How are you updating Forticlient?

VPN
1

Hello /r/MSP

We are currently running into an issue where our RMM cannot update the version of Fortinet Forticlient. It’s not scriptable, and it throws errors using msiexec and the usual methods.

When we reach out to Fortinet to assist with this, they want to sell us paid versions of Forticlient.

I’m not particularly interested in giving my staff yet another portal to use.

There are active CVE’s in Forticlient versions we have deployed. Other then manually uninstalling thousands of agents, do other MSP’s have a workable solution?

Thank you

2

Same boat, and i started down the path, but never finished it. Half the time if the version changed too much, it wiped out the configuration… so i figured out how to script the export and re-import.

Here were my notes:

https://links.fortinet.com/forticlient/win/vpnagent

Download the FortiClientVPNOnlineInstaller_x.x.exe file to a folder created at (C:\Downloads)

Manually launch the FortiClientVPNOnlineInstaller_x.x.exe installer

Wait for the FortiClient VPN Setup Wizard and then navigate to “C:\ProgramData\Applications\Cache\{2C4B3A44-AE16-4D4A-87F7-32016C4AEB18}\7.0.5.0238”

Copy the FortiClientVPN.msi to the C:\FCT folder

C:\Program Files\Fortinet\FortiClient\FCConfig -m vpn -f c:\fct\vpn.xml -o export -p Password

cd c:\FCT

MsiExec.exe /i FortiClientVPN.msi REBOOT=ReallySuppress /qn

C:\Program Files\Fortinet\FortiClient\FCConfig -m vpn -f c:\fct\vpn.xml -o import -p Password

-Then run some cleanup to delete the msi and xml.

3

Hey, Im the PM for patch at N-able for RMM and N-central and we are looking at Forticlient and have had it in QA for some time, I also personally know one of their main PM’s as he worked for us for a long time.

It isn’t easy, there are so many variables even inside their major versions. It’s not as simple as being able to update a v6 to any newer version of v6. To get from the first to the last version available may require 2 or 3 separate updates. So any tool would need to figure out your current version then check it against compatible versions, not necessarily the latest

FWIW, in house we have successfully updated it every single time without issues, but its the potential of breaking VPN’s on mass which honestly puts the fear in me haha

4

Most of our FortiClient deployments are paid versions, so unfortunately I don’t have a suggestion in your situation.

Is cost the issue for you switching to a paid version or are none of the paid features of interest?

5

Chocolatey.

Choco update forticlientvpn -y

Works for us over several hundred endpoints.

6

We don’t, however we could. We have an automatic installation script, it would be simple to build one for the uninstallation. To patch it: Uninstall, install newest version.
Am I missing something here?

7

My impression is that I’ve run into an issue that is pretty universal among ITSP’s who are deploying Fortinet. I was completely shocked there wasn’t an automated way to uninstall or update the agent for the many millions of Forticlient agents installed.

8

Cost isn’t one of the core considerations, however given that I don’t have interest in most of the paid features it is a consideration.

Consolidation and efficiency is.

- I’m trying to avoid having to give staff access to yet another portal to control just VPN clients.

- We can update everything via winget except forticlient :slight_smile:

- There must be lots of us out there with this same problem.

9

I keep telling myself… self… start using Chocolatey. This is a great example of what makes it stand out.

10

I will be messaging you in 2 days on 2022-06-29 23:35:10 UTC to remind you of this link

CLICK THIS LINK to send a PM to also be reminded and to reduce spam.

^(Parent commenter can ) ^(delete this message to hide from others.)

^(Info) ^(Custom) ^(Your Reminders) ^(Feedback)
11

I was completely shocked there wasn’t an automated way to uninstall or update the agent for the many millions of Forticlient agents installed.

There is. It’s called FortiClient EMS.

12

Yeah, I think companies at that level (and I include Microsoft etc in this) don’t really consider MSPs who typically have a lot of different networks to look after with different versions on them when thinking about their product updates.

13

^ this. EMS is the solution, and honestly if you’re deploying at scale, if you’re not running EMS you’re making a very big mistake.