Expanded on-fabric detection rules 6.4.2
EMS 6.4.2 adds support for eight new on-fabric detection rule types. On-fabric rules were called on-net detection rules in earlier EMS versions, and the XML configuration still uses the onnet_ element names. This gives you finer control over endpoints: you can configure EMS to apply a different profile to an endpoint depending on whether it is on- or off-fabric. EMS determines that status using the following rule types:
- DHCP server
- DNS server
- EMS connection
- Local IP address/subnet
- Default gateway
- Ping server
- Public IP address
- Connection media
- VPN tunnel
The following describes the process for configuring on-fabric detection rules and using them to apply profiles to endpoints:
- Configure on-fabric detection rules.
- Create an on-fabric profile and off-fabric profile.
- Create a policy with on-fabric detection rules, an on-fabric profile, and an off-fabric profile.
To configure on-fabric detection rules:
- Go to Policy Components > On-fabric Detection Rules.
- Click the Add button.
- Configure the Name, Enabled, and Comments fields as desired.
- Click Add Rule.
- From the Detection Type dropdown list, select the desired rule type. Under Criteria, AND indicates that the endpoint must meet all of the listed criteria for EMS to consider it on-fabric; OR indicates that meeting any one of the criteria is enough. The following describes the rule types:
- DHCP Server: Configure the IP address (and optionally the MAC address) of the desired DHCP server, the DHCP code, or both.
- DNS Server: Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.
- EMS Connection: The only option for this type is that the endpoint satisfies the rule when it is online with EMS.
- Local IP/Subnet: Enter a range of IP addresses. Optionally enter the default gateway MAC address.
- Default Gateway: Enter the default gateway IP address. Optionally enter the default gateway MAC address.
- Ping Server: Enter the server IP address. EMS considers the endpoint as satisfying the rule if it can reach the server at the specified IP address. You can configure multiple addresses using the + button.
- Public IP: Enter the desired IP address. You can configure multiple addresses using the + button.
- Connection Media: From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected.
- VPN Tunnel: Enter an SSL or IPsec VPN tunnel name.
- Click Save.
The example shows nine rule sets. If a policy applied to an endpoint contains all nine sets, EMS considers the endpoint on-fabric as soon as it satisfies any one of the rule sets; rule sets are combined with OR.
The example shows a rule set that contains two rule types, DHCP server and DNS server. Rules within a set are combined with AND, so an endpoint must satisfy both rules to satisfy the rule set:
- The DHCP server rule requires the endpoint to be connected to a DHCP server that has one of the two specified IP addresses (192.168.1.1 or 192.168.1.2) together with the specified MAC address (54-b2-03-0a-0b-66), or that presents the specified DHCP code (FCTEMS0117284765).
- The DNS server rule requires the endpoint to be connected to a DNS server with the specified IP address (192.168.1.1).
The following shows the XML configuration for the same rule set:
<forticlient_configuration>
  <version>6.4.1</version>
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <onnet_addresses/>
    <onnet_mac_addresses/>
    <onnet_rules>
      <rule_set>
        <dhcp_server>
          <dhcp_code>
            <criterion id="0">FCTEMS0117284765</criterion>
          </dhcp_code>
          <ip_address>
            <criterion id="1">192.168.1.1</criterion>
            <criterion id="2">192.168.1.2</criterion>
          </ip_address>
          <mac_address>
            <criterion id="3">54-b2-03-0a-0b-66</criterion>
          </mac_address>
        </dhcp_server>
        <dns_server>
          <ip_address>
            <criterion id="4">192.168.1.1</criterion>
          </ip_address>
        </dns_server>
      </rule_set>
    </onnet_rules>
  </endpoint_control>
</forticlient_configuration>
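To make the AND/OR semantics concrete, the following Python evaluator parses a rule set in the XML format above and checks an endpoint's observed network state against it. It is an added example written for this page, not FortiClient or EMS code, and it models only the two rule types present in the sample (DHCP server and DNS server). The EndpointState fields, the treatment of the DNS rule as "any of the endpoint's configured DNS servers is listed", and the case-insensitive MAC comparison that accepts either ':' or '-' separators are assumptions, not documented EMS behaviour; the embedded XML is a constructed copy of the rule set above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a copy of the rule set shown above, embedded so the
# script runs offline. This is not a live EMS export.
RULE_SET_XML = """<forticlient_configuration>
  <version>6.4.1</version>
  <partial_configuration>1</partial_configuration>
  <endpoint_control>
    <onnet_addresses/>
    <onnet_mac_addresses/>
    <onnet_rules>
      <rule_set>
        <dhcp_server>
          <dhcp_code><criterion id="0">FCTEMS0117284765</criterion></dhcp_code>
          <ip_address>
            <criterion id="1">192.168.1.1</criterion>
            <criterion id="2">192.168.1.2</criterion>
          </ip_address>
          <mac_address><criterion id="3">54-b2-03-0a-0b-66</criterion></mac_address>
        </dhcp_server>
        <dns_server>
          <ip_address><criterion id="4">192.168.1.1</criterion></ip_address>
        </dns_server>
      </rule_set>
    </onnet_rules>
  </endpoint_control>
</forticlient_configuration>"""


@dataclass
class EndpointState:
    """Hypothetical model of what the endpoint observes on its current network."""
    dhcp_server_ip: Optional[str] = None
    dhcp_server_mac: Optional[str] = None
    dhcp_code: Optional[str] = None
    dns_servers: List[str] = field(default_factory=list)


def _criteria(rule: ET.Element, child: str) -> List[str]:
    """Collect the <criterion> values under rule/<child> (empty list if absent)."""
    return [c.text.strip() for c in rule.findall(f"{child}/criterion") if c.text]


def _norm_mac(mac: Optional[str]) -> Optional[str]:
    """Assumption: MACs compare case-insensitively with ':' or '-' separators."""
    return mac.lower().replace(":", "-") if mac else None


def dhcp_rule_matches(rule: ET.Element, state: EndpointState) -> bool:
    """DHCP Server rule as described above: (listed IP, plus the MAC if one is
    configured) OR the DHCP code."""
    ips = _criteria(rule, "ip_address")
    macs = [_norm_mac(m) for m in _criteria(rule, "mac_address")]
    codes = _criteria(rule, "dhcp_code")
    ip_ok = state.dhcp_server_ip in ips
    mac_ok = not macs or _norm_mac(state.dhcp_server_mac) in macs
    code_ok = state.dhcp_code in codes
    return (ip_ok and mac_ok) or code_ok


def dns_rule_matches(rule: ET.Element, state: EndpointState) -> bool:
    """DNS Server rule (assumed): any of the endpoint's DNS servers is listed."""
    ips = _criteria(rule, "ip_address")
    return any(server in ips for server in state.dns_servers)


# Only the two rule types present in the sample XML are modelled here.
RULE_EVALUATORS = {"dhcp_server": dhcp_rule_matches, "dns_server": dns_rule_matches}


def rule_set_matches(rule_set: ET.Element, state: EndpointState) -> bool:
    """Rules inside one <rule_set> are ANDed: every rule must hold."""
    rules = list(rule_set)
    if not rules:
        return False
    for rule in rules:
        evaluate = RULE_EVALUATORS.get(rule.tag)
        if evaluate is None:
            raise ValueError(f"rule type <{rule.tag}> is not modelled in this example")
        if not evaluate(rule, state):
            return False
    return True


def matched_rule_sets(xml_text: str, state: EndpointState) -> List[int]:
    """Indexes of the <rule_set> elements the endpoint satisfies. Rule sets are
    ORed, so a non-empty result means the endpoint is on-fabric."""
    root = ET.fromstring(xml_text)
    sets = root.findall("./endpoint_control/onnet_rules/rule_set")
    return [i for i, rs in enumerate(sets) if rule_set_matches(rs, state)]


def is_on_fabric(xml_text: str, state: EndpointState) -> bool:
    return bool(matched_rule_sets(xml_text, state))


if __name__ == "__main__":
    cases = {
        "DHCP IP+MAC match, DNS match": EndpointState("192.168.1.2", "54:B2:03:0A:0B:66", None, ["192.168.1.1"]),
        "DHCP IP match, wrong MAC, no code": EndpointState("192.168.1.2", "00-11-22-33-44-55", None, ["192.168.1.1"]),
        "foreign DHCP IP, DHCP code match": EndpointState("10.0.0.1", None, "FCTEMS0117284765", ["8.8.8.8", "192.168.1.1"]),
        "DHCP match, DNS mismatch (AND fails)": EndpointState("192.168.1.1", "54-b2-03-0a-0b-66", None, ["8.8.8.8"]),
    }
    for label, st in cases.items():
        print(f"{label}: on-fabric={is_on_fabric(RULE_SET_XML, st)}")
```

Running the cases shows the shape of the logic: the second endpoint fails because a MAC criterion, once configured, must match alongside the IP; the third passes on the DHCP code alone; the fourth fails because the DNS rule in the same set is not met. When you use these rules to relax controls on-fabric, keep in mind that DHCP, DNS, gateway and local-subnet criteria are all values the local network hands to the endpoint, so a rule set built only from them identifies a network that looks like yours rather than one that is yours; pairing them with the EMS connection or VPN tunnel types, which depend on an authenticated session rather than on observed addresses, gives the on-fabric profile a firmer footing.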
The following steps assume that you have already configured two endpoint profiles.
To configure a policy with on-fabric detection rules, an on-fabric profile, and an off-fabric profile:
- Go to Endpoint Policy > Manage Policies.
- Create a new policy or edit an existing policy.
- From the Profile dropdown list, select the profile to apply to endpoints that are on-fabric.
- From the Profile (Off-Fabric) dropdown list, select the profile to apply to endpoints that are off-fabric.
- In the On-Fabric Detection Rules field, select the desired rules to include in the policy.
- Click Save.
Registered FortiClient endpoints that this policy applies to receive both the on-fabric and off-fabric profiles; the endpoint applies one or the other according to its current on-/off-fabric status. If the policy does not define an off-fabric profile, the on-fabric profile is applied regardless of status. The EMS endpoint summary displays all matched rules for an on-fabric endpoint.