Hi,
This drives me crazy and I didn't find any solution that is working as expected.
Our Setup
2 FGT 1000C Active-Active Cluster (Firmware v5.2.3,build670)
12 Forti Access Points 221B (Firmware: v5.2-build0225)
Forticlient 5.2.3.0663
Port 12 dedicatet for Forti APs
Port 3 Internal LAN
SSID s24.ito (Enterprise Authenticated)
We want to achive that Mobile Devices can connect to several Services (like Fileshare) in the Inside LAN. For security reasons this only would be allowed, if the Forticlient is compliant with the designated profile.
What happens...
- If I connect my Notebook to the Internal LAN (wired) the Forticlient registers silently to the Fortigate and Status stay On-Net
- If I connect to the Wireless Network (s24.ito), the Forticlient doesn't register silent and after a while (about 2mins) the On-Net Status shows offline, thus doesn't allow me to connect to Internal Services
- If I register manual (I can see the Fortiagte with IP of the s24.ito Network), it registers successfully, but after a while the On-Net Status also goes offline.
- If I go back to wired connection, the Client registers automaticly (silent as expected) and stay On-Line
Here's what I configured:
SSID Interface
name : s24.ito
vdom : root
cli-conn-status : 0
mode : static
dhcp-relay-service : disable
ip : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
allowaccess : ping https http radius-acct
arpforward : enable
broadcast-forward : disable
bfd : global
l2forward : disable
icmp-redirect : enable
vlanforward : enable
stpforward : disable
ips-sniffer-mode : disable
ident-accept : disable
ipmac : disable
status : up
netbios-forward : disable
wins-ip : 0.0.0.0
type : vap-switch
netflow-sampler : disable
sflow-sampler : disable
sample-rate : 2000
polling-interval : 20
sample-direction : both
explicit-web-proxy : disable
explicit-ftp-proxy : disable
tcp-mss : 0
inbandwidth : 0
outbandwidth : 0
external : disable
devindex : 42
description :
alias :
device-identification: enable
device-user-identification: enable
device-access-list :
device-netscan : disable
[style="background-color: #ffff00;"]listen-forticlient-connection: enable[/style]
[style="background-color: #ffff00;"]broadcast-forticlient-discovery: enable[/style]
snmp-index : 34
secondary-IP : disable
ipv6:
ip6-mode : static
ip6-allowaccess : https
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
ip6-address : ::/0
ip6-extra-addr:
ip6-send-adv : disable
autoconf : disable
dhcp6-relay-service : disable
dhcp-relay-ip :
dhcp-relay-type : regular
mtu-override : disable
Interface Forti Access Points
name : port12
vdom : root
cli-conn-status : 0
mode : static
dhcp-relay-service : disable
ip : xxx. xxx. xxx. xxx xxx. xxx. xxx. xxx
[style="background-color: #ffff00;"]allowaccess : capwap[/style]
fail-detect : disable
arpforward : enable
broadcast-forward : disable
bfd : global
l2forward : disable
icmp-redirect : enable
vlanforward : enable
stpforward : disable
ips-sniffer-mode : disable
ident-accept : disable
ipmac : disable
subst : disable
substitute-dst-mac : 00:00:00:00:00:00
status : up
netbios-forward : disable
wins-ip : 0.0.0.0
type : physical
netflow-sampler : disable
sflow-sampler : disable
sample-rate : 2000
polling-interval : 20
sample-direction : both
explicit-web-proxy : disable
explicit-ftp-proxy : disable
tcp-mss : 0
fp-anomaly :
inbandwidth : 0
outbandwidth : 0
spillover-threshold : 0
weight : 0
external : disable
devindex : 18
description :
alias : fortiAccessPoints
security-mode : none
device-identification: enable
device-user-identification: enable
device-access-list :
device-netscan : disable
lldp-transmission : vdom
listen-forticlient-connection: disable
vrrp-virtual-mac : disable
vrrp:
snmp-index : 17
secondary-IP : disable
ipv6:
ip6-mode : static
ip6-allowaccess : capwap
ip6-reachable-time : 0
ip6-retrans-time : 0
ip6-hop-limit : 0
ip6-address : ::/0
ip6-extra-addr:
ip6-send-adv : disable
autoconf : disable
dhcp6-relay-service : disable
dhcp-relay-ip :
dhcp-relay-type : regular
speed : auto
mtu-override : disable
wccp : disable
drop-overlapped-fragment: disable
drop-fragment : disable
DHCP Server Interface WLAN (s24.ito)
status : enable
lease-time : 604800
mac-acl-default-action: assign
[style="background-color: #ffff00;"]forticlient-on-net-status: enable[/style]
dns-service : default
wifi-ac1 : 0.0.0.0
wifi-ac2 : 0.0.0.0
wifi-ac3 : 0.0.0.0
ntp-service : local
domain :
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
default-gateway : xxx. xxx. xxx. xxx
next-server : 0.0.0.0
netmask : xxx. xxx. xxx. xxx
interface : s24.ito
ip-range:
== [ 1 ]
id: 1
timezone-option : default
tftp-server :
filename :
option1 : 0
option2 : 0
option3 : 0
option4 : 0
option5 : 0
option6 : 0
server-type : regular
conflicted-ip-timeout: 1800
auto-configuration : enable
vci-match : disable
exclude-range:
reserved-address:
Forticlient Profile
<endpoint_control>
<enabled>1</enabled>
<socket_connect_timeouts>1:5</socket_connect_timeouts>
<custom_ping_server />
<offnet_update>1</offnet_update>
[style="background-color: #ffff00;"]<disable_unregister>1</disable_unregister>[/style]
<show_bubble_notifications>1</show_bubble_notifications>
[style="background-color: #ffff00;"]<silent_registration>1</silent_registration>[/style]
<ui>
<registration_dialog>
<show_profile_details>0</show_profile_details>
</registration_dialog>
</ui>
<fortigates>
<fortigate>
<serial_number>fgt_sn0</serial_number>
<name>LAN</name>
<registration_password>secret</registration_password>
[style="background-color: #ffff00;"]<addresses><ssid-address>:8010;<lan-address>:8010</addresses>[/style]
</fortigate>
</fortigates>
</endpoint_control>
I also tried with "Roaming"
<fortigate>
<serial_number>fgt_sn0</serial_number>
<name>LAN</name>
<registration_password>secret</registration_password>
[style="background-color: #ffff00;"]<addresses><lan-address>:8010</addresses>[/style]
</fortigate>
<fortigate>
<serial_number>fgt_sn0</serial_number>
<name>WLAN</name>
<registration_password>secret</registration_password>
[style="background-color: #ffff00;"]<addresses><ssid-address>:8010</addresses>[/style]
</fortigate>
Do I miss something, or is there any other thing that I haven't configured yet?
Any help is is appreciated, thank you
Best,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I have FGT running 5.2.3 and FAP 5.2.3, FCT 5.2.3. Both my LAN and WIFI listen to forticlient registration.
FortiClient XML config is just like yours "<addresses><ssid-address>:8010;<lan-address>:8010</addresses>"
The silent registration works, but it takes about 2 minutes from FortiClient notices itself "Offline" to it registers again.
There are two settings on FortiGate may be relevant:
config endpoint-control settings set forticlient-keepalive-interval 120 set forticlient-sys-update-interval 720 end
I have FGT running 5.2.3 and FAP 5.2.3, FCT 5.2.3. Both my LAN and WIFI listen to forticlient registration.
FortiClient XML config is just like yours "<addresses><ssid-address>:8010;<lan-address>:8010</addresses>"
The silent registration works, but it takes about 2 minutes from FortiClient notices itself "Offline" to it registers again.
There are two settings on FortiGate may be relevant:
config endpoint-control settings set forticlient-keepalive-interval 120 set forticlient-sys-update-interval 720 end
Hi Chris,
Thank you, the set forticlient-keepalive-interval 120 does the trick. After that, it was also no longer neccessary to use both IP Addresses in the Endpoint Settings - the Client stays On-Line, great.
Best regards,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.