Configuring FortiOS dynamic policies using EMS dynamic endpoint groups
After defining compliance verification rules, you can configure FortiOS to receive the dynamic endpoint groups from EMS via the FSSO protocol, using the FortiClient EMS Fabric connector which supports SSL and imports trusted certificates. When a change to the dynamic endpoint groups occurs, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly. This feature is only available for FortiOS 6.2.0 or a later version.
The following configuration is necessary for this feature:
- In FortiClient EMS, create compliance verification rules. See Adding a compliance verification rule set.
- After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the compliance verification rules. See Host Tag Monitor.
- In FortiOS, create the EMS Fabric connector.
- In EMS, configure FSSO settings.
- In FortiOS, create a user group based on EMS dynamic endpoint groups.
- In FortiOS, create a dynamic firewall policy for the user group.
When a dynamic endpoint group event occurs (such as an endpoint being added to or removed from a dynamic endpoint group), EMS sends the updates to FortiOS. FortiOS updates firewall policies accordingly, providing dynamic access control based on endpoint status.
To create the EMS Fabric connector in FortiOS:
You can create the EMS Fabric connector in the FortiOS GUI or CLI. If desired, you can optionally configure the Fabric connector with an SSL certificate and a password for FSSO. If configured, you must configure the same certificate and password in EMS to ensure a successful connection.
To create the EMS Fabric connector in the GUI, do the following:
- Go to Security Fabric > Fabric Connectors.
- Click Create New, then select FortiClient EMS.
- In the Name field, enter the desired name.
- For Type, select FortiClient EMS.
- In the Primary Server IP field, enter the EMS IP address.
- (Optional) From the Trusted SSL certificate dropdown list, select the certificate.
- (Optional) In the Password field, enter the desired password.
- Click Apply & Refresh.
To configure EMS FSSO Settings:
If you configured a certificate and/or password in To create the EMS Fabric connector in FortiOS:, you must configure the same certificate and password in EMS.
- If you configured a certificate for the EMS Fabric connector in FortiOS, do the following:
- In FortiOS, go to System > Certificates.
- Right-click the configured certificate, then select Download.
- In EMS, go to System Settings > Server.
- For SSL certificate, browse to and upload the certificate downloaded in step 1.
- In the Configure FSSO Password field, enter the password.
- Ensure that Remote HTTPS access is enabled. In the Custom hostname field, enter the EMS IP address.
- Click Save.
To create a user group based on EMS dynamic groups:
- In FortiOS, go to User & Device > User Groups. Click Create New.
- In the Name field, enter the desired name.
- For Type, select Fortinet Single Sign-On (FSSO).
- In the Members field, click +. The Select Entries pane appears. Select the dynamic endpoint groups pulled from EMS.
- Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
- Click OK.
To create a dynamic firewall policy for the user group:
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.