It has been a while, but that is to be expected. There is a lot of work to do at the start of a new year, but mostly not the most interesting work.
Anyway, this will be an easier one.
Fortigate routers, Fortiswitches and other Fortinet options are gaining more traction within a good few businesses (might be country-dependent), so the Forticlient software is used more and more by our customers.
However, you mostly only want it for one reason: to have the entire company use its VPN function.
The Forticlient package has a good few options in there, including protection/anti-virus services and more.
Most of the time, however, there will already be alternatives active for a big part of the options, and only the VPN one will be needed.
Luckily, the Forticlient MSI has multiple install levels that determine which options get installed. For installing only the VPN, the parameter is “INSTALLLEVEL=3” (whereas 1 is only a core SSL option and 5 is all the anti-virus functions).
This means the easiest way to deploy this using Powershell would be
EDIT: As of Q1 2021 there are 2 big changes.
1. It's easy to get just the VPN part of the Forticlient by installing the separate Forticlient VPN Agent, which can be found on their site.
2. When using this script on the Forticlient VPN Agent, exporting the settings requires a password, which can be added by adding this behind the export command
.. Of course, exchange PASSWORD for anything you want. It has to have a minimum of 8 characters.
3. It is also not possible to export just the VPN settings anymore (while it should be able to, it does not execute the export).
Whereby obviously the Forticlient.msi path can be adjusted depending on usage of RMM software, use of a share or anything similar.
This simply installs Forticlient with the VPN function, silently and without a restart.
At this point a CMD would be just as easy, except we will expand the script more.
However, when doing this, all the employees will have the software but would have to manually set up their VPN settings, and even with instructions I can almost assure you that some people will fill it in incorrectly and not be able to connect. So we need a way to deploy a pre-built VPN configuration with it.
Luckily, Forticlient has a command line export function that we can use for this. This gives us the option to export either ALL the Forticlient settings or just the VPN settings as an .xml file, which you can have created at any location.
This means that we can have 1 PC (either at the customer location or a test PC at your own location) which has the Forticlient VPN set up the way we want it, export the settings and then later import them on all the targets using the code below (again, set the .xml location to whatever you want depending on the method used)
Of course this would already be enough to be able to deploy a configured Forticlient VPN as all you have to do would be to paste the config import line under the installation line, but what fun would that be?
So we are taking it a small step further and simply making a script that we can use in all cases, regardless of what we have to do.
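A combined install-and-import script along these lines, as an added example that is not the author's original script: it verifies the MSI's signature before running it, installs at INSTALLLEVEL=3, then imports the exported settings. The file paths, the FCConfig.exe location, the expected signer name and the FCConfig switches (`-m`, `-f`, `-o`, `-p`, taken from Fortinet's FCConfig documentation rather than from this page) are assumptions to check against your installed version.

```powershell
# Added example (not the author's script). Paths and file names are assumptions.
param(
    [string]$MsiPath    = 'C:\Deploy\FortiClient.msi',   # assumed installer location
    [string]$ConfigPath = 'C:\Deploy\vpn-config.xml',    # assumed exported settings file
    [string]$FcConfig   = "$env:ProgramFiles\Fortinet\FortiClient\FCConfig.exe",  # assumed default path
    [securestring]$ConfigPassword                        # password used at export time
)
$ErrorActionPreference = 'Stop'

# 1. Only run an installer whose Authenticode signature verifies and names Fortinet.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is '$($sig.Status)'."
}
if ($sig.SignerCertificate.Subject -notmatch 'Fortinet') {   # assumed signer name
    throw "Refusing to install: unexpected signer '$($sig.SignerCertificate.Subject)'."
}

# 2. Silent install, VPN feature level only, no restart.
$msiArgs = @('/i', "`"$MsiPath`"", 'INSTALLLEVEL=3', '/qn', '/norestart')
$msi = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($msi.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "msiexec failed with exit code $($msi.ExitCode)."
}

# 3. Import the pre-built configuration. FCConfig switches (-m, -f, -o, -p) are
#    taken from Fortinet's FCConfig documentation, not from this page.
$fcArgs = @('-m', 'all', '-f', $ConfigPath, '-o', 'import')
if ($ConfigPassword) {
    # The password ends up on the command line, so it is visible to process
    # command-line auditing; treat it as a transport secret only.
    $plain = [System.Net.NetworkCredential]::new('', $ConfigPassword).Password
    $fcArgs += @('-p', $plain)
}
& $FcConfig @fcArgs
if ($LASTEXITCODE -ne 0) {   # assumes a non-zero exit code signals failure
    throw "FCConfig import failed with exit code $LASTEXITCODE."
}

# 4. The XML holds gateway details; do not leave a local copy on every endpoint.
if ($ConfigPath -notlike '\\*') { Remove-Item -LiteralPath $ConfigPath -Force }
```

Because the export password travels with the script or RMM job, restrict read access to both the script and the .xml file to the deployment account.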
While this will be a very niche script, I wanted to share these commands regardless.
Just in case it helps that one specific individual looking for something like it.
Hopefully, everyone has a good day and don’t forget to stay safe!
Categories: Windows, Powershell, Script, Software, Fortinet
Patrick Berger AKA Powershellder.