EMS Administration Guide

On-net Detection Rules

You can configure on-net detection rules for endpoints. EMS uses the rules to determine if the endpoint is on-net or off-net. Depending on the endpoint's on-net status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

Note

On-net detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. For endpoints running FortiClient 6.2.1 and earlier versions, the On-Net Subnets setting in the endpoint profile determines on-net/off-net status. See System Settings.

To add an on-net detection rule:
  1. Go to Policy Components > On-net Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable or disable the rule by toggling Enable Rule on or off.
  5. In the IP Addresses/Subnet Masks field, enter the desired values. You can enter multiple values by clicking the + button.
  6. (Optional) In the Gateway MAC Addresses field, enter the desired values. You can enter multiple values by clicking the + button.
  7. Click Save.
To edit an on-net detection rule:
  1. Go to Policy Components > On-net Detection Rules.
  2. Select the rule.
  3. Click Edit.
  4. Edit as desired.
  5. Click Save.
To delete an on-net detection rule:
  1. Go to Policy Components > On-net Detection Rules.
  2. Click the desired rule.
  3. Click Delete.
  4. In the confirmation dialog, click Yes.
To enable/disable an on-net detection rule:
  1. Go to Policy Components > On-net Detection Rules.
  2. Select or deselect the Enabled checkbox for the desired endpoint policy.

Determining on-net/off-net status

There are two settings in EMS that affect FortiClient on-net/off-net status:

  • DHCP on-net/off-net
  • On-net detection rules configured for the endpoint's assigned policy

The table below shows how the DHCP on-net/off-net setting, on-net detection rules, and Option 224 serial number affect the endpoint's on-net/off-net status. DHCP on-net/off-net only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-net with that FortiGate.

| DHCP on-net/off-net | On-net detection rules | Option 224 serial number | Resulting endpoint status |
|---|---|---|---|
| Disabled | Not configured | N/A | Endpoint is on-net when registered to EMS. |
| Enabled | Not configured | Not configured | Endpoint is off-net when registered to EMS. |
| Enabled | Not configured | Configured | On-net. Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-net with that FortiGate. |
| N/A | Enabled, with subnet configured. Endpoint IP address is in the configured subnet. | N/A | On-net. The endpoint is inside the on-net networks configured in the applied endpoint policy's on-net detection rules. |
| N/A | Enabled, with subnet configured. Endpoint IP address is not in the configured subnet. | N/A | Off-net. The endpoint is outside the on-net networks configured in the applied endpoint policy's on-net detection rules. |

An endpoint has an offline off-net status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-net networks.

An endpoint has an offline on-net status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-net networks, or if no on-net rules are configured within the assigned policy.
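The status table and the two offline cases above, written out as one decision function so the precedence (detection rules first, then the DHCP setting and Option 224) can be checked against sample endpoints. This is an added example, not EMS or FortiClient code; the OnNetRule model, the assumption that a listed gateway MAC must also match when a rule lists any, and the sample subnets and serial are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of one EMS on-net detection rule (not the EMS API).
@dataclass
class OnNetRule:
    name: str
    enabled: bool
    subnets: List[str]                                     # IP Addresses/Subnet Masks field
    gateway_macs: List[str] = field(default_factory=list)  # optional Gateway MAC Addresses field

def rule_matches(rule: OnNetRule, endpoint_ip: str, gateway_mac: Optional[str] = None) -> bool:
    """True when the endpoint IP is inside one of the rule's subnets and, if the rule
    lists gateway MACs, the observed gateway MAC is one of them (assumption: both must hold)."""
    if not rule.enabled:
        return False
    ip = ipaddress.ip_address(endpoint_ip)
    if not any(ip in ipaddress.ip_network(s, strict=False) for s in rule.subnets):
        return False
    if rule.gateway_macs:
        wanted = {m.lower() for m in rule.gateway_macs}
        return gateway_mac is not None and gateway_mac.lower() in wanted
    return True

def endpoint_status(connected_to_ems: bool, dhcp_on_net_enabled: bool,
                    rules: List[OnNetRule], option224_serial: Optional[str],
                    endpoint_ip: str, gateway_mac: Optional[str] = None) -> str:
    """Apply the status table: enabled rules with subnets decide when present; otherwise
    the DHCP on-net/off-net setting and Option 224 decide, and only while connected to EMS."""
    active = [r for r in rules if r.enabled and r.subnets]
    inside = any(rule_matches(r, endpoint_ip, gateway_mac) for r in active)
    if not connected_to_ems:
        # Telemetry cannot reach EMS: inside a rule's network, or no rules at all, is offline on-net.
        return "offline on-net" if (inside or not active) else "offline off-net"
    if active:
        return "on-net" if inside else "off-net"
    if not dhcp_on_net_enabled:
        return "on-net"  # DHCP on-net/off-net disabled: on-net once registered to EMS
    # DHCP on-net/off-net enabled, no rules: an Option 224 serial means "behind a FortiGate".
    return "on-net" if option224_serial else "off-net"
```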