Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 6.0.8 EMS Administration Guide
    6.0.8
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Quarantining an endpoint from FortiOS using EMS

    Quarantining an endpoint from FortiOS using EMS

    The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. The following network components are required:

    • FortiGate
    • FortiAnalyzer
    • FortiClient EMS
    • FortiClient

    You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.

    This configuration functions as follows:

    1. FortiClient sends logs to the FortiAnalyzer.
    2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
    3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
    4. EMS searches for the endpoint and sends a quarantine message to it.
    5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
    Note

    FortiClient (Linux) does not support this feature.
    Prerequisites

    The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate:

    FortiClient

    FortiClient must be installed on the endpoint and connected to both EMS and the FortiGate.

    EMS
    1. A profile must be assigned to the endpoint. See Assigning profiles to Windows, macOS, and Linux endpoints.
    2. A gateway list using the FortiGate's IP address must be assigned to the endpoint. See Creating a gateway list and Assigning a gateway list to endpoints.
    3. Enable Remote HTTPS access. See Configuring Server settings.
    FortiGate

    Before automation can be triggered, you must configure the following:

    • Automation objects
      • Automation trigger
      • Automation object
      • Automation stitch
    • EMS firewall address object
    • Endpoint control FCT-EMS object

    The following provides instructions for the FortiGate CLI.

    To create an automation trigger, enter the following commands in the CLI:

    config system automation-trigger

    edit "trigger01"

    set trigger-type event-based

    set event-type ioc

    set ioc-level high

    next

    end

    To create an automation action, enter the following commands in the CLI:

    config system automation-action

    edit "action01"

    set action-type quarantine-forticlient

    set minimum-interval 0

    next

    end

    To create an automation stitch, enter the following commands in the CLI:

    config system automation-stitch

    edit "stitch01"

    set status enable

    set trigger "trigger01"

    set action "action01"

    next

    end

    To create a firewall address object, enter the following commands in the CLI:

    config firewall address

    edit "EMS01"

    set type ipmask

    set subnet <EMS_IP_address> 255.255.255.255

    next

    end

    To create an endpoint control FCT-EMS object, enter the following commands in the CLI. In the below commands, <EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and <PASSWORD> is the EMS administrator's password.

    config endpoint-control forticlient-ems

    edit "e01"

    set address "EMS01"

    set serial-number <EMS_SERIAL_NUMBER>

    set rest-api-auth userpass

    set https-port 443

    set admin-username <EMS_ADMIN>

    set admin-password <PASSWORD>

    set admin-type Windows

    next

    end

    Executing automation

    Once prerequisites are met, you can trigger the automation process. The following procedure triggers the quarantine action on the endpoint at <endpoint_ip_address>:

    diagnose endpoint forticlient-ems-rest-api queue-complete-calls Q-<endpoint_ip_address>

    After this action, the endpoint is quarantined.

    You can also remove an endpoint from quarantine using the following command:

    diagnose endpoint forticlient-ems-rest-api queue-complete-calls U-<endpoint_ip_address>

    Previous
    Next

    On This Page

    Prerequisites
    Executing automation

    Quarantining an endpoint from FortiOS using EMS

    Quarantining an endpoint from FortiOS using EMS

    The Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. The following network components are required:

    • FortiGate
    • FortiAnalyzer
    • FortiClient EMS
    • FortiClient

    You must connect FortiClient to both the EMS and FortiGate. The FortiGate and FortiClient must both be sending logs to the FortiAnalyzer. You must configure the EMS IP address on the FortiGate, as well as administrator login credentials.

    This configuration functions as follows:

    1. FortiClient sends logs to the FortiAnalyzer.
    2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
    3. FortiGate determines if the FortiClient is among its connected endpoints and if it has the login credentials for the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
    4. EMS searches for the endpoint and sends a quarantine message to it.
    5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
    Note

    FortiClient (Linux) does not support this feature.
    Prerequisites

    The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate:

    FortiClient

    FortiClient must be installed on the endpoint and connected to both EMS and the FortiGate.

    EMS
    1. A profile must be assigned to the endpoint. See Assigning profiles to Windows, macOS, and Linux endpoints.
    2. A gateway list using the FortiGate's IP address must be assigned to the endpoint. See Creating a gateway list and Assigning a gateway list to endpoints.
    3. Enable Remote HTTPS access. See Configuring Server settings.
    FortiGate

    Before automation can be triggered, you must configure the following:

    • Automation objects
      • Automation trigger
      • Automation object
      • Automation stitch
    • EMS firewall address object
    • Endpoint control FCT-EMS object

    The following provides instructions for the FortiGate CLI.

    To create an automation trigger, enter the following commands in the CLI:

    config system automation-trigger

    edit "trigger01"

    set trigger-type event-based

    set event-type ioc

    set ioc-level high

    next

    end

    To create an automation action, enter the following commands in the CLI:

    config system automation-action

    edit "action01"

    set action-type quarantine-forticlient

    set minimum-interval 0

    next

    end

    To create an automation stitch, enter the following commands in the CLI:

    config system automation-stitch

    edit "stitch01"

    set status enable

    set trigger "trigger01"

    set action "action01"

    next

    end

    To create a firewall address object, enter the following commands in the CLI:

    config firewall address

    edit "EMS01"

    set type ipmask

    set subnet <EMS_IP_address> 255.255.255.255

    next

    end

    To create an endpoint control FCT-EMS object, enter the following commands in the CLI. In the below commands, <EMS_SERIAL_NUMBER> is the EMS serial number, <EMS_ADMIN> is the EMS administrator name, and <PASSWORD> is the EMS administrator's password.

    config endpoint-control forticlient-ems

    edit "e01"

    set address "EMS01"

    set serial-number <EMS_SERIAL_NUMBER>

    set rest-api-auth userpass

    set https-port 443

    set admin-username <EMS_ADMIN>

    set admin-password <PASSWORD>

    set admin-type Windows

    next

    end

    Executing automation

    Once prerequisites are met, you can trigger the automation process. The following procedure triggers the quarantine action on the endpoint at <endpoint_ip_address>:

    diagnose endpoint forticlient-ems-rest-api queue-complete-calls Q-<endpoint_ip_address>

    After this action, the endpoint is quarantined.

    You can also remove an endpoint from quarantine using the following command:

    diagnose endpoint forticlient-ems-rest-api queue-complete-calls U-<endpoint_ip_address>

    Previous
    Next