New compliance verification rule types
EMS 6.2.2 introduces new compliance verification rule types. If an endpoint satisfies a rule, EMS places the endpoint into a group with other endpoints that satisfy the rule. The new rule types are:
- AD Group
- AntiVirus Software
- Sandbox Detection
- Windows Security (only available for Windows endpoints)
- User Identity
Configuring a compliance verification rule set remains similar to earlier versions of EMS. See the FortiClient EMS 6.2.2 Administration Guide.
AD Group
An endpoint that belongs to an AD domain may belong to numerous AD groups. You can configure a compliance verification rule that applies tags to endpoints based on what AD group(s) they belong to.
AntiVirus Software
You can configure an AntiVirus Software rule to consist of the following criteria:
- AV Software is installed and running
- AV signature is up-to-date
AV software can include:
- FortiClient AV
- Third-party AV software
- Windows Defender
Sandbox Detection
The Sandbox Detection rule type has one criterion: Sandbox detected malware on the endpoint in the last seven days.
Windows Security
You can configure a Windows Security rule to consist of the following criteria:
- Windows Defender is enabled
- BitLocker Disk Encryption is enabled
- Exploit Guard is enabled
- Application Guard is enabled
- Windows Firewall is enabled
Application Guard is only available for Windows 10.
Results
The example shows a rule configured for each new rule type:
| Name | Description |
|---|---|
| AD-group-Builtin-Admin | AD group rule that tags endpoints where the logged-in user is a member of the BuiltIn/Administrators AD group |
| AV-installed | AntiVirus Software rule that tags endpoints where AV software is installed and running |
| BitLocker | Windows Security rule that tags endpoints where BitLocker Disk Encryption is enabled |
| sandbox-detection | Sandbox Detection rule that tags endpoints where Sandbox detected malware in the last seven days |
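As an added illustration, not EMS code or its rule engine, the following Python script models how the four rules in the table above sort a constructed set of endpoints into tag groups, the way Host Tag Monitor presents them. The endpoint fields, the fixed clock and the sample endpoints are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Constructed endpoint record; the field names are assumptions, not EMS's schema.
@dataclass
class Endpoint:
    name: str
    ad_groups: Set[str]                    # AD groups the logged-in user belongs to
    av_installed: bool                     # any AV: FortiClient, third-party or Windows Defender
    av_running: bool
    last_sandbox_detection: Optional[datetime]
    bitlocker_enabled: bool

# Fixed clock (assumption) so the seven-day window evaluates the same way on every run.
NOW = datetime(2019, 11, 1, tzinfo=timezone.utc)

def ad_group_rule(group):
    return lambda ep: group in ep.ad_groups

def av_installed_rule():
    # "Installed and running" is one criterion: both conditions must hold.
    return lambda ep: ep.av_installed and ep.av_running

def sandbox_rule(now=NOW, window=timedelta(days=7)):
    return lambda ep: (ep.last_sandbox_detection is not None
                       and now - ep.last_sandbox_detection <= window)

def bitlocker_rule():
    return lambda ep: ep.bitlocker_enabled

# The four rules from the table; the rule names are the tags EMS would apply.
RULES = {
    "AD-group-Builtin-Admin": ad_group_rule("BuiltIn/Administrators"),
    "AV-installed": av_installed_rule(),
    "BitLocker": bitlocker_rule(),
    "sandbox-detection": sandbox_rule(),
}

def apply_tags(endpoints, rules=RULES):
    """Return {tag: sorted endpoint names}, i.e. the tag groups an admin sees in Host Tag Monitor."""
    groups = {tag: [] for tag in rules}
    for ep in endpoints:
        for tag, check in rules.items():
            if check(ep):
                groups[tag].append(ep.name)
    return {tag: sorted(names) for tag, names in groups.items()}

# Constructed sample endpoints covering the edge cases of each rule.
ENDPOINTS = [
    Endpoint("ws01", {"BuiltIn/Administrators"}, True, True, None, True),
    Endpoint("ws02", {"Domain Users"}, True, False, NOW - timedelta(days=2), False),  # AV installed but stopped
    Endpoint("ws03", set(), False, False, NOW - timedelta(days=10), True),            # detection older than 7 days
]

if __name__ == "__main__":
    for tag, names in apply_tags(ENDPOINTS).items():
        print(f"{tag}: {names}")
```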
Go to Compliance Verification > Host Tag Monitor. You can view each tag and the endpoints grouped by each tag.
Go to Compliance Verification > Fabric Device Monitor. You can view all FortiGates that are connected to EMS using the FSSO protocol, the tags shared with the FortiGate, and the number of endpoints in each tag group.
Go to Endpoints and view the details for a tagged endpoint. Host Verification Tags displays the tags that EMS has applied to the endpoint.
If you enabled Show Host Tags on FortiClient GUI on the endpoint's applied profile, you can also view the host tags on the FortiClient GUI.