Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations MintJulep on being selected by the Eng-Tips community for having the most helpful posts in the forums last week. Way to Go!

FortiClient software - has anyone use this?

Status
Not open for further replies.
Sparweb

Sparweb

Aerospace
Joined
May 21, 2003
Messages
5,187
Location
CA
Up until today, I've been able to work remotely from home or a hotel by using a VPN to access the company network and log into my desk computer workstation. This system worked well enough, though it was often clunky for heavy applications like CAD and FEA. The VPN connected with software from Checkpoint and AFAIK it only did the typical VPN encryption task but includes some malware scanning.

Now they want to change to a different software, and this one seems much more intrusive:

Forticlient is designed to interrogate my OS to determine it has all patches and updates installed, confirm that my firewall and antivirus are completely up to date, scan other applications that are in memory, and collect statistics about my usage and activity. Woah. This is like installing spyware on my computer... on purpose.

Has anybody used this? Or something like it? Is it as bad as I think it is?

I'm giving serious thought to buying a "burner" laptop that I can install this, and only this, software on. My company is not likely to give me a laptop of their own for me to keep at home for this purpose.

STF
 
Sort by date Sort by votes
Or if they wont buy you a company laptop, stop working from home.
 
Upvote 0 Downvote
I've used it. It works well as a VPN. FortiClient isn't a single program; it's of a bunch of components. I only use "Remote Access" (VPN) component and not any of the other components (Compliance, Sandbox detection, Vulnerability scan, etc.), so I don't think it's performing the "spyware" functions you mention on my computer. I suggest checking to see what components you are all supposed to run and verifying what they will do.
 
Upvote 0 Downvote
I don't understand the point of the burner laptop if you're not going to put any other software on it. If you're not going to put any other software on that one then you can't do anything with it, and presumably the computer that you want to connect to the network on has functional and useful software on it but presumably the security system will be looking for the security software on *that* one.
 
Upvote 0 Downvote
Hi Brian,
Good question, but the workstation at my office desk is already well "tended to" by the IT department, no need for extra scrutiny on that one. The Forticlient is pretty obviously going to be scanning applications on MY home computer. When using the VPN, I have access to everything on my workstation, just like I'm sitting at my office desk. I don't need applications on a "burner laptop" because I have access to many more at work.

Jmec87,
That's interesting. The documentation I read so far didn't give me that impression at all. The demonstration from my IT manager didn't bring that up, either. I will look again, of course. What is downloaded from the website is a single installer that will, by default, install everything. Having an option to disable/remove some parts may become apparent, but I would have to install it to find out!

Many people from the office are talking about doing what SWC says.

STF
 
Upvote 0 Downvote
SparWeb,
Looking at the website, I also thought at first that everything came as a single package, but I definitely don't have some of the components installed. Their Technical Specifications page also shows which components are compatible with which OS: The admin guide is available from . If I'm understanding it correctly, the minimum installation is the "Security Fabric Agent", which includes the Compliance and Vulnerability Scan components, and then other components (such as Remote Access/VPN and Web Filtering) are optional. However, depending on your set-up, the Compliance component/function can be set to "Not participating", which means it is disabled, even while you're able to use the Remote Access component.
 
Upvote 0 Downvote
Thanks jmec87, you seem to understand it better than me.
I'll give it a go... in the sandbox first... and see if I can make this thing harmless.

STF
 
Upvote 0 Downvote
Doh!
"Sandbox detection for FortiClient (Windows)"
I didn't realize I was using terminology that typically refers to something else. What I meant was using an old laptop as a "sandbox" - to see what modules I can avoid installing to just get it running the VPN.

STF
 
Upvote 0 Downvote
I suppose I can see some perspective in terms of IT's view, there's a lot more issues prevalent now than there used to be, and the last thing they want is to remotely exposing SMB shares to your own PC, and having some cryptolocker variant smash the corporate storage.

There are probably different levels of capability, and probably not much stopping you from running your own VM installation to connect to the corporate network. You can even attempt to run Linux, I note that it only supports the VPN connection.

I tend to agree though, if they don't provide the facilities for working at home, then its probably not quite worth pursuing.
 
Upvote 0 Downvote
"worth pursuing" Yeah, it's either my time or my money.

The IT guy has described several such attempted attacks to me. There have been several "beachheads" established by attackers when ignorant users opened ZIP files in their e-mail.
Nothing gets our IT guys more agitated and writing e-mails in ALL CAPS than when they remind us not to open e-mail attachments from unknown sources.

STF
 
Upvote 0 Downvote
You shouldn't open them from KNOWN sources, either ;-) Seriously, though, all attachments should be opened in a sandbox environment first, then multiple virus scanners run on the file. Only then can you be relatively sure it's a kosher file.

Quite often those types of programs will not run in a sandbox themselves to prevent someone from reverse-engineering what hooks it uses, so installing on a junk system and wiping after is the generally the only available solution to the average home user.

Dan - Owner
Footwell%20Animation%20Tiny.gif
 
Upvote 0 Downvote
For certain - my company had one get loose because a mid-level executive demanded the mail filters let a file-type through (I think it was .exe or .zip) and one of the first things it did was to go to people's e-mail and send itself to everyone on their list. It then damaged and renamed as many files as it could get to, adding copies of itself to certain types of ordinary files (.doc, .jpg, et al). So every one who got e-mailed was getting it from a source they probably trusted.

The main flaw it depended on was that Outlook would use an internal marker in the file to see if it was executable even if the suffix indicated it was not. So a file with a .jpg suffix that was actually executable would get run instead of being opened in an image viewer.

I suspect somewhere north of a million files were deleted or damaged. Fortunately our IT group wears belts and suspenders and was able to purge the company and restore the files within a day. And no mid=level executives were ever given any traction about shutting off system security measures.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Nils Haugen
  • Question Question
Invoicing software
Replies
7
Views
4K
stephaniesmith
stephaniesmith
StrucPatholgst
  • Locked
  • Question Question
Anyone use electronic contract signatures?
Replies
4
Views
498
phamENG
phamENG
skeletron
  • Locked
  • Question Question
Sole Proprietors: What document signing software are you using?
Replies
12
Views
960
Eng16080
Eng16080
Geotech_Pavement
  • Locked
  • Question Question
Timesheet/Time Tracking and Invoice Software
Replies
10
Views
1K
Lomarandil
Lomarandil
XR250
  • Locked
  • Question Question
This is my competition...
2
Replies
22
Views
1K
JStructsteel
JStructsteel

Part and Inventory Search

Sponsor

Back
Top