afterwards.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.