FortiClient 6.4.x Web Content Filter

dan_ashley
New Contributor III

Currently in the process of deploying FortiClient 6.4.x to macOS devices; however, after installing FortiClient 6.4.x, users are seeing a prompt to allow "com.fortinet.forticlient.macos" to filter network content.

Does anybody know how to create a configuration profile for the delivery of a payload which adds the web content filter for FortiClient, pre-allowing it and thus avoiding the users being prompted?

12 REPLIES

jonlju
Contributor

We have the same issue but for Sophos, I've followed their configuration guide but I'm unable to pre-approve the "filter network content" pop-up...

SCCM
Contributor III

You need to create a content filter with the identifier & network filter bundle (you might need the socket filter set too), and it needs to be deployed on the machine before the software is installed. Like jonlju, I use one for Sophos; in my case it doesn't prompt, but it also does not seem to work correctly either. Other filters work fine.

jonlju
Contributor

Thanks @SCCM, I never realized and I've now added that to our configuration profile as well.

To @dan_ashley, maybe it would help reaching out to Fortinet to see if they have a guide for setting up the content filter configuration profile? I tried googling myself but can only find iOS guides.

dan_ashley
New Contributor III

Thanks @jonlju for the suggestions... Googling for over a week didn't really help & Fortinet support was pretty useless when I reached out to them. But through persistence combined with trial and error I have now found that implementing the following settings as part of a configuration profile does the trick for macOS:

OPTIONS > CONTENT FILTER

FILTER NAME = com.fortinet.forticlient.macos.webfilter

IDENTIFIER = com.fortinet.forticlient.macos

SOCKET FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos

SOCKET FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK

NETWORK FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos

NETWORK FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK

Hi @dan_ashley

I have a similar requirement for one of the applications. I am not able to understand the "Filter Name" part. Is it somewhere which we can find out, or is it just a value we give for our reference? If we can find it out, how do we do it?

How did you find the correct Filter Designation Requirements? I'm facing similar issues with a different application.

dan_ashley
New Contributor III

I used the PPPC Utility to get the info for the FortiClient app to give me the Filter Designation Requirements, then swapped the identifier to that which was being presented in the popup macOS was presenting.

Perfect, this will help me a lot, thank you!
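
The settings posted in this thread, expressed as the underlying Apple com.apple.webcontent-filter payload, as an added example that is not from any poster or from Fortinet. The mapping of the console's field labels to payload keys, FilterSockets/FilterPackets being enabled, and the com.example payload identifiers are assumptions; the check flags a designated requirement whose identifier was not swapped to match the bundle ID, the step dan_ashley describes.

```python
import plistlib
import re
import uuid

BUNDLE_ID = "com.fortinet.forticlient.macos"
# Designated requirement exactly as posted in the thread.
REQUIREMENT = (
    'identifier "com.fortinet.forticlient.macos" and anchor apple generic'
    " and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
    " and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
    " and certificate leaf[subject.OU] = AH4XFXJ7DK"
)

def requirement_identifier(req):
    """Return the bundle identifier a designated requirement pins, or None."""
    m = re.search(r'\bidentifier\s+"([^"]+)"', req)
    return m.group(1) if m else None

def filter_payload(name, bundle_id, requirement):
    """Content filter payload; comments give the thread's field labels."""
    return {
        "PayloadType": "com.apple.webcontent-filter", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.webfilter.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "FilterType": "Plugin",
        "UserDefinedName": name,                            # FILTER NAME
        "PluginBundleID": bundle_id,                        # IDENTIFIER
        "FilterSockets": True, "FilterPackets": True,       # assumed enabled
        "FilterDataProviderBundleIdentifier": bundle_id,    # SOCKET FILTER BUNDLE IDENTIFIER
        "FilterDataProviderDesignatedRequirement": requirement,
        "FilterPacketProviderBundleIdentifier": bundle_id,  # NETWORK FILTER BUNDLE IDENTIFIER
        "FilterPacketProviderDesignatedRequirement": requirement,
    }

def mismatches(payload):
    """Providers whose requirement pins a different identifier than the bundle ID."""
    return [kind for kind in ("FilterDataProvider", "FilterPacketProvider")
            if requirement_identifier(payload[kind + "DesignatedRequirement"])
            != payload[kind + "BundleIdentifier"]]

def build_profile(payload):
    """Wrap the payload in a profile and serialise it as an XML plist."""
    if mismatches(payload):
        raise ValueError(f"requirement/bundle ID mismatch: {mismatches(payload)}")
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.forticlient.webfilter",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FortiClient Web Content Filter",
        "PayloadContent": [payload],
    })
```

Calling build_profile(filter_payload("com.fortinet.forticlient.macos.webfilter", BUNDLE_ID, REQUIREMENT)) returns the profile bytes, which can be saved as a .mobileconfig file for upload to the MDM.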

JohnyB33
New Contributor

Does anyone know if this changed in FortiClient 7.0.1?

griff761
New Contributor

Anyone else having issues with this when upgrading from a previous version of Forti (in my case 6.4.3) to 6.4.6? It doesn't seem to use the network filter after upgrading.