Troubleshooting Tip: Identify FortiClient deployment issue

btan · ‎02-06-2024

Description

This article describes that to troubleshoot the FortiClient deployment issue, it is possible to check a few items in EMS, and the installer logs in to one of the affected endpoints. Below are the steps to do initial checking before engaging Fortinet TAC.
On a side note, it is advisable to test deployment on a small group of endpoints (eg: five) before mass deploying to all endpoints.

Scope

EMS, FortiClient v6.4, v7.0 and v7.2.

Solution

Make sure that the endpoint can reach EMS IP/FQDN on ports 8013 and 10443.

In EMS, ensure that the Deployment Package is configured:

Once deployed, it is possible to monitor the status by hovering over the progress bar below. Select it to see details:

It is also possible to check in the endpoint pane.

In the affected machine, navigate to C:\Windows\FortiEMSInstaller. It should download the FortiClient installer here:

In the affected machine, navigate to C:\Windows\FortiEMSInstaller_logs, fctinstalllog.txt log will explain what is happening in backend processes, what is failing etc:

Note:

After the endpoint reboot (part of the FortiClient upgrade process), this log file size will gradually increase, meaning the backend process is running correctly and it is installing the new FortiClient version.

If it is still not possible to identify what is failing, attach this fctinstalllog.txt file to the TAC ticket for TAC assistance.