Using certificate Fabric authentication
FortiOS Fabric authentication is moving towards certificate-based authentication. This feature adds certificate-based authentication for the Fabric connection between FortiOS and FortiClient Cloud: the FortiGate presents a certificate, and the FortiClient Cloud administrator can authorize or deny the connection request from that FortiGate. Only an authorized connection request establishes the Fabric connection between FortiOS and FortiClient Cloud.
To configure FortiOS:
- Enable FortiHeartbeat:
config system interface
edit "wan1"
set fortiheartbeat enable
next
end
- Configure FortiClient Cloud:
config endpoint-control fctems
edit "ems-cloud"
set serial-number ''
set fortinetone-cloud-authentication enable
set source-ip 0.0.0.0
set call-timeout 5000
next
end
To enable remote HTTPS access in FortiClient Cloud:
- Go to System Settings > Server.
- Under Shared Settings, enable Remote HTTPS access. Ensure that the HTTPS port is defined as 443.
To establish Fabric connection between FortiOS and FortiClient Cloud:
1. Test Fabric device connectivity from FortiOS by entering the following command. The argument is the name of the fctems entry configured above (ems-cloud in this example):
diagnose endpoint fctems-test-connectivity ems-cloud
FortiClient Cloud should respond with a Not authorized message, because the connection request has not been authorized yet.
2. Log in to FortiClient Cloud. Do one of the following:
- A popup notification prompts you to authorize or deny the Fabric connection for access from that particular FortiGate. The authorization request includes the FortiGate hostname, serial number, and IP address. Confirm that these match the FortiGate you configured, then click Authorize. Deny any request from a device you do not recognize.
- If you do not see a popup notification, you can also authorize Fabric devices in Administration > Fabric Devices. This page shows devices pending authorization with a yellow question mark. Click the desired device, then click Authorize.
3. Go to Administration > Fabric Devices. Verify that the Fabric connection is established between FortiOS and FortiClient Cloud. The connection's status displays as authorized.
4. Repeat step 1 to test Fabric device connectivity from FortiOS. FortiClient Cloud should now respond with a Connection test passed message.
5. After FortiClient Cloud authorizes a Fabric device, FortiOS can quarantine an endpoint and remove it from quarantine via FortiClient Cloud. To quarantine an endpoint, run the following command:
diagnose endpoint fctems-queue-complete-calls Q-<endpoint IP address>
For example, if the endpoint's IP address is 192.168.10.204, the command is:
diagnose endpoint fctems-queue-complete-calls Q-192.168.10.204
The response should be:
SUCCESS! Queued the <call> 'Q-<endpoint IP address>'. <call> stats: total=1, valid=1, queued=1.
6. To remove the endpoint from quarantine, run the following command:
diagnose endpoint fctems-queue-complete-calls U-<endpoint IP address>
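The steps above are manual, but the diagnose commands lend themselves to scripting. The following Python helper is an added example, not Fortinet code and not part of the original page: it builds the commands shown above, validates the endpoint address before it is spliced into a CLI string, refuses to queue a quarantine call until the connectivity test reports an authorized connection, and parses the responses. The run_cli callable, the fake FortiGate that answers it, the name pattern for the fctems entry and the ems-cloud / 192.168.10.204 values are assumptions for illustration; in production run_cli would be an SSH session to the FortiGate.

```python
"""Scripted driver for the FortiOS <-> FortiClient Cloud Fabric steps on this page.

Added example (not Fortinet code). The `run_cli` callable is an assumption: in
production it would send one line to the FortiGate CLI over SSH and return the
output; here a fake returns constructed responses modelled on the page's text.
"""
import ipaddress
import re
from typing import Callable, Dict, Tuple

# Commands taken from the page; only the arguments are filled in.
CONNECTIVITY_CMD = "diagnose endpoint fctems-test-connectivity {name}"
QUEUE_CMD = "diagnose endpoint fctems-queue-complete-calls {call}"

# Assumed safe character set for an fctems entry name (config object names are
# short and contain no shell-like metacharacters).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,35}$")
STATS_RE = re.compile(r"total=(\d+), valid=(\d+), queued=(\d+)")


def connectivity_command(ems_name: str) -> str:
    """Build the connectivity test for the named fctems entry (ems-cloud on this page)."""
    if not NAME_RE.match(ems_name):
        raise ValueError(f"unsafe fctems entry name: {ems_name!r}")
    return CONNECTIVITY_CMD.format(name=ems_name)


def quarantine_call(endpoint_ip: str, quarantine: bool = True) -> str:
    """Q-<ip> queues a quarantine, U-<ip> a release. Anything that is not a single
    IPv4 host address is rejected before it can reach the CLI string."""
    addr = ipaddress.ip_address(endpoint_ip)  # ValueError on "1.2.3.4; exec reboot" etc.
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 endpoint address, got {endpoint_ip!r}")
    return f"{'Q' if quarantine else 'U'}-{addr}"


def quarantine_command(endpoint_ip: str, quarantine: bool = True) -> str:
    return QUEUE_CMD.format(call=quarantine_call(endpoint_ip, quarantine))


def parse_connectivity(output: str) -> str:
    """Map the two responses the page documents to a state; anything else is unknown."""
    if "Connection test passed" in output:
        return "authorized"
    if "Not authorized" in output:
        return "pending"
    return "unknown"


def parse_queue_response(output: str) -> Tuple[bool, Dict[str, int]]:
    """Return (accepted, stats). Accepted only if the call was actually queued."""
    m = STATS_RE.search(output)
    if not output.startswith("SUCCESS!") or m is None:
        return False, {}
    stats = dict(zip(("total", "valid", "queued"), map(int, m.groups())))
    return stats["queued"] >= 1, stats


def set_quarantine(run_cli: Callable[[str], str], ems_name: str,
                   endpoint_ip: str, quarantine: bool = True) -> Dict[str, int]:
    """Full flow: check the Fabric connection first, then queue the call.

    Refusing to queue while the connection is still pending avoids silently
    sending a quarantine that the EMS side will never act on."""
    state = parse_connectivity(run_cli(connectivity_command(ems_name)))
    if state != "authorized":
        raise RuntimeError(
            f"Fabric connection to {ems_name} is {state}; authorize the FortiGate "
            "in FortiClient Cloud (Administration > Fabric Devices) first")
    accepted, stats = parse_queue_response(run_cli(quarantine_command(endpoint_ip, quarantine)))
    if not accepted:
        raise RuntimeError(f"call was not queued: {stats}")
    return stats


def fake_fortigate(authorized: bool) -> Callable[[str], str]:
    """Constructed stand-in for the FortiGate CLI, returning the page's response strings."""
    def run_cli(cmd: str) -> str:
        if cmd.startswith("diagnose endpoint fctems-test-connectivity "):
            return "Connection test passed" if authorized else "Not authorized"
        if cmd.startswith("diagnose endpoint fctems-queue-complete-calls "):
            call = cmd.rsplit(" ", 1)[1]
            return f"SUCCESS! Queued the call '{call}'. call stats: total=1, valid=1, queued=1."
        return "Unknown action"
    return run_cli


if __name__ == "__main__":
    # Before authorization the helper refuses; afterwards it queues Q-192.168.10.204.
    try:
        set_quarantine(fake_fortigate(False), "ems-cloud", "192.168.10.204")
    except RuntimeError as exc:
        print("refused:", exc)
    print(set_quarantine(fake_fortigate(True), "ems-cloud", "192.168.10.204"))
```

Validating the address with the ipaddress module rather than string formatting is the point worth keeping even if the rest is replaced: the endpoint IP usually arrives from a SIEM or SOAR playbook, and it must never be concatenated into a privileged CLI line unchecked.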