
Administration Guide

Configuring EMS settings

FortiEndpoint installs with a default IP address and port configured. You can change the IP address and port and configure other server settings for FortiEndpoint.

To configure EMS settings:
  1. Go to System Settings > EMS Settings.
  2. Configure the following options under Shared Settings. EMS uses these settings for FortiEndpoint managing Windows, macOS, and Linux endpoints, and FortiEndpoint managing Chromebook endpoints:

    Option

    Description

    EMS CA certificate (ZTNA)

    Displays the EMS CA certificate expiry. EMS sends this certificate to FortiOS.

    Click the Revoke and Update button to revoke and update the certificate. You may want to revoke a certificate if it is compromised and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new certificate signing request. This may affect existing connections.

    You can also configure a custom certificate. See Uploading custom certificate and private key for ZTNA.

    Enable ZTNA token

    Enable the ZTNA JSON web token (JWT). See JWT support for ZTNA UID and tag sharing.

    ZTNA token timeout

    If you enabled the ZTNA JWT, enter the JWT expiry time in minutes. The minimum and default value is 60 minutes. When the expiry time is reached, EMS generates a new JWT and sends it to endpoints.

    Reset Stalled Deployment Interval

    Enter the number of hours after which EMS resets stalled deployments.

  3. Configure the following options under EMS Settings. FortiEndpoint uses these settings when managing Windows, macOS, and Linux endpoints:

    Option

    Description

    Enforce User Verification

    Enforce user verification for endpoints so that only verified users can register their endpoints with EMS.

    Enable

    To register to EMS, users must log into verified user accounts using the verification type configured in Invitations.

    If you enable this option on an existing deployment, current FortiClient users are disconnected until they complete user verification.

    Disable

    Users do not need to log into verified user accounts to register to EMS. A warning message "User Verification Not Enforced" appears at the top of the EMS GUI.

    User Verification Period

    Enter the desired number of days for the user verification period. The minimum number of days is seven. When you enable enforcing user verification, EMS deauthenticates all users that were authenticated earlier than the configured verification period. For example, if you configure the period as 30 days and then enable it, EMS immediately deauthenticates users that were authenticated more than 30 days ago. The timeout takes effect immediately.

    Cloud Region to Repackage Installers

    Select the cloud region for repackaging installers.

    Enforce Password Change Check for Domain Users

    Enable to require FortiClient users to re-authenticate if the domain user password (LDAP or Azure) is changed.

    Sign Software Packages

    Enable this option to have Windows FortiClient software installers created by or uploaded to FortiEndpoint digitally signed with a code signing certificate.

  4. If managing Chromebooks, enable EMS for Chromebooks Settings.
  5. Configure the following options under EMS for Chromebooks Settings. These settings are used by FortiEndpoint managing Chromebook endpoints:

    Listen on port

    Displays the default port for the FortiEndpoint server for Chromebooks. You can change the port by typing a new port number. The FortiClient Web Filter extension on Chromebooks connects to FortiEndpoint using the specified port number.

    User inactivity timeout

    Enter the number of hours of inactivity after which EMS times out the user.

    Profile update interval

    Specify the profile update interval (in seconds).

    Service account

    Displays the service account ID currently in use.

    Update service account

    Update the service account with new credentials.

    Reset service account

    If your service account is broken, you can revert to the default service account by clicking the Reset button. You must Save the settings for the change to take effect.

    Email

    Available if the Update service account button is clicked. Enter a new service account ID.

    Private key

    Available if the Update service account button is clicked. Upload a new service account private key.

  6. Configure the following options under Endpoints Settings:

    FortiClient Telemetry Connection Key

    Add the FortiClient Telemetry connection key for FortiEndpoint. FortiClient must provide this key during connection.

    The key cannot contain a semicolon (;).

    You can generate a QR code for the specified key. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.

    Keepalive Interval

    Each connected FortiClient endpoint sends a short KA message to FortiClient EMS, reports client-side changes, and checks for configuration changes on EMS at the specified interval. A large number of endpoints frequently connecting to the EMS server can affect server and network performance. In this case, increasing the KA interval is recommended.

    Offline Timeout

    Configure the number of KA intervals after which EMS considers the endpoint to be offline.

    Tag Timeout

    Configure the number of minutes after EMS considers an endpoint to be offline (as configured in the Offline Timeout field) after which EMS removes tags from the endpoint.

    License Timeout

    Configure the number of days without contact from an endpoint after which EMS removes that endpoint's registration record.

    Delete Device Timeout

    Configure the number of days after which EMS deletes a deregistered endpoint. For example, if you configure this value to be 45 days, EMS deletes the endpoint 45 days after its deregistration.

    Deauthorized User Inactivity Timeout

    Enable and configure the number of days after which EMS deletes FortiClient user records for unauthorized users.

    Stale Verified User Cleanup Timeout

    Enable and configure the number of days after which EMS deletes FortiClient user records associated with a single device user for unauthorized users. You can click Delete now to delete the records immediately.

    Onboarding Lockout Attempt

    Configure the maximum number of unsuccessful verification attempts to allow an end user. After the user reaches the maximum number of attempts, EMS locks out the user. This only applies if user verification is enabled. See User Management. The default value is 3 attempts. The maximum is 10 attempts.

    Onboarding Lockout Period

    Configure the number of seconds that EMS locks out an end user for after they have reached the number of unsuccessful verification attempts configured in Onboarding Lockout Attempt.

    During the onboarding lockout period, any verification attempt does not succeed, even if the user provides correct credentials. Each verification attempt during the lockout period causes the onboarding lockout period to reset and begin again.

    After the configured onboarding lockout period passes, the lockout resets and the user can attempt verification again, up to the number of attempts configured in Onboarding Lockout Attempt. If they again reach the maximum number of attempts, the onboarding lockout period begins again.

    Automatically Upload Avatars

    FortiClient uploads user avatars to all FortiGates, FortiAnalyzers, and FortiEndpoint servers it is connected to.

    Enable Endpoint Snapshot Reports

    Enable endpoint snapshot reports and enter the interval at which to take reports in seconds. The interval must be between 300 and 86400 seconds. The snapshot contains process and network information of the endpoint's current state.

  7. Click Apply.
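The timeout chain under Endpoints Settings (Keepalive Interval, Offline Timeout, Tag Timeout, License Timeout) and the onboarding lockout behaviour (Onboarding Lockout Attempt and Onboarding Lockout Period) are easiest to reason about as two small state machines. The following Python is an added illustration written for this guide, not Fortinet's EMS code; it assumes the keepalive interval is expressed in seconds, that the lockout counter is per user, and uses constructed setting values rather than any real deployment's configuration. The other units (intervals, minutes, days, seconds) follow the option descriptions above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed example settings. The seconds unit for Keepalive Interval is an
# assumption; the remaining units are those stated in the option descriptions.
@dataclass(frozen=True)
class EndpointSettings:
    keepalive_seconds: int = 60          # Keepalive Interval (assumed seconds)
    offline_timeout_intervals: int = 3   # Offline Timeout, in KA intervals
    tag_timeout_minutes: int = 10        # Tag Timeout, minutes after offline
    license_timeout_days: int = 30       # License Timeout, days without contact


def endpoint_state(last_contact: datetime, now: datetime, s: EndpointSettings) -> str:
    """Return the lifecycle stage an endpoint has reached given its last contact.

    online -> offline (after N keepalive intervals) -> offline-tags-removed
    (Tag Timeout minutes later) -> registration-removed (License Timeout days).
    """
    silence = now - last_contact
    offline_after = timedelta(seconds=s.keepalive_seconds * s.offline_timeout_intervals)
    if silence < offline_after:
        return "online"
    # Checked first so that a short License Timeout still wins over the tag stage.
    if silence >= timedelta(days=s.license_timeout_days):
        return "registration-removed"
    if silence >= offline_after + timedelta(minutes=s.tag_timeout_minutes):
        return "offline-tags-removed"
    return "offline"


class OnboardingLockout:
    """Per-user verification lockout following the Onboarding Lockout options.

    After max_attempts consecutive failures the user is locked out for
    lockout_seconds. Any attempt during the lockout fails (even with correct
    credentials) and restarts the lockout period; once the period has elapsed
    the failure counter starts from zero again.
    """

    def __init__(self, max_attempts: int = 3, lockout_seconds: int = 300):
        # The page states a default of 3 and a maximum of 10; the lower bound of
        # 1 is an assumption made here so the policy is always enforceable.
        if not 1 <= max_attempts <= 10:
            raise ValueError("Onboarding Lockout Attempt must be between 1 and 10")
        self.max_attempts = max_attempts
        self.lockout = timedelta(seconds=lockout_seconds)
        self._failures: dict[str, int] = {}          # user -> consecutive failures
        self._locked_until: dict[str, datetime] = {}  # user -> end of lockout

    def attempt(self, user: str, credentials_ok: bool, now: datetime) -> tuple[bool, str]:
        """Record one verification attempt; return (accepted, reason)."""
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                # Attempt during lockout: rejected, and the period begins again.
                self._locked_until[user] = now + self.lockout
                return False, "locked-out"
            # Lockout has passed: clear it and the failure counter.
            del self._locked_until[user]
            self._failures[user] = 0
        if credentials_ok:
            self._failures[user] = 0
            return True, "verified"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            return False, "locked-out"
        return False, "invalid-credentials"


if __name__ == "__main__":
    settings = EndpointSettings()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for minutes in (1, 3, 14, 43200):
        print(minutes, "min silent ->", endpoint_state(t0, t0 + timedelta(minutes=minutes), settings))
    lock = OnboardingLockout(max_attempts=3, lockout_seconds=60)
    for offset, ok in ((0, False), (1, False), (2, False), (30, True), (141, True)):
        print("t+%ds" % offset, lock.attempt("user@example.test", ok, t0 + timedelta(seconds=offset)))
```

Two points worth noticing when tuning these options: with the defaults above an endpoint is only marked offline after three missed keepalives, so raising the Keepalive Interval to relieve server load also stretches how long a disconnected endpoint keeps its tags; and because every attempt during a lockout restarts the period, a user who keeps retrying never clears the lockout until they stop for the full Onboarding Lockout Period.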
