As part of the Security Fabric, you can now configure categorization rules on EMS to dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint groups when host compliance or other events happen. You can combine the endpoint groups with FortiGate firewall policies to provide dynamic access control based on endpoint status.
You can dynamically group endpoints by OS type, OS version, certificate, logged in domain, files, running applications/processes, registry keys, and more. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the compliance verification rules.
You can selectively block, allow, or captive portal display endpoint groups based on their real-time compliance statuses.
You can configure EMS to send requests for tags to registered endpoints. Each endpoint responds by sending the values of matching tags to EMS in the endpoint control protocol keepalive messages. You can configure FortiGates to retrieve endpoint tags from EMS. You can use the tags in FortiGate firewall policies.
This feature requires three main components:
- FortiClient (Windows, macOS, or Linux)
This feature is new to 6.2.0 and requires that all components are running 6.2.0 or a newer version.
- Create a profile:
- Go to Endpoint Profiles > Manage Profiles.
- Click Add.
- Configure the security features in the profile as desired.
- If you want the host tags to display on the FortiClient GUI, on the System Settings tab, enable Show Host Tag on FortiClient & FortiClient EMS GUI. By default, the FortiClient GUI does not display host tags.
- Create a policy:
- Go to Endpoint Policy > Manage Policies.
- Click Add.
- Configure the new policy. Select the desired group or Active Directory organizational unit (OU), profile, and Telemetry gateway list.
- Create host verification rules:
- Go to Compliance Verification > Compliance Verification Rules.
- Click Add.
- Configure rules and tags as desired.
For details on compliance verification rule types, see the EMS Administration Guide.
config user fsso
set server 10.127.121.21
set type fortiems
set ssl enable
set ssl-trusted-cert "Fortinet_CA"
set group-poll-interval <desired interval in minutes>
config user group
set group-type fsso-service
set member "ems_group"
group-poll-interval is only available for FortiOS 6.2.2 and later versions. In FortiOS 6.2.0 and 6.2.1, you can go to Security Fabric > Fabric Connectors, open the EMS connector editing page, then click Apply & Refresh to fetch endpoint grouping data from EMS.
Ensure that FortiClient is registered to EMS. If FortiClient is not registered to EMS, manually enter the EMS IP address in the FortiClient GUI on the Fabric Telemetry tab. FortiClient receives the assigned Telemetry gateway list and registers to the FortiGate on the gateway list. FortiClient then sends the tags to EMS.
- In EMS, go to Compliance Verification > Compliance Verification Rules to view all configured rules and tags.
- Go to Compliance Verification > Host Tag Monitor to view all tags and the endpoints that are currently applicable.
- Go to Compliance Verification > Fabric Device Monitor to view connected FortiGates.
- View the endpoint details. You can see that host verification tags have been applied. In this example, the endpoint is running Firefox and has Windows 8.1 or 10 installed, and therefore has the has_firefox and winos tags applied according to the compliance verification rules.
- In the FortiOS CLI, run the
diag debug authd fsso listcommand to view received endpoint tags:
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
- Run the
diag debug enablecommand, then the
diag debug authd fsso server-statuscommand to view the EMS that the FortiGate is connected to:
- Disable debug mode by running the
diag debug disablecommand.
- View the tags that FortiClient sends on the avatar page in the FortiClient GUI.
You can now create a dynamic firewall policy in FortiOS for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.
FortiOS will update this policy when it receives updates from EMS.