Markus
Valued Contributor

FortiClient self-registration and On-Net status not always working

Hi,

This drives me crazy and I didn't find any solution that is working as expected.

Our Setup

2 FGT 1000C Active-Active Cluster (Firmware v5.2.3,build670)

12 Forti Access Points 221B (Firmware: v5.2-build0225)

Forticlient 5.2.3.0663

Port 12 dedicated for Forti APs

Port 3 Internal LAN

SSID s24.ito (Enterprise Authenticated)

We want to achieve that mobile devices can connect to several services (like file shares) in the inside LAN. For security reasons this would only be allowed if the FortiClient is compliant with the designated profile.

What happens...

- If I connect my notebook to the internal LAN (wired), the FortiClient registers silently to the FortiGate and the status stays On-Net

- If I connect to the wireless network (s24.ito), the FortiClient doesn't register silently and after a while (about 2 mins) the On-Net status shows offline, thus it doesn't allow me to connect to internal services

- If I register manually (I can see the FortiGate with the IP of the s24.ito network), it registers successfully, but after a while the On-Net status also goes offline.

- If I go back to the wired connection, the client registers automatically (silently, as expected) and stays On-Line

 

Here's what I configured:

SSID Interface

name                : s24.ito
vdom                : root
cli-conn-status     : 0
mode                : static
dhcp-relay-service  : disable
ip                  : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
allowaccess         : ping https http radius-acct
arpforward          : enable
broadcast-forward   : disable
bfd                 : global
l2forward           : disable
icmp-redirect       : enable
vlanforward         : enable
stpforward          : disable
ips-sniffer-mode    : disable
ident-accept        : disable
ipmac               : disable
status              : up
netbios-forward     : disable
wins-ip             : 0.0.0.0
type                : vap-switch
netflow-sampler     : disable
sflow-sampler       : disable
sample-rate         : 2000
polling-interval    : 20
sample-direction    : both
explicit-web-proxy  : disable
explicit-ftp-proxy  : disable
tcp-mss             : 0
inbandwidth         : 0
outbandwidth        : 0
external            : disable
devindex            : 42
description         :
alias               :
device-identification: enable
device-user-identification: enable
device-access-list  :
device-netscan      : disable
listen-forticlient-connection: enable
broadcast-forticlient-discovery: enable
snmp-index          : 34
secondary-IP        : disable
ipv6:
    ip6-mode            : static
    ip6-allowaccess     : https
    ip6-reachable-time  : 0
    ip6-retrans-time    : 0
    ip6-hop-limit       : 0
    ip6-address         : ::/0
    ip6-extra-addr:
    ip6-send-adv        : disable
    autoconf            : disable
    dhcp6-relay-service : disable
dhcp-relay-ip       :
dhcp-relay-type     : regular
mtu-override        : disable

 

Interface Forti Access Points

name                : port12
vdom                : root
cli-conn-status     : 0
mode                : static
dhcp-relay-service  : disable
ip                  : xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
allowaccess         : capwap
fail-detect         : disable
arpforward          : enable
broadcast-forward   : disable
bfd                 : global
l2forward           : disable
icmp-redirect       : enable
vlanforward         : enable
stpforward          : disable
ips-sniffer-mode    : disable
ident-accept        : disable
ipmac               : disable
subst               : disable
substitute-dst-mac  : 00:00:00:00:00:00
status              : up
netbios-forward     : disable
wins-ip             : 0.0.0.0
type                : physical
netflow-sampler     : disable
sflow-sampler       : disable
sample-rate         : 2000
polling-interval    : 20
sample-direction    : both
explicit-web-proxy  : disable
explicit-ftp-proxy  : disable
tcp-mss             : 0
fp-anomaly          :
inbandwidth         : 0
outbandwidth        : 0
spillover-threshold : 0
weight              : 0
external            : disable
devindex            : 18
description         :
alias               : fortiAccessPoints
security-mode       : none
device-identification: enable
device-user-identification: enable
device-access-list  :
device-netscan      : disable
lldp-transmission   : vdom
listen-forticlient-connection: disable
vrrp-virtual-mac    : disable
vrrp:
snmp-index          : 17
secondary-IP        : disable
ipv6:
    ip6-mode            : static
    ip6-allowaccess     : capwap
    ip6-reachable-time  : 0
    ip6-retrans-time    : 0
    ip6-hop-limit       : 0
    ip6-address         : ::/0
    ip6-extra-addr:
    ip6-send-adv        : disable
    autoconf            : disable
    dhcp6-relay-service : disable
dhcp-relay-ip       :
dhcp-relay-type     : regular
speed               : auto
mtu-override        : disable
wccp                : disable
drop-overlapped-fragment: disable
drop-fragment       : disable

 

DHCP Server Interface WLAN (s24.ito)

status              : enable
lease-time          : 604800
mac-acl-default-action: assign
forticlient-on-net-status: enable
dns-service         : default
wifi-ac1            : 0.0.0.0
wifi-ac2            : 0.0.0.0
wifi-ac3            : 0.0.0.0
ntp-service         : local
domain              :
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
default-gateway     : xxx.xxx.xxx.xxx
next-server         : 0.0.0.0
netmask             : xxx.xxx.xxx.xxx
interface           : s24.ito
ip-range:
    == [ 1 ]
    id: 1
timezone-option     : default
tftp-server         :
filename            :
option1             : 0
option2             : 0
option3             : 0
option4             : 0
option5             : 0
option6             : 0
server-type         : regular
conflicted-ip-timeout: 1800
auto-configuration  : enable
vci-match           : disable
exclude-range:
reserved-address:

 

FortiClient Profile

    <endpoint_control>
        <enabled>1</enabled>
        <socket_connect_timeouts>1:5</socket_connect_timeouts>
        <custom_ping_server />
        <offnet_update>1</offnet_update>
        <disable_unregister>1</disable_unregister>
        <show_bubble_notifications>1</show_bubble_notifications>
        <silent_registration>1</silent_registration>
        <ui>
            <registration_dialog>
                <show_profile_details>0</show_profile_details>
            </registration_dialog>
        </ui>
        <fortigates>
            <fortigate>
                <serial_number>fgt_sn0</serial_number>
                <name>LAN</name>
                <registration_password>secret</registration_password>
                <addresses><ssid-address>:8010;<lan-address>:8010</addresses>
            </fortigate>
        </fortigates>
    </endpoint_control>

 

I also tried with "Roaming"

            <fortigate>
                <serial_number>fgt_sn0</serial_number>
                <name>LAN</name>
                <registration_password>secret</registration_password>
                <addresses><lan-address>:8010</addresses>
            </fortigate>
            <fortigate>
                <serial_number>fgt_sn0</serial_number>
                <name>WLAN</name>
                <registration_password>secret</registration_password>
                <addresses><ssid-address>:8010</addresses>
            </fortigate>

 

 

Am I missing something, or is there any other thing that I haven't configured yet?

Any help is appreciated, thank you

 

Best,

Markus

--- NSE 4 ---
Chris_Lin_FTNT

I have FGT running 5.2.3 and FAP 5.2.3, FCT 5.2.3. Both my LAN and WIFI listen to forticlient registration.

 

FortiClient XML config is just like yours "<addresses><ssid-address>:8010;<lan-address>:8010</addresses>"

 

The silent registration works, but it takes about 2 minutes from when FortiClient notices itself "Offline" to when it registers again.

 

There are two settings on FortiGate that may be relevant:

config endpoint-control settings
    set forticlient-keepalive-interval 120
    set forticlient-sys-update-interval 720
end
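The three pieces this thread turns out to need (the SSID interface listening for FortiClient, the DHCP server advertising on-net status, and a keepalive short enough that the client does not drop to Offline) gathered into one FortiOS 5.2 CLI block; this is an added example assembled from the settings quoted in the thread, not Chris's or Markus's own post. The SSID name and the two endpoint-control values come from the thread; the DHCP server entry id (1) is an assumption, since the thread does not show it.

```fortios
# Added example, not from the original post. Interface settings as shown
# in Markus's "get" output above: the SSID must both listen for and
# advertise FortiClient registration, otherwise wireless clients have
# nothing to register against.
config system interface
    edit "s24.ito"
        set listen-forticlient-connection enable
        set broadcast-forticlient-discovery enable
    next
end

# The DHCP server on the SSID tells the client it is on-net when it
# obtains a lease there. Entry id 1 is assumed; check with
# "show system dhcp server" on your own unit.
config system dhcp server
    edit 1
        set interface "s24.ito"
        set forticlient-on-net-status enable
    next
end

# The values from the accepted answer: the keepalive governs how long a
# client that missed a keepalive stays registered before showing Offline.
config endpoint-control settings
    set forticlient-keepalive-interval 120
    set forticlient-sys-update-interval 720
end
```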

Markus

Hi Chris,

Thank you, the set forticlient-keepalive-interval 120 does the trick. After that, it was also no longer necessary to use both IP addresses in the endpoint settings - the client stays On-Line, great.

 

Best regards,

Markus

--- NSE 4 ---