Forticlient as VPN client

I am kind of confused on the licensing for the VPN client. We just ordered a FG-60E per my other thread, but I am unsure if we need to buy anything extra to connect remote users to the network via VPN. Do you need to buy Forticlient to do this? Can other free VPN clients be used to connect to the Fortigate?

Not terribly interested in the other features of Forticlient besides VPN.

Thanks

Others have answered this, but you can also look at fortissl client for a lightweight option.

Let me clear things up…
There is a free version and a paid version.

The paid version can be managed by a FortiGate (prior to 5.4.1) or by EMS. This version has the same features as the free version but is centrally managed.

The free version is available at http://www.forticlient.com; it's free and you can use it either for AV or VPN, or both - there is an install option for it to be VPN only if you have a preferred AV product already.

Thanks. I saw that it was a free download, but the devil is always in the details.

It sounds like licensing is only for the EMC version or pairing the clients to a Fortigate for easier mass management then?

That is what I was trying to confirm.

To further add to this point, as it is sometimes tough to get an understanding of how the Forticlient is licensed for things.

The free version does:

  • Have full VPN, AV, Application Filter, Web Filter*
  • Can be installed with VPN only, but must always be passed these parameters at install time either interactively or via CLI (I have never personally done this)*

The pay (non EMS) adds:

  • Centralized management using the Fortigate only. This consists of very basic config options being available in the GUI, and the rest configurable via XML syntax. Standard VPN settings are configurable via the standard GUI. Advanced settings (pre authentication and pre termination scripts such as map drives or printers) are only available on CLI.
  • Customization of the install file. You can cut out pieces of the packages, and include a base config. You will probably need to do this if you plan on using anything past VPN, as the Fortigate can only accept a config XML of a certain size.
  • Very basic reporting on configured endpoints, as each endpoint checks into the Fortigate.
  • Group config targeting via AD or Fortigate groups. Allows you to push different settings to (you have web filter on, and you don’t).
  • Enable/disable web filter when behind Fortigate.
  • Offnet/Onnet VPN. You can have the client determine whether it should automatically start a VPN tunnel based on the presence of a DHCP option.
  • Basic NAC. No internet/access beyond the Fortigate unless Forticlient is installed and configured in a particular fashion.
  • I know I’m missing some features

The EMS variant does:

  • Advanced reporting. Things such as AV scan info, AV database date, things you would find with a typical managed AV product.
  • Better GUI and more options for config. You may still need to do an XML config but it’s waaaaaaay easier.

Forticlient licenses need to be purchased for all Fortigates. If you have a HA pair (doesn’t matter A/P or A/A) you need to buy 2 license sets. EMS is then purchased on top of Forticlient to enable the use of the EMS server.

For end-point control, you need a license for more than 10 users.

But yea, for just VPN connectivity there are no additional licenses. You can have as many users connect to the FGT as it can support in hardware.

I assume you mean EMS, that is for central management and no it is not free.

Just FYI - as of 5.4.1 you cannot manage a FortiClient with a FortiGate anymore - if you licensed that way previously you can move to EMS without a cost incurred, that is until your support renewal - then it may cost more or less depending on the number of licensed clients.

Just set up a machine with FortiClient 5.4.1.0840 managed by the FortiGate, was there meant to be something preventing me from doing this?

What version was the FortiGate running?

v5.4.1,build5447 (GA)

Re-reading the changelog all they removed was the “advanced” options. You can still use compliance to force AV and Web Filtering which was all we were using it for.