Dynamic endpoint grouping/tagging and EMS connector (endpoint compliance)
As part of the Security Fabric, you can now configure categorization rules on EMS to dynamically group/tag FortiClient Fabric Agent endpoints. You can then share these endpoint groups with FortiGate over the EMS connector. EMS dynamically updates these endpoint groups when host compliance or other events happen. You can combine the endpoint groups with FortiGate firewall policies to provide dynamic access control based on endpoint status.
You can dynamically group endpoints by OS type, OS version, certificate, logged in domain, files, running applications/processes, registry keys, and more. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the compliance verification rules.
You can selectively block, allow, or present a captive portal to endpoint groups based on their real-time compliance status.
You can configure EMS to send requests for tags to registered endpoints. Each endpoint responds by sending the values of matching tags to EMS in the endpoint control protocol keepalive messages. You can configure FortiGates to retrieve endpoint tags from EMS. You can use the tags in FortiGate firewall policies.
This feature requires three main components:
- FortiClient (Windows, macOS, or Linux)
- EMS
- FortiGate
This feature is new to 6.2.0 and requires that all components are running 6.2.0 or a newer version.
To configure EMS for dynamic endpoint grouping:
- Create a profile:
- Go to Endpoint Profiles > Manage Profiles.
- Click Add.
- Configure the security features in the profile as desired.
- If you want the host tags to display on the FortiClient GUI, on the System Settings tab, enable Show Host Tag on FortiClient & FortiClient EMS GUI. By default, the FortiClient GUI does not display host tags.
- Create a policy:
- Go to Endpoint Policy > Manage Policies.
- Click Add.
- Configure the new policy. Select the desired group or Active Directory organizational unit (OU), profile, and Telemetry gateway list.
- Create host verification rules:
- Go to Compliance Verification > Compliance Verification Rules.
- Click Add.
- Configure rules and tags as desired.
For details on compliance verification rule types, see the EMS Administration Guide.
To configure FortiOS for dynamic endpoint grouping:
config user fsso
    edit "ems_name"
        set server 10.127.121.21
        set type fortiems
        set ssl enable
        set ssl-trusted-cert "Fortinet_CA"
        set group-poll-interval <desired interval in minutes>
    next
end
config user group
    edit "group_name"
        set group-type fsso-service
        set member "ems_group"
    next
end
In the above CLI sample, set ssl-trusted-cert is optional. For this option to function, you must upload the certificate in EMS under System Settings > Server > EMS FSSO Settings; the FortiGate then verifies the EMS server certificate against it when the SSL connection is established.
group-poll-interval is only available in FortiOS 6.2.2 and later versions. In FortiOS 6.2.0 and 6.2.1, go to Security Fabric > Fabric Connectors, open the EMS connector editing page, then click Apply & Refresh to fetch endpoint grouping data from EMS.
To configure FortiClient for dynamic endpoint grouping:
Ensure that FortiClient is registered to EMS. If FortiClient is not registered to EMS, manually enter the EMS IP address on the Fabric Telemetry tab of the FortiClient GUI. FortiClient receives the assigned Telemetry gateway list and registers to the FortiGate on that list. FortiClient then sends its tags to EMS in the endpoint control keepalive messages.
To view the results:
- In EMS, go to Compliance Verification > Compliance Verification Rules to view all configured rules and tags.
- Go to Compliance Verification > Host Tag Monitor to view all tags and the endpoints that are currently applicable.
- Go to Compliance Verification > Fabric Device Monitor to view connected FortiGates.
- View the endpoint details. You can see that host verification tags have been applied. In this example, the endpoint is running Firefox and has Windows 8.1 or 10 installed, and therefore has the has_firefox and winos tags applied according to the compliance verification rules. FortiOS lists the same tags in upper case (HAS_FIREFOX, WINOS).
- In the FortiOS CLI, run the diag debug authd fsso list command to view the received endpoint tags:
----FSSO logons----
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
- Run the diag debug enable command, then the diag debug authd fsso server-status command to view the EMS that the FortiGate is connected to.
- Disable debug mode by running the diag debug disable command.
- View the tags that FortiClient sends on the avatar page in the FortiClient GUI.
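When the FortiGate does not enforce a policy as expected, the first thing to check is whether the tag actually reached FortiOS for that endpoint's IP. The following Python script is an added example, not Fortinet code or part of the original page: it parses the diag debug authd fsso list output shown above (the sample text is constructed from that format), reports which endpoints carry a tag, lists the tags an endpoint is missing, and emulates the match of a firewall policy whose source is an fsso-service user group. Treating the leading 32-hex-character group as an opaque EMS identifier rather than a tag, and matching the group on any member tag, are assumptions.

```python
"""Parse `diag debug authd fsso list` output and check which EMS host tags
FortiOS has received for each endpoint.

Added example for this page; it is not Fortinet code. SAMPLE_OUTPUT is
constructed from the output format shown on the page. Treating the leading
32-hex-character group as an EMS identifier (not a tag) is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format shown on this page (not captured output).
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.127.131.102 User: LEDINGTON Groups: 6E813333919A475F9AA7C9B640A8B871+HAS_FIREFOX+WINOS Workstation: CHERRYWOOD
IP: 10.127.131.108 User: DLAMBERSON Groups: F3C5191D4F6E47B996467A25AB12C4A4+HAS_FIREFOX Workstation: ALDERWOOD
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

LOGON_RE = re.compile(
    r"^IP:\s+(?P<ip>\S+)\s+User:\s+(?P<user>\S+)\s+"
    r"Groups:\s+(?P<groups>\S+)\s+Workstation:\s+(?P<ws>\S+)\s*$"
)
# Assumption: a leading 32-hex-character group is an EMS-assigned identifier, not a tag.
EMS_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass(frozen=True)
class Logon:
    ip: str
    user: str
    workstation: str
    ems_id: str
    tags: frozenset  # host tags, upper case as FortiOS prints them


def parse_fsso_list(text):
    """Return one Logon per 'IP: ...' line; header, footer and summary lines are skipped."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("groups").split("+")
        if EMS_ID_RE.match(parts[0]):
            ems_id, tag_parts = parts[0], parts[1:]
        else:
            ems_id, tag_parts = "", parts
        logons.append(Logon(
            ip=m.group("ip"),
            user=m.group("user"),
            workstation=m.group("ws"),
            ems_id=ems_id,
            tags=frozenset(t.upper() for t in tag_parts if t),
        ))
    return logons


def endpoints_with_tag(logons, tag):
    """Sorted IPs carrying `tag`. Case-insensitive: EMS shows has_firefox, FortiOS HAS_FIREFOX."""
    return sorted(lg.ip for lg in logons if tag.upper() in lg.tags)


def missing_tags(logons, ip, expected):
    """Tags in `expected` that FortiOS has not received for `ip`; all of them if `ip` has no logon."""
    want = {t.upper() for t in expected}
    for lg in logons:
        if lg.ip == ip:
            return sorted(want - lg.tags)
    return sorted(want)


def matches_group(logons, ip, members):
    """Emulate a policy whose source is an fsso-service user group with the given member tags.

    Assumption: the group matches when the endpoint's logon carries any member tag.
    An endpoint with no logon entry never matches, so a stale or missing EMS logon
    silently drops the endpoint out of a tag-based allow policy.
    """
    wanted = {m.upper() for m in members}
    return any(lg.ip == ip and lg.tags & wanted for lg in logons)


if __name__ == "__main__":
    logons = parse_fsso_list(SAMPLE_OUTPUT)
    for lg in logons:
        print(f"{lg.ip:16} {lg.workstation:12} tags={sorted(lg.tags)}")
    print("WINOS endpoints:", endpoints_with_tag(logons, "winos"))
    print("10.127.131.108 missing:",
          missing_tags(logons, "10.127.131.108", ["has_firefox", "winos"]))
```

Paste real output into SAMPLE_OUTPUT (or read it from a file) to use the script against your own FortiGate. Because tags are matched on the endpoint's IP, an endpoint that changed address or whose keepalive to EMS lapsed shows up as missing every tag even though EMS still lists it as compliant.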
To create a dynamic firewall policy for the user group:
You can now create a dynamic firewall policy in FortiOS for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to confirm the policy was created and applies to the desired user group. FortiOS re-evaluates which endpoints match this policy each time it receives updated group membership from EMS.