Thursday, July 24, 2014

Setting up Fortinet FortiClient for Mac OS X AV and web filtering in a few easy steps

I was working with a school that needed a simple AV/web filter for the few Mac machines in a small private school.

They have an old Cisco PIX firewall, but need a simple/free method for the protection of <36 Mac computers in a training class environment. They have zero budget for additional hardware or software, so I suggested the Fortinet "FortiClient".

This post will show you how you can set up the FortiClient for AV and web filtering. It's available for Windows/Mac OS X and a few phone OSes.

First, the version of FortiClient running on Mac OS X 10.8.x and 10.9.x

Okay, let's start with AV. Once you start the client after the installation, you need to update the AV definitions. This takes approx. 2-10 mins depending on internet access. And yes, you need internet access to get the updates.

The system will indicate if it's updated;

Now, here's the fun part: you will need the administrator account. You can tell the FortiClient when to run automatic scans, and you have a few options such as full scan or custom. Most will opt for full scanning. Without administrator access, the end user will not be able to make changes or disable the client.

You can now run a scan to check the functionality.

Optionally, you can set the level of logging and download the logs under the preferences;

Now web filtering. It too is simple to configure, but has a lot more to configure.

You must define the categories for which you allow or disable access. These categories use the FortiGuard services inspection and reputation database, and based on the website's categorization, access will be allowed or disallowed according to the setting in the FortiClient.

NOTE: Within each major category are sub-categories that you can control;

Example; Adult/Mature Content has 15 sub-categories

To allow/block/warn/monitor you need to click the "category name" and set the action.

Example: the passing of a pornographic website

Now if we left the category "porn" set to block, and tried to go to a porn site, we would get a block message.

Note1: In a school environment you will most likely block everything and then add the categories for education.

Note2: If you feel the site is categorized into a wrong setting, you can submit a request to Fortinet for a review by clicking the "click here" tab. Here they will allow you to submit the URL for review (rarely does a site get categorized wrongly, imho).

Here's my final block/allowance by categories for this particular school;

Note the client has an exclusion list, so you can list URLs or wildcards for certain sites to be allowed or blocked regardless of the main category selection.

Example we will allow

Note: But be aware, a site like a porn site, for example, has numerous hyperlinks. So just allowing it will still not display the full graphic/text of the page. Each other text/graphic hyperlink could be in a different category.

So now you have a free & easy AV/web filtering for Mac OS X.
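
The caveat above, as an added Python sketch (not FortiClient code or its configuration format): the exclusion list is consulted before the category action, and each sub-resource of a page is rated on its own. The hostnames, category names and lookup table are constructed for illustration.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed stand-in for the FortiGuard category lookup (hosts and names are made up).
CATEGORY_OF = {
    "lessons.example.org": "Education",
    "media.example.net": "Streaming Media",
    "ads.example.com": "Advertising",
}
# Per-category action chosen in the client: allow / block / warn / monitor.
CATEGORY_ACTION = {"Education": "allow", "Streaming Media": "block", "Advertising": "block"}
DEFAULT_ACTION = "block"  # school-style policy: anything not explicitly allowed is blocked

# Exclusion list: wildcard pattern -> action, consulted before the category.
EXCLUSIONS = [("media.example.net/class-video/*", "allow")]


def decide(url):
    """Return (action, reason) for one request."""
    parts = urlsplit(url)
    target = (parts.hostname or "") + (parts.path or "/")
    for pattern, action in EXCLUSIONS:
        if fnmatch(target, pattern):
            return action, "exclusion " + pattern
    category = CATEGORY_OF.get(parts.hostname, "Unrated")
    return CATEGORY_ACTION.get(category, DEFAULT_ACTION), "category " + category


def blocked_subresources(page_url, subresource_urls):
    """List what still fails to load when the page itself is allowed."""
    if decide(page_url)[0] == "block":
        return [page_url]
    return [u for u in subresource_urls if decide(u)[0] == "block"]


if __name__ == "__main__":
    page = "http://media.example.net/class-video/lesson1.html"
    assets = [
        "http://media.example.net/class-video/player.js",  # covered by the exclusion
        "http://media.example.net/static/site.css",        # same host, outside the wildcard
        "http://ads.example.com/banner.png",               # different host and category
        "http://lessons.example.org/notes.pdf",            # allowed by its category
    ]
    print(decide(page))
    for url in blocked_subresources(page, assets):
        print("still blocked:", url, decide(url)[1])
```

The URLs it reports as still blocked are the ones an administrator would review before widening the exclusion list or allowing another category.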

A few key points to remember;

  • it's free, so what you pay is what you get ( it's really not a bad solution btw )
  • it can take a considerable amount of time, 4-8 mins, to modify each client's web categories (I don't think there is a simple upload-a-configuration-file method). So if you had maybe 50+ desktops/laptops, this would not be an ideal solution to manage. Every time you want to make a change, you would have to touch X amount of machines
  • ideally you want a simple AV/web filtering inspection firewall or proxy, like a FortiGate or pfSense for example
  • Using a centralized firewall will allow you to provide full protection without the need to make adjustments per client machine

I'm not a big fan of the FortiClient, but it's a quick, simple solution and it fits certain environments and solution needs.

Note: If you need to administer the client and need to run updates or install applications, remember to disable the FortiClient. If you have a hard lock-down web filter, you will most likely block simple things like updates. This will require the administrator login.

Restart the client or reboot the machine to re-enable the protection :)

And lastly, another free solution for Mac OS X AV protection is the open source ClamXav.

It's just as good or better, but only protects for antivirus. This is a great solution if you have some existing web filtering device (i.e. HTTP/HTTPS proxy) and need to add AV protection.

The FortiClient is great for a few home machines and for protection of your kid's computer, or at your company lobby/cyber-cafe as guest machine access. In this case you might allow access to webmail or a limited set of sites.

Ken Felix
Freelance Network/Security Engineer Providing security solutions using Fortinet hardware.
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( @  @ )=
      /   \

1 comment:

  1. I've used AVG security for a couple of years, I'd recommend this product to all of you.