Many questions for the Forticlient EMS 7.0.7
Hi everybody,
I tried a trial of #ForticlientEMS on premises to evaluate the product and then bought a license, but now that I really have to use it I have encountered several problems. I will try to lay out my questions; I would be very grateful to anyone who can help with even just one of them! :)
1) Is there a way to understand from the telemetry if the Forticlient (7.0.7) is connected in VPN (IPSec or SSL) to the Fortigate? I currently use the server in standalone mode, so it doesn't interact with the Fortigate.
2) I have set up a telemetry connection key on the server. I would like to create Forticlient installations that do not contain the key so that it is always to be entered manually after the first installation on the PC. When I create the installations I see the "Auto Registration" field enabled, but during the creation I am not asked if you want to enable this option or not.
3) I have the server which is under NAT, so the ethernet interface has a private IP. This setting creates problems for me in creating invitations because I cannot select the public IP as the server:
In EMS Settings I added the public IP of the internet line as IP listening for telemetry, so why can't I put it in the invitations too?
4) I want to block IPsec VPN attempts from clients that do not meet certain requirements and I have created, with the Zero Trust Tagging Rules, a very simple rule that for now verifies if the client has Windows 10. In setting the VPN I connected the rule by putting it in the Permit state. The PC, which is Windows 10, is properly tagged and goes into the VPN.
The problem comes now: if in the advanced setting of the VPN I put the Tag in the forbidden state:
and I try to connect in VPN, rightly I do not connect and the notification appears on the PC. However, if, as in my case, I have enabled the Login Before Logon with automatic connection, when the PC is turned on, the computer connects to the VPN! If I then log into the Windows user and disconnect the VPN (which was activated), the Forticlient returns to work regularly because if I try to connect it informs me that I cannot connect. Therefore it appears that the Zero Trust Tagging Rules are not checked at PC startup. I also created the diagnostic file from Forticlient and actually there is no connection log which, when the PC was turned on, had to be prohibited. This is a big problem for me. I also tried to set the <use_legacy_vpn_before_logon> parameter to 1 and I also tried the Forticlient 7.0.6 but nothing changes. Now I use these settings:
One thing I noticed (I don't know if it can be connected in some way) is that until I log in with the Windows user the antivirus status is not detected in the client status:
I have many other questions but for now I will stop at the most urgent ones. I haven't opened a ticket in Fortinet yet because they would surely tell me, as already happened, "For each ticket only one question", so I start by writing here on the Forum. And if some Fortinet technician would like to write me for the details I would be happy, otherwise I will subsequently open a ticket for each question as requested.
Hello FortiMax_it,
After investigating, it would be better to raise a single TAC support ticket so we can answer you accordingly.
In this case, there is a need for a remote session and it does not fit all environments. By opening a TAC support ticket we will help you regarding your specific environment.
Kindest regards,
Hello
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
