Release Notes

FortiClient EMS 7.2.2

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

October 04, 2023

FortiClient EMS 7.2.2 Release Notes
04-722-935803-20231004
 TABLE OF CONTENTS

Introduction 5
Endpoint requirements 5
Supported web browsers 5
Licensing and installation 6
Special notices 7
Microsoft Visual C++ installation 7
SQL Server Standard or Enterprise with 5 000 or more endpoints 7
Split tunnel 7
SAML logins 7
What's new 8
Upgrading 9
Upgrading from previous EMS versions 9
Downgrading to previous versions 9
Product integration and support 10
Resolved issues 12
Administration 12
Dashboard 12
Endpoint management 13
Endpoint policy and profile 13
Fortinet Security Fabric devices 14
FortiGuard outbreak detection 14
License 14
Malware Protection and Sandbox 14
Multitenancy 14
Onboarding 15
Software Inventory 15
Deployment and installers 15
Zero Trust tagging 15
Endpoint control 16
Performance 16
Logs 16
Upgrade 16
Vulnerability Scan 16
Web Filter and plugin 17
Zero Trust telemetry 17
ZTNA connection rules 17
Other 17
Known issues 18
Dashboard 18
Endpoint management 18

FortiClient EMS 7.2.2 Release Notes 3

Fortinet Inc.
 Endpoint policy and profile 19
License 19
Logs 19
Multitenancy 19
Performance 20
Fabric devices 20
Zero Trust tagging 20
Deployment and installers 21
System Settings 21
Software Inventory 21
Administration 21
Chromebook 22
ZTNA connection rules 22
Endpoint control 22
Malware Protection and Sandbox 22
Configuration 22
GUI 23
FortiGuard outbreak alert 23
Install and upgrade 23
Onboarding 23
Other 23
Change log 25

FortiClient EMS 7.2.2 Release Notes 4

Fortinet Inc.
Introduction

FortiClient Endpoint Management Server (EMS) is a system intended to be used to manage FortiClient installations. It
uses the Endpoint Control protocol and supports all FortiClient platforms:
l Microsoft Windows
l macOS
l Linux
l Android OS
l Apple iOS
l Chrome OS
FortiClient EMS runs on a Microsoft Windows server.
This document provides the following information for FortiClient EMS 7.2.2 build 0879:
l Special notices on page 7
l What's new on page 8
l Upgrading on page 9
l Product integration and support on page 10
l Resolved issues on page 12
l Known issues on page 18
For information about FortiClient EMS, see the FortiClient EMS 7.2.2 Administration Guide.

Endpoint requirements

The following FortiClient platforms are supported:

l FortiClient for Microsoft Windows
l FortiClient for macOS
l FortiClient for Linux
l FortiClient for Android OS
l FortiClient for iOS
l FortiClient for Chromebooks
See Product integration and support on page 10 for FortiClient version support information.
FortiClient is supported on multiple Microsoft Windows, macOS, and Linux platforms. EMS supports all such platforms
as endpoints.

Supported web browsers

The latest version of the following web browsers can be used to connect remotely to the FortiClient EMS 7.2.2 GUI:

FortiClient EMS 7.2.2 Release Notes 5

Fortinet Inc.
Introduction

l Google Chrome
l Microsoft Edge
l Mozilla Firefox
Internet Explorer is not recommended. You may need to enable remote access from the FortiClient EMS GUI. See To
enable remote access to FortiClient EMS.

Licensing and installation

For information on licensing and installing FortiClient EMS, see the FortiClient EMS Administration Guide.

Ensuring that all installed software, including EMS and SQL Server, is up-to-date, is
considered best practice.

FortiClient EMS 7.2.2 Release Notes 6

Fortinet Inc.
Special notices

Microsoft Visual C++ installation

The EMS installation includes installation of Microsoft Visual C++ (VC) 2015. If the server already has a newer version of
VC installed, the installation fails. See VC++ 2015 Redistributable installation returns error 1638 when newer version
already installed.
If you have a version of VC installed on your server that is newer than 2015, uninstall VC before installing EMS.

SQL Server Standard or Enterprise with 5 000 or more endpoints

When managing more than 5 000 endpoints, install SQL Server Standard or Enterprise instead of SQL Server Express,
which the EMS installation also installs by default. Otherwise, you may experience database deadlocks. The minimum
SQL Server version that FortiClient EMS supports is 2017. See Upgrading Microsoft SQL Server Express to Microsoft
SQL Server Standard or Enterprise.

Split tunnel

In EMS 7.2.2, you configure application split tunnel using per-tunnel configuration, not a global configuration. If you are
upgrading from an older version that uses the global application split tunnel configuration, change the configuration to
per-tunnel.

SAML logins

Upon initial SAML single sign on account login, EMS creates a standard administrator for this user in Administration >
Admin Users. A standard administrator has permissions to modify endpoints, policies, and settings. Having the EMS
super administrator manually assign the proper role to the newly created login is recommended.

FortiClient EMS 7.2.2 Release Notes 7

Fortinet Inc.
What's new

For information about what's new in FortiClient EMS 7.2.2, see the FortiClient & FortiClient EMS 7.2 New Features
Guide.

FortiClient EMS 7.2.2 Release Notes 8

Fortinet Inc.
Upgrading

Upgrading from previous EMS versions

EMS 7.2.2 only supports FortiClient 7.2 and 7.0. You must first upgrade older FortiClient
versions to 7.0.7 or newer before upgrading EMS to 7.2.2.

FortiClient EMS supports direct upgrade from EMS 6.2, 6.4, and 7.0. To upgrade older EMS versions, follow the upgrade
procedure in FortiClient and FortiClient EMS Upgrade Paths.
With the endpoint security improvement feature, there are backward compatibility issues to consider while planning
upgrades. See Recommended upgrade path.
EMS 7.2.2 does not support legacy 158 licenses, which were in use before 2021 and have reached end-of-life. Following
is a list of discontinued SKUs:
l FC1-15-EMS01-158-02-DD
l FC1-15-EMS02-158-02-DD
If you attempt an upgrade to EMS 7.2.2 with the legacy 158 licenses, the EMS installer displays an error message:
"Legacy license is not supported after upgrade". The EMS upgrade does not proceed.
EMS 7.2.2 supports the Fabric Agent license. You do not need to convert a Fabric Agent to upgrade to EMS 7.2.2.

Downgrading to previous versions

FortiClient EMS does not support downgrading to previous EMS versions.

FortiClient EMS 7.2.2 Release Notes 9

Fortinet Inc.
Product integration and support

The following table lists version 7.2.2 product integration and support information:

Server operating systems l Windows Server 2022

l Windows Server 2019
l Windows Server 2016
Minimum system requirements l 2.0 GHz 64-bit processor, six virtual CPUs
l 8 GB RAM (10 GB RAM or more is recommended)
l 40 GB free hard disk
l Gigabit (10/100/1000baseT) Ethernet adapter
l Internet access is recommended, but optional, during installation. SQL
Server may require some dependencies to be downloaded over the Internet.
EMS also tries to download information about FortiClient signature updates
from FortiGuard.
You should only install FortiClient EMS and the default services for the operating
system on the server. You should not install additional services on the same
server as FortiClient EMS.
FortiAnalyzer l 7.4.0 and later
l 7.2.0 and later
l 7.0.0 and later

Although EMS supports the listed FortiAnalyzer versions, confirming the

compatibility between your FortiAnalyzer and FortiClient versions is
recommended. Otherwise, not all features may be available. See the FortiClient
Release Notes.
FortiAuthenticator l 6.5.0 and later
l 6.4.0 and later
l 6.3.0 and later
l 6.2.0 and later
l 6.1.0 and later
l 6.0.0 and later
FortiClient (Linux) l 7.2.0 and later
l 7.0.2 and later
FortiClient (macOS) l 7.2.0 and later
l 7.0.2 and later
FortiClient (Windows) l 7.2.0 and later
l 7.0.2 and later
FortiManager l 7.4.0 and later
l 7.2.0 and later
l 7.0.0 and later
FortiOS l 7.4.0 and later

FortiClient EMS 7.2.2 Release Notes 10

Fortinet Inc.
Product integration and support

l 7.2.0 and later

l 7.0.0 and later (for zero trust network access, 7.0.6 or later is recommended)
l 6.4.0 and later
FortiSandbox l 4.4.0 and later
l 4.2.0 and later
l 4.0.0 and later
l 3.2.0 and later

Installing and running EMS on a domain controller is not supported.

FortiClient EMS 7.2.2 Release Notes 11

Fortinet Inc.
Resolved issues

The following issues have been fixed in version 7.2.2. For inquiries about a particular bug or to report a bug, contact
Customer Service & Support.

Administration

Bug ID Description

901490 Invalid error on Authentication Servers GUI after deleting domain:

"Error mssql: The root container for this domain is missing".

908004 EMS does not send email when domain sync fails.

908031 Admin user with no domain access can create zero trust Active
Directory (AD) group tag (access to domain users group list).

912743 Global authentication servers configuration gives invalid credential

error.

918858 Deleting AD Domain Services in global space fails.

919143 Certificate hostname check in authentication server form does nothing.

924269 LDAP sync has error after upgrading EMS to 7.2.1.

932715 FortiClient Cloud does not update AD server certificate.

Dashboard

Bug ID Description

845168 FortiClient Cloud Dashboard shows incorrect company name .

887409 No Endpoint Event Summary Found appears when user clicks quarantined host on
Dashboard under Endpoint Alert.

913158 GUI duplicates vulnerability entries with same FortiGuard IDs.

921421 GUI does not display proper error message upon database restore failure.

FortiClient EMS 7.2.2 Release Notes 12

Fortinet Inc.
Resolved issues

Endpoint management

Bug ID Description

786738 Anti-Ransomware Events tab is visible after disabling the feature from Feature Select.

831359 Forensics Analysis Download Report option opens the report instead of downloading it.

845739 EMS shows duplicated entries for VMware clones.

879576 EMS does not automatically remove the Orphaned group when there are no more orphaned
groups.

890943 Google user enum enumerates over the whole domain even if specifying a sub-organizational
unit (OU).

903577 Blocking group only blocks devices having FortiClient associated.

911390 Endpoint vulnerability events patch column filter does not work.

920721 Group assignment rules schedule does not work.

925531 EMS does not show custom workgroup in Endpoint > Action > Move to and under Endpoint
Policy.

930132 Local AD sync with FortiClient Cloud using AD connector shows DomainResyncReqEvent
errors.

933171 EMS shows wrong user logged into endpoint.

935166 Moving an endpoint to a custom group under domain from an OU causes endpoint to hold
membership for two groups.

936729 EMS has inconsistency between groups that you can move an endpoint to and groups under
a domain.

937736 EMS fails to sync with LDAP - spRepropagateDomainPolicies times out.

Endpoint policy and profile

Bug ID Description

466124 User cannot change <nat_alive_freq>.

910035 EMS shows Video Filter Events tab on endpoint details page when feature is disabled from
Feature Select.

916755 Port number gets appended incorrectly in XML when IPv6 address is configured as remote
gateway SSL VPN address.

919724 EMS only shows ZTNA Destinations > SaaS Applications on default site.

932308 Server encounters an error and says to try again later when sync imports Web Filter profile.

FortiClient EMS 7.2.2 Release Notes 13

Fortinet Inc.
Resolved issues

Fortinet Security Fabric devices

Bug ID Description

918753 EMS fails to establish Fabric connection with FortiGate 7.2.3.

FortiGuard outbreak detection

Bug ID Description

925491 FortiGuard detection rules automatically disable themselves.

License

Bug ID Description

931318 FortiClient does not receive Endpoint Protection Platform features with license with SKU 297
received from EMS.

Malware Protection and Sandbox

Bug ID Description

833255 Wildcards do not properly work in the Malware Protection exclusion list .

Multitenancy

Bug ID Description

816600 Non-default site database does not update EMS serial number after user uploads new
license.

838272 EMS multitenancy has site number limitation.

FortiClient EMS 7.2.2 Release Notes 14

Fortinet Inc.
Resolved issues

Onboarding

Bug ID Description

911742 With EMS user onboarding, registering to EMS URL does not launch FortiClient.

Software Inventory

Bug ID Description

897862 EMS shows anomalies when filtering applications under Software Inventory.

901431 Software Inventory-exported table columns are not parsed correctly .

Deployment and installers

Bug ID Description

883481 EMS has problem creating installer package from Invitations.

917921 EMS cannot create FortiClient deployment package.

931648 Privilege Access Management is not disabled in the MSI or MST when it is disabled in the
installer package.

Zero Trust tagging

Bug ID Description

907310 User in AD Group zero trust tagging rule does not contain the domain when the rules are
imported from JSON file.

910771 Import zero trust network access (ZTNA) tags from another EMS server causes connected
endpoints to receive all imported tags.

913627 EMS does not validate tagging rules.

919743 Importing ZTNA rules leads to duplicates if content is a number.

919888 Logged in domain tag does not calculate if user is local.

FortiClient EMS 7.2.2 Release Notes 15

Fortinet Inc.
Resolved issues

Endpoint control

Bug ID Description

753151 EMS takes long time to update the endpoint status from Endpoint Notified to Deployed.

920708 FortiClient migration from EMS fails.

921783 When Mark All Endpoints As Uninstalled is selected, endpoints stay connected and show
telemetry as successfully syncing.

929476 Registering certain clients to FortiClient Cloud does not work.

Performance

Bug ID Description

914403 EMS has high memory consumption.

929631 EMS performance degrades and query times out in SQL log.

Logs

Bug ID Description

916862 EMS does not send msg=offline to FortiAuthenticator as a syslog.

Upgrade

Bug ID Description

918021 EMS cannot enforce user verification after upgrade from 6.4.8 to 7.0.8.

923881 When clients try to upgrate from 7.2.0 to 7.2.1, EMS gives error relating to legacy licensing.

Vulnerability Scan

Bug ID Description

902143 Vulnerable Endpoints page sorting does not work .

FortiClient EMS 7.2.2 Release Notes 16

Fortinet Inc.
Resolved issues

Web Filter and plugin

Bug ID Description

946442 GUI does not show the correct setting for Web Filter unrated category.

Zero Trust telemetry

Bug ID Description

891853 FortiClient Telemetry fluctuates from connected to unreachable every few minutes .

ZTNA connection rules

Bug ID Description

923148 Revoking ZTNA certificate unintentionally causes ZTNA TCP forwarding to work
inconsistently .

Other

Bug ID Description

861622 EMS does not prevent using the same port on components.

889194 Filtering by tag does not work properly when filtering vulnerable devices.

FortiClient EMS 7.2.2 Release Notes 17

Fortinet Inc.
Known issues

The following issues have been identified in version 7.2.2. For inquiries about a particular bug or to report a bug, contact
Customer Service & Support.

Dashboard

Bug ID Description

817485 Drilldown on macOS vulnerability includes unrelated vulnerabilities.

856790 Dashboard does not have AntiRansomware Detection widget.

902136 Endpoint count is mismatched on EMS dashboard and endpoints details.

924700 EMS cannot correctly load device pages.

918258 FortiClient Cloud security risk counter widget number and endpoints list do not match.

946209 Secured Endpoints Scan Status list is empty.

Endpoint management

Bug ID Description

792447 EMS fails to show zero trust network access (ZTNA) feature in the endpoint detail
enabled/disabled features section.

831108 User cannot download PDF report of FortiClient Cloud Sandbox (PaaS) events on EMS.

860669 FortiClient 7.0.0 and 7.0.1 do not register to EMS with default certificate.

867303 Load next x pagination control should be added to the item-list component.

871923 EMS cannot apply quarantine feature to offline endpoint.

891064 Google domain enumeration fails when there are over 200 000 users.

947094 Index API error occurs when filtering potentially unwanted applications in endpoint summary.

FortiClient EMS 7.2.2 Release Notes 18

Fortinet Inc.
Known issues

Endpoint policy and profile

Bug ID Description

826013 Setting Vulnerability Scan patch status to Not does not work.

826940 EMS does not save <temp_whitelist_timeout> in an endpoint profile.

868534 Web Filter profile synced from FortiGate keeps disabled status links in the exception list.

901233 Websites that user imports under FortiManager-Web Rating Override category are listed as
Simple via EMS.

921461 Required Deep Inspection sign changes from green to red when application signatures are
added to firewall application override list.

932758 EMS profiles are not assigned to the user after EMS upgrade to 7.2.1.

License

Bug ID Description

823690 EMS includes Removable Media Access feature when using ZTNA user-based license.

868174 EMS shows features for future license.

905675 Transitioning VPN-only license to user-based throws error.

Logs

Bug ID Description

868813 EMS should improve logging of FortiGate connection-related changes.

Multitenancy

Bug ID Description

745854 Super administrators convert to site administrators after enabling multitenancy.

918769 FortiClient Cloud moves the license to the default site instead of a custom site.

FortiClient EMS 7.2.2 Release Notes 19

Fortinet Inc.
Known issues

Performance

Bug ID Description

921047 EMS performance test_persistent connection has issues with 50 000 endpoints.

948084 Sipdaemon has high memory usage with more multitenancy sites.

Fabric devices

Bug ID Description

856868 EMS cannot handle large amount of FortiGates connected.

869368 EMS does not sync FortiGuard outbreak rules with FortiGate unless there is a change in zero
trust network access (ZTNA) tags.

873831 EMS does not send notification API to FortiGate to trigger it to retrieve new tags when EMS
changes shared tag type.

907391 Dynamic IP and MAC addresses do not show up for tags received from EMS.

918139 The FortiGate sometimes cannot get websocket sysinfo about quarantine status when EMS
quarantines FortiClient .

Zero Trust tagging

Bug ID Description

810778 EMS does not equally share FortiClient tag information to connected FortiGate Fabric
devices.

843774 ZTNA monitor shows VPN connected IP address when IP address range matches with LAN
IP address.

941573 EMS allows multiplicity in zero trust tag naming.

941701 Endpoint can end up with incorrect tags if user changes ZTNA rules multiple times.

947483 Disabling AD ZTNA tag does not remove it from endpoint.

958619 Creating a Windows Security rule for Bitlocker Disk Encryption enabled on an OS disk gives
the Invalid Windows rule error.

FortiClient EMS 7.2.2 Release Notes 20

Fortinet Inc.
Known issues

Deployment and installers

Bug ID Description

764999 EMS lists FortiClient version in its official installer list when the FortiGuard Distribution Server
blocks EMS from download said version.

845767 EMS fails to create installer and cannot access installer download link.

847870 FortiClient Cloud does not include packaged installer when sending email invitation.

907933 Installers are not signed when new code certificate is added in EMS (repackager).

942984 EMS shows wrong scheduled time under endpoint detail page for endpoint user-scheduled
FortiClient deployment.

System Settings

Bug ID Description

924648 In FortiClient Cloud, enabling option to send email alert on detected software causes same
email to be sent every five minutes.

949058 FortiClient Cloud cannot delete certificate for software package signature.

949569 EMS throws an error when uploading software signing certificate.

Software Inventory

Bug ID Description

928780 GUI shows old software versions as still installed on machine.

Administration

Bug ID Description

828490 Permission Denied: Your permissions might have been updated error message displays for
all admin roles.

FortiClient EMS 7.2.2 Release Notes 21

Fortinet Inc.
Known issues

Chromebook

Bug ID Description

918105 FortiClient Cloud lists Chromebook profiles when importing Web Filter profiles from FortiGate
in multitenancy site with Chromebook feature disabled.

ZTNA connection rules

Bug ID Description

872353 Zero Trust tag - user notification message.

Endpoint control

Bug ID Description

877498 Endpoints lose policy sync in random behavior.

919052 All endpoints are deregistered after configuring user verification period to 30 days on
FortiClient Cloud.

Malware Protection and Sandbox

Bug ID Description

8498022 Endpoint summary shows antiransomware events but there are no events found in EMS.

Configuration

Bug ID Description

937233 User cannot disable mobile device management integration if OAuth Client Management is
removed from Workspace ONE.

939358 EMS uses the same port for FortiOS and Chromebook connectivity.

FortiClient EMS 7.2.2 Release Notes 22

Fortinet Inc.
Known issues

GUI

Bug ID Description

870219 EMS deployment only shows domain netbios name under Endpoint groups.

871057 EMS allows saving URL in exclusion list with empty URL field.

FortiGuard outbreak alert

Bug ID Description

819025 With multiple sites, EMS fails to display FortiGuard outbreak detection rules downloaded from
FortiGuard distribution server (FDS).

Install and upgrade

Bug ID Description

869401 Schema differences exist between the freshly installed and

upgraded databases.

933644 URL/disk path is wrong while browsing installer created on EMS

when high availability is configured.

952677 EMS HA upgrade takes more than five hours to complete.

Onboarding

Bug ID Description

918979 Active user count for invitation shows incorrect value.

Other

Bug ID Description

585763 User cannot login to FortiClient Cloud if they use the same browser for login to on-premise
EMS.

FortiClient EMS 7.2.2 Release Notes 23

Fortinet Inc.
Known issues

Bug ID Description

766163 Browser causes FortiClient Cloud issues.

792481 EMS database issue causes restore to fail when collation does not match.

797264 FortiClient cannot update signatures from FortiManager.

868556 EMS does not add ICDB signature version information in FortiGuard Signature Information
page.

872871 CSV export file is missing fields.

875391 EMS API /api/v1/endpoints/index to return manufacturer, model, and serial number.

877303 EMS sends duplicate email alerts for AD connector being offline.

887172 EMS fails to get update from FortiManager.

931170 EMS does not send firmware version to FortiAnalyzer.

FortiClient EMS 7.2.2 Release Notes 24

Fortinet Inc.
Change log

Date Change Description

2023-10-04 Initial release.

FortiClient EMS 7.2.2 Release Notes 25

Fortinet Inc.
 www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.