Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Looking for Forticlient experiences
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for Forticlient experiences
Hi
We're currently comparing Forticlient and Z-scaler for client security. Was hoping to hear some stories from real users/admins.
We have around 50.000 users all around the globe and I was wondering:
[ul]I know these are very generic questions but I am grateful for any input.
Thank you!
Kind regards,
Patrik
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, we've been using FortiClient and EMS (since it was released). We have a very small estate compared to yours, about 1500 devices, a mix of Linux, MacOS & Windows. Here are my honest answers to your questions, I'm a big Fortinet fan.
How's the management platform, is it easy to understand and manage?
The web interface of EMS is actually great, it's very modern and functional.
Has there been any serious bugs or annoyances?
Yep! Still are, the auto upgrade feature for Mac's only works in about 70% of the updates. The failed upgrades leave the Mac with no FortiClient installed which means re-installing it manually.
Any weaknesses/limitations in the product that we should know about?
Generally speaking FortiClient does not work reliably on MacOS.
Although there is a Linux client it doesn't support any form of VPN connection but I believe that's in the works.
How long does it take from updating the policy to it reaching the client?
Our install is set to a 2 minute FortiClient poll so updates are pushed pretty quickly, if you change a profile that affects hundreds of PC's it does take a little longer to sync them all.
Which method do you use to authenticate the clients when they are outside the office? Is there any issues with said method?
You can enable the "FortiClient telemetry connection key" which is effectively a password required to register FC with EMS. What's nice is if you don't have a PW you can add it to a profile, which get's sync'd, then you can enable the global PW and most FC's will carry on working. One issue we do hit is if someone is WFH and the auto upgrade kicks in, FC will be uninstalled which kills the VPN, which means the new installer isn't pushed to the PC. So the user is stuck with no VPN and no FC installed. It may be there's a way around this in EMS but I've not found it yet!
We have a bunch of local security products already and it would take considerable political efforts before we can replace them. Would you consider the client to be heavy if only using it for Web filtering/Sandbox:ing?
From what I've seen FC is very light weight, things have improved a lot as, again on MacOS, we were seeing high CPU but version 6 seems to have largely fixed this.
In summary, EMS is a joy to use but there still remain so frustrating bugs around the auto upgrade feature. On Windows you can force a remote install but this isn't an option on Mac's without a pre-installed FC so when the client disappears manual intervention is required. If you push installers via GPO etc then I'd expect you to really like EMS. I'd certainly use EMS again given how efficient FC is and how affordable it is compared to other products BUT that's only if I was using Fortigate firewalls as there's some nice integration. I typically find FN support very good, but I always dread raising a ticket for EMS/FC as it's a real struggle to find someone on their support team who understands it well.
Hopefully that helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I'm with you. There are a few options within EMS/FC. You can specify an 'on net subnet', and use different filter settings when on prem as opposed to at home. However that's easily bypassed given it's based on IP. FortiClient has the same web filtering capability as the FortiGate firewalls so you can undertake any filtering etc on the client device. The configuration of that stuff is very easy to do via the profile that's applied to the group which the client PC's are in. That group membership can be pulled from AD so there's very little admin required within EMS.
The policy here is we don't restrict web access but everything is logged, we're a progressive company. FC has the ability to send traffic logs to FortiAnalyzer (hence my comment about nice integration with other FN products). With each released of EMS they introduce new features so there may well be stuff you'd benefit from which I don't know about.
epacke wrote:Hi Steve
How do you handle employees travelling? Don't you enforce web filtering then?
/Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way it works for us is when the VPN user authenticates any traffic logs from the client PC results in the username being logged with the site accessed. We use the logs for the FortiGate firewall they are connected to, but given FC supports uploading traffic logs to FortiAnalyzer you could probably achieve the same doing it that way.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, we've been using FortiClient and EMS (since it was released). We have a very small estate compared to yours, about 1500 devices, a mix of Linux, MacOS & Windows. Here are my honest answers to your questions, I'm a big Fortinet fan.
How's the management platform, is it easy to understand and manage?
The web interface of EMS is actually great, it's very modern and functional.
Has there been any serious bugs or annoyances?
Yep! Still are, the auto upgrade feature for Mac's only works in about 70% of the updates. The failed upgrades leave the Mac with no FortiClient installed which means re-installing it manually.
Any weaknesses/limitations in the product that we should know about?
Generally speaking FortiClient does not work reliably on MacOS.
Although there is a Linux client it doesn't support any form of VPN connection but I believe that's in the works.
How long does it take from updating the policy to it reaching the client?
Our install is set to a 2 minute FortiClient poll so updates are pushed pretty quickly, if you change a profile that affects hundreds of PC's it does take a little longer to sync them all.
Which method do you use to authenticate the clients when they are outside the office? Is there any issues with said method?
You can enable the "FortiClient telemetry connection key" which is effectively a password required to register FC with EMS. What's nice is if you don't have a PW you can add it to a profile, which get's sync'd, then you can enable the global PW and most FC's will carry on working. One issue we do hit is if someone is WFH and the auto upgrade kicks in, FC will be uninstalled which kills the VPN, which means the new installer isn't pushed to the PC. So the user is stuck with no VPN and no FC installed. It may be there's a way around this in EMS but I've not found it yet!
We have a bunch of local security products already and it would take considerable political efforts before we can replace them. Would you consider the client to be heavy if only using it for Web filtering/Sandbox:ing?
From what I've seen FC is very light weight, things have improved a lot as, again on MacOS, we were seeing high CPU but version 6 seems to have largely fixed this.
In summary, EMS is a joy to use but there still remain so frustrating bugs around the auto upgrade feature. On Windows you can force a remote install but this isn't an option on Mac's without a pre-installed FC so when the client disappears manual intervention is required. If you push installers via GPO etc then I'd expect you to really like EMS. I'd certainly use EMS again given how efficient FC is and how affordable it is compared to other products BUT that's only if I was using Fortigate firewalls as there's some nice integration. I typically find FN support very good, but I always dread raising a ticket for EMS/FC as it's a real struggle to find someone on their support team who understands it well.
Hopefully that helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Steve
Thank you for your feedback, it is invaluable to hear from someone actually using the product instead of Sales Reps.
Which method do you use to authenticate the clients when they are outside the office? Is there any issues with said method?
You can enable the "FortiClient telemetry connection key" which is effectively a password required to register FC with EMS. What's nice is if you don't have a PW you can add it to a profile, which get's sync'd, then you can enable the global PW and most FC's will carry on working. One issue we do hit is if someone is WFH and the auto upgrade kicks in, FC will be uninstalled which kills the VPN, which means the new installer isn't pushed to the PC. So the user is stuck with no VPN and no FC installed. It may be there's a way around this in EMS but I've not found it yet!
What I meant here is for the proxy settings. We are struggling finding a suitable way of identifying clients both inside and outside the office. SAML requires fully fledged HTTP clients, Scanning active directory logs comes with problems when users are elevating their permissions, and Kerberos seems to be a pain to implement for other platforms than Windows.
Kind regards,
Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmmm, still not sure what you're getting at. We don't use proxies for client web access, instead we rely on the Fortigate rule with AV, IPS, web filtering etc enabled.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Steve
How do you handle employees travelling? Don't you enforce web filtering then?
/Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a demand from our security department that all users should be identified, no matter where they are.
I am just trying to find a way to do that with the FC. Maybe it is not possible?
Kind regards,
Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah I'm with you. There are a few options within EMS/FC. You can specify an 'on net subnet', and use different filter settings when on prem as opposed to at home. However that's easily bypassed given it's based on IP. FortiClient has the same web filtering capability as the FortiGate firewalls so you can undertake any filtering etc on the client device. The configuration of that stuff is very easy to do via the profile that's applied to the group which the client PC's are in. That group membership can be pulled from AD so there's very little admin required within EMS.
The policy here is we don't restrict web access but everything is logged, we're a progressive company. FC has the ability to send traffic logs to FortiAnalyzer (hence my comment about nice integration with other FN products). With each released of EMS they introduce new features so there may well be stuff you'd benefit from which I don't know about.
epacke wrote:Hi Steve
How do you handle employees travelling? Don't you enforce web filtering then?
/Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The policy here is we don't restrict web access but everything is logged, we're a progressive company. FC has the ability to send traffic logs to FortiAnalyzer (hence my comment about nice integration with other FN products). With each released of EMS they introduce new features so there may well be stuff you'd benefit from which I don't know about.
I will quote you on that. :)
Ah I'm with you. There are a few options within EMS/FC. You can specify an 'on net subnet', and use different filter settings when on prem as opposed to at home. However that's easily bypassed given it's based on IP. FortiClient has the same web filtering capability as the FortiGate firewalls so you can undertake any filtering etc on the client device. The configuration of that stuff is very easy to do via the profile that's applied to the group which the client PC's are in. That group membership can be pulled from AD so there's very little admin required within EMS.
I see, but how to do you identify username johndoe@company.com in the logs when John is travelling? And how to identify him when he is in the office? Or are you just logging IP addresses?
Kind regards,
Patrik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way it works for us is when the VPN user authenticates any traffic logs from the client PC results in the username being logged with the site accessed. We use the logs for the FortiGate firewall they are connected to, but given FC supports uploading traffic logs to FortiAnalyzer you could probably achieve the same doing it that way.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Steve, appreciate your time!
Kind regards,
Patrik
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,721 -
FortiClient
1,768 -
5.2
801 -
FortiManager
732 -
5.4
639 -
FortiAnalyzer
560 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1720 | |
| 1093 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.