Fortinet produces a network security system, which is called the Fortinet Fabric. FortiClient enables remote endpoints to connect into the Fabric over a secure connection. The FortiClient unit is an agent that runs on an endpoint and implements a range of Fortinet services.
There isn’t a standard implementation of the FortiClient. Instead, each customer has a choice of ways that the FortiClient will connect to the network, and the amount of work that the agent performs depends on the other Fortinet products that are active for the business.
About Fortinet
Fortinet, Inc. started operations in 2000. It is still based in its original hometown of Sunnyvale, California, USA. The company was founded by two brothers, Ken and Michael Xie. Both are still involved with the business – Ken Xie is its CEO, and Michael Xie is Fortinet’s Chief Technology Officer.
The main product of Fortinet has always been a firewall. The Fortinet firewall, called FortiGate, was initially delivered only as a physical appliance. However, the company now also produces a virtual appliance firewall and a range of cloud-based edge services built around the firewall. It is possible to get the FortiGate delivered from the cloud on the Firewall-as-a-Service (FWaaS) model.
By creating an endpoint detection and response (EDR) package, called FortiEDR, Fortinet extended its security protection to all IT assets. In addition, the FortiGate box has independent processing power that can be used for other purposes. For example, the company produced a SIEM, called FortiSIEM, which gathers data from EDR units; the FortiGate device can process all log messages and hunt for threats. A variation on the SIEM service is the FortiXDR, which coordinates all EDR implementations installed on the company’s endpoints.
The device can carry software that scans network traffic for suspicious behavior as it is connected to the network. The processor can also offer services, such as sandboxing, and while acting as a network gateway, the FortiGate can host DDoS protection and load balancing functions with its FortiDDoS package. All of these elements form the Fortinet Security Fabric.
As well as the FortiGate FWaaS, Fortinet produces FortiSASE, a cloud-based service that creates a secure network over the internet. This service also has a Firewall-as-a-Service element to protect traffic as it enters the virtual network and scans outbound traffic to block data theft. Without the FWaaS part, that product is marketed as the Fortinet SD-WAN (software-defined wide area network).
Fortinet Zero Trust Access is a variation on the FortiSASE concept. It allows remote endpoints to access specific applications on the home network or cloud platform. Confusingly, although it grants access to particular applications rather than to the whole network, the mechanism that drives the Fortinet Zero Trust Access system is called Zero Trust Network Access (ZTNA).
FortiClient enables a single endpoint to join the FortiSASE network or connect remotely over the internet to the network protected by FortiGate. It also acts as a cut-down EDR to feed activity data into FortiSIEM if that service has also been subscribed to.
FortiClient connection protection
There are two ways that a FortiClient Agent can include a remote endpoint into the Fortinet Fabric. One is with a VPN, and the other is with the ZTNA system. If FortiClient is connecting through to a FortiGate box to include the endpoint on the network, it is called the FortiClient Agent. If it uses the Zero Trust Access system, it is called the FortiClient ZTNA Agent.
This means that FortiClient is not marketed as a standalone product. Instead, it is an endpoint client that handles all of the services that the business has subscribed to. So, for example, if the company is using the FortiSIEM, the FortiClient will act as an endpoint agent for that system, resident on remote devices outside the home network.
FortiClient advancement
FortiClient has become more important over the past two years due to the Covid pandemic. The rise in home-based workers has made remote connection protection more critical. As a result, FortiSASE and Zero Trust Access systems are becoming more vital than FortiGate.
If businesses end up with all of their staff working from home and no one in the office, then purchasing an expensive FortiGate network appliance is a waste of money. This is because the FortiGate system creates a virtual network without investing in the physical infrastructure of cables and routers. Instead, all of the connections are forged over the internet, as a subscription service.
Implementing a corporate network over the internet with FortiSASE creates a corporate identity without any upfront costs of investing in premises and IT hardware. As more software providers move their products to the cloud and deliver them on the Software-as-a-Service model, the need for on-premises servers reduces. The company telephone system can be provided by an internet-based VoIP service instead of a network-bound VLAN system.
The economic advantages of the FortiSASE/FortiClient option have always been apparent. However, it is only the corporate culture of wanting to have all employees under one roof that has kept the concept of the physical office alive.
FortiClient VPN
If the buyer uses the FortiGate or FortiSASE systems, remote endpoints will plug into the network with a VPN. A “virtual private network” provides security. However, the method used to implement that security creates privacy as well.
Even when all of the contents of a connection are encrypted, snoopers can still gather a lot of information by looking at the unencrypted data in the header of every network (internet) packet. Therefore, VPNs encrypt those headers as well.
Unfortunately, intermediate routers on the internet need to read packet header information. So, the VPN service packs the whole packet inside another one and addresses the outer packet to its server. Thus, the VPN service is a cloaking system and acts as a proxy on the internet.
In VPN terminology, the process of putting a packet inside another is called encapsulation, and the protection of a connection session by encapsulating all of its exchanged packets is called tunneling.
The FortiClient VPN can operate in two modes. One of those uses the Secure Socket Layer (SSL), which uses Transport Layer Security (TLS) for connection authentication and encryption. The other option uses IPSec, which is a low-level tunneling method.
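As an added illustration (not Fortinet's code) of the encapsulation and tunneling described above, the Python below builds an inner IPv4 packet, encrypts it whole (header included) and wraps it in an outer packet addressed to the VPN server, so that a router on the path sees only the outer addresses. The addresses, the key and the HMAC-based keystream standing in for the real tunnel cipher are all constructed assumptions.

```python
import hmac
import hashlib
import os
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
PROTO_ESP = 50              # IP protocol number IPsec ESP uses for the outer packet

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left at zero for the demonstration."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4_header(pkt: bytes) -> dict:
    """The fields any router or snooper on the path can read from a plaintext header."""
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the tunnel cipher: counter-mode keystream from HMAC-SHA256 XORed into data.
    Symmetric, so the same call encrypts and decrypts. Real VPNs use AES-GCM or similar."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encapsulate(inner_pkt: bytes, key: bytes, endpoint_ip: str, vpn_server_ip: str,
                nonce: bytes = b"") -> bytes:
    """Encrypt the whole inner packet (header included) and wrap it in an outer packet
    addressed to the VPN server, which is all intermediate routers need in order to forward it."""
    nonce = nonce or os.urandom(12)
    body = nonce + keystream_xor(key, nonce, inner_pkt)
    return ipv4_header(endpoint_ip, vpn_server_ip, PROTO_ESP, len(body)) + body

def decapsulate(outer_pkt: bytes, key: bytes) -> bytes:
    """What the VPN server does: strip the outer header and recover the original packet."""
    body = outer_pkt[20:]
    return keystream_xor(key, body[:12], body[12:])

def tunnel_demo() -> dict:
    """Constructed sample: a home endpoint sends a TCP packet to an internal file server."""
    key = hashlib.sha256(b"constructed-demo-key").digest()        # placeholder session key
    inner = ipv4_header("10.0.0.5", "192.0.2.10", 6, 0)             # proto 6 = TCP, no payload
    outer = encapsulate(inner, key, "203.0.113.7", "198.51.100.1")  # endpoint -> VPN server
    return {"on_the_wire": parse_ipv4_header(outer),                # only these addresses leak
            "at_vpn_server": parse_ipv4_header(decapsulate(outer, key))}
```

`tunnel_demo()["on_the_wire"]` shows only the endpoint and VPN server addresses with protocol 50, while `["at_vpn_server"]` shows the internal destination again once the outer packet is stripped.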
If the subscriber has a FortiGate device on its network, the FortiClient connects to the Fortinet cloud server and establishes a tunnel. The Fortinet VPN server removes the outer packet and forwards the contents to the FortiGate. If instead the subscriber has a FortiSASE account, the VPN connection still goes to the Fortinet server, which also manages network addressing and will create a second VPN connection with the intended destination.
The VPN will always be on when the endpoint user is “at work.” While the VPN is active, the device cannot connect directly to the internet. All internet traffic first travels down the VPN to the Fortinet server and then gets routed to the internet either through the FortiSASE FWaaS or from the FortiGate device. This means that all traffic passing outside the business network has the corporate IP address and not that of the endpoint used by the remote worker, which could well be that person’s private computer.
FortiClient ZTNA
Fortinet’s Zero Trust Access system has two purposes. One is to secure communications between endpoints on the home network and remote IoT devices that don’t have their own onboard security. The other is to direct traffic directly to third-party applications delivered from the cloud.
Essentially, the FortiClient ZTNA is a VPN dedicated to application-specific traffic. For example, if the user on a remote device needs to connect to Microsoft 365, there is no point in bouncing that traffic through the home network’s FortiGate box. So, the ZTNA server will forward that connection directly to the Microsoft server. If, at the same time, the user accesses the corporate on-site file server, that connection will be established to the FortiGate device protecting that network, which will forward it to the file server.
In the ZTNA scenario, the FortiClient Agent will be maintaining several connections through to the FortiGate server and sending packets from different applications down each. The routing that the Fortinet server has to perform for that traffic is defined at the time that each VPN session is established.
FortiClient deployment options
FortiClient isn’t a standalone product of Fortinet. Instead, it is bundled in with other Fortinet products, and the price you pay for your chosen system will reflect the number of Fortinet clients you require.
The FortiClient Agent will install on:
- Microsoft Windows 11 (64-bit)
- Microsoft Windows 10, 8.1, and 7 (32-bit and 64-bit)
- Microsoft Windows Server 2008 R2 or newer
- macOS Monterey (v 12), Big Sur (v 11), and Catalina (v 10.15)
- Linux Ubuntu (from v 18.04), Red Hat (from v 7.4), CentOS (from v 7.4)
The main product that you use will manage the download of the FortiClient Agent onto each enrolled endpoint.
FortiClient strengths and weaknesses
We identified the strengths and weaknesses of Fortinet’s FortiClient system.
Pros:
- A network service that operates in the background
- A flexible client that interacts with Fortinet security products
- Low load on endpoint processors
- Secures remote endpoints
- Enables selective security that can be turned on or off on user-owned devices
- Can implement containerized application delivery separating work software
- Protects the identity of work-from-home devices
Cons:
- Only works for Fortinet products
Alternatives to FortiClient
As FortiClient isn’t a standalone product, the search for alternatives needs to concentrate on those packages of which FortiClient forms a part. The purpose of FortiClient is to provide network services and security for remote endpoints, so the best fields to look into when searching for alternatives are the SD-WAN and SASE markets.
To better understand SASE, you could look at the Ultimate Guide to SASE and Best SASE Tools. For more information on SD-WAN and recommended providers, see the 10 Best SD-WAN Vendors & Solutions in 2021. Below, we have summarized the best tools explained in those two guides.
Here is our list of the best alternatives to FortiClient:
- VMWare SASE SD-WAN This product line offers you both a SASE and an SD-WAN option. VMWare can virtualize servers, and it extends that expertise into creating an internet-supported software-defined WAN. VPNs protect the connections between endpoints. However, those VPNs require an agent installed on each endpoint to manage the connections. While the SD-WAN provides solid security between enrolled endpoints on the virtual network, it doesn’t involve a firewall for external traffic security. The SASE package includes that extra element.
- Perimeter81 SASE This cloud service provides a secure virtual network to a distributed workforce with an added firewall to protect external traffic. The Perimeter81 stable also includes Zero Trust solutions for network and application access. You could also look at its SD-WAN solution and its VPN-centered alternative service.
- Zscaler SASE With this cloud platform, you can operate an entirely virtual business, connecting individual remote endpoints to present what seems to be a corporate headquarters. It is also possible to include mobile devices in the system. In addition, the network created by this package is fully secure. Alternatively, if you have an office and a LAN, you can extend that out to remote workers in a similar way to the operations of the Fortinet fabric.
- Citrix SD-WAN This system operates in a very similar way to the Fortinet SD-WAN. This package’s equivalent to FortiClient is called the Citrix Workplace App. This is a control center for the remote worker, enabling connection to the work network to be turned on or off, ideal for user-owned devices. This package also includes a traffic management system to improve the performance of the internet connections that link endpoints together.
- Aruba EdgeConnect This SD-WAN system includes traffic monitoring and connection optimization features, so your IT Operations team gets system monitoring tools built into this package, which is a cost saver. The service requires agents on each endpoint, and the gateway to watch over the networks you link together will also need the Aruba software installed on it. You run the controller for the entire system on your premises either as a virtual appliance or built into a physical device.