Dynamic endpoint grouping/tagging and EMS connector (endpoint compliance)

As part of the Security Fabric, you can now configure categorization rules on EMS to dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint groups when host compliance or other events happen. You can combine the endpoint groups with FortiGate firewall policies to provide dynamic access control based on endpoint status.

You can dynamically group endpoints by OS type, OS version, certificate, logged-in domain, files, running applications/processes, registry keys, and more. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the compliance verification rules.

You can selectively block, allow, or display a captive portal to endpoint groups based on their real-time compliance status.

You can configure EMS to send requests for tags to registered endpoints. Each endpoint responds by sending the values of matching tags to EMS in the endpoint control protocol keepalive messages. You can configure FortiGates to retrieve endpoint tags from EMS. You can use the tags in FortiGate firewall policies.

This feature requires three main components:

  • FortiClient (Windows, macOS, or Linux)
  • EMS
  • FortiGate

This feature is new to 6.2.0 and requires that all components are running 6.2.0 or a newer version.

To configure EMS for dynamic endpoint grouping:
  1. Create a profile:
    1. Go to Endpoint Profiles > Manage Profiles.
    2. Click Add.
    3. Configure the security features in the profile as desired.
    4. If you want the host tags to display on the FortiClient GUI, on the System Settings tab, enable Show Host Tag on FortiClient & FortiClient EMS GUI. By default, the FortiClient GUI does not display host tags.

  2. Create a policy:
    1. Go to Endpoint Policy > Manage Policies.
    2. Click Add.
    3. Configure the new policy. Select the desired group or Active Directory organizational unit (OU), profile, and Telemetry gateway list.
  3. Create host verification rules:
    1. Go to Compliance Verification > Compliance Verification Rules.
    2. Click Add.
    3. Configure rules and tags as desired.
    4. For details on compliance verification rule types, see the EMS Administration Guide.

To configure FortiOS for dynamic endpoint grouping:

    config user fsso
        edit "ems_name"
            set server 10.127.121.21
            set type fortiems
            set ssl enable
            set ssl-trusted-cert "Fortinet_CA"
            set group-poll-interval <desired interval in minutes>
        next
    end

    config user group
        edit "group_name"
            set group-type fsso-service
            set member "ems_group"
        next
    end

In the above CLI sample, set ssl-trusted-cert is optional. For this option to function, you must upload a certificate in System Settings > Server > EMS FSSO Settings.

group-poll-interval is only available for FortiOS 6.2.2 and later versions. In FortiOS 6.2.0 and 6.2.1, you can go to Security Fabric > Fabric Connectors, open the EMS connector editing page, then click Apply & Refresh to fetch endpoint grouping data from EMS.

To configure FortiClient for dynamic endpoint grouping:

Ensure that FortiClient is registered to EMS. If FortiClient is not registered to EMS, manually enter the EMS IP address in the FortiClient GUI on the Fabric Telemetry tab. FortiClient receives the assigned Telemetry gateway list and registers to the FortiGate on the gateway list. FortiClient then sends the tags to EMS.

To view the results:
  1. In EMS, go to Compliance Verification > Compliance Verification Rules to view all configured rules and tags.

  2. Go to Compliance Verification > Host Tag Monitor to view all tags and the endpoints that are currently applicable.

  3. Go to Compliance Verification > Fabric Device Monitor to view connected FortiGates.

  4. View the endpoint details. You can see that host verification tags have been applied. In this example, the endpoint is running Firefox and has Windows 8.1 or 10 installed, and therefore has the has_firefox and winos tags applied according to the compliance verification rules.

  5. In the FortiOS CLI, run the diag debug authd fsso list command to view received endpoint tags:

    ----FSSO logons----

    IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD

    IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD

    Total number of logons listed: 2, filtered: 0

    ----end of FSSO logons----

  6. Run the diag debug enable command, then the diag debug authd fsso server-status command to view the EMS that the FortiGate is connected to.

  7. Disable debug mode by running the diag debug disable command.
  8. View the tags that FortiClient sends on the avatar page in the FortiClient GUI.
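The Groups field in the diag debug authd fsso list output above is what the FortiGate actually matches firewall policies against, so it is worth checking it programmatically rather than by eye: an endpoint that drops a tag (for example because it fails a compliance verification rule) silently falls out of the corresponding group. The following Python script is an added example, not Fortinet code. It parses the page's two sample logon lines (embedded below as constructed input), splits each Groups value on "+", and reports which endpoints lack a required tag. Two assumptions are made and marked in the comments: the leading 32-character hexadecimal component of Groups is treated as an identifier rather than a host tag, and tag names are compared case-insensitively because EMS shows them as has_firefox/winos while the FortiGate lists them as HAS_FIREFOX/WINOS.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample: the logon lines from the page's
# "diag debug authd fsso list" output, with header and footer.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+"
    r"Groups:\s*(?P<groups>\S+)\s+Workstation:\s*(?P<ws>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s*(\d+),\s*filtered:\s*(\d+)")
# Assumption: a 32-hex component in Groups is an identifier, not a host tag.
ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class Logon:
    ip: str
    user: str
    workstation: str
    group_id: Optional[str]      # the leading hex identifier, if present
    tags: FrozenSet[str]          # upper-cased host tags received from EMS


def parse_fsso_list(text: str) -> List[Logon]:
    """Parse 'diag debug authd fsso list' output into Logon records.

    Raises ValueError if the number of parsed logon lines disagrees with
    the 'Total number of logons listed' line, which catches truncated output.
    """
    logons: List[Logon] = []
    total: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGON_RE.match(line)
        if m:
            parts = m.group("groups").split("+")
            gid = parts[0] if ID_RE.match(parts[0]) else None
            # Assumption: compare tags case-insensitively (EMS vs FortiGate casing).
            tags = frozenset(p.upper() for p in parts if not ID_RE.match(p))
            logons.append(Logon(m.group("ip"), m.group("user"), m.group("ws"), gid, tags))
            continue
        t = TOTAL_RE.match(line)
        if t:
            total = int(t.group(1))
    if total is not None and total != len(logons):
        raise ValueError(f"parsed {len(logons)} logons but FortiGate reports {total}")
    return logons


def missing_tags(logons: List[Logon], required) -> dict:
    """Map each endpoint IP to the sorted list of required tags it lacks."""
    req = frozenset(t.upper() for t in required)
    return {lg.ip: sorted(req - lg.tags) for lg in logons}


def noncompliant(logons: List[Logon], required) -> List[str]:
    """IPs of endpoints that are missing at least one required tag."""
    return sorted(ip for ip, gap in missing_tags(logons, required).items() if gap)


if __name__ == "__main__":
    received = parse_fsso_list(SAMPLE_OUTPUT)
    for lg in received:
        print(f"{lg.ip:16} {lg.user:12} {lg.workstation:12} tags={sorted(lg.tags)}")
    # Endpoints that would not match a policy requiring both tags.
    print("missing WINOS or HAS_FIREFOX:", noncompliant(received, ["winos", "has_firefox"]))
```

Run it against a pasted copy of the real CLI output to confirm that every endpoint you expect in a policy's user group actually carries the tag that group is built from; the total-count check also flags output that was cut off before the end-of-logons footer.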

To create a dynamic firewall policy for the user group:

You can now create a dynamic firewall policy in FortiOS for the user group. In this example, an IPv4 policy is created for the user group.

  1. In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
  2. In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
  3. Configure other options as desired. Click OK.
  4. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.
