Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

EMS QuickStart Guide

Viewing the Endpoints pane

You can view information about endpoints on the Endpoints pane.

To view the Endpoints pane:
  1. Go to Endpoints, and select All Endpoints, a domain, or workgroup. The list of endpoints, a quick status bar, and a toolbar display in the content pane.

    Not Installed

    Number of endpoints that do not have FortiClient installed. Click to display the list of endpoints without FortiClient installed.

    Not Registered

    Number of endpoints that are not connected to FortiClient EMS. Click to display the list of disconnected endpoints.

    Out-Of-Sync

    Number of endpoints with an out-of-sync profile. Click to display the list of endpoints with out-of-sync profiles.

    Security Risk

    Number of endpoints that are security risks. Click to display the list of endpoints that are security risks.

    Quarantined

    Number of endpoints that EMS has quarantined. Click to display the list of quarantined endpoints.

    Endpoints

    Click the checkbox to select all endpoints displayed in the content pane.

    Show/Hide Heading

    Click to hide or display the following column headings: Device, User, IP, Configurations, Connections, and Alerts and Events.

    Show/Hide Full Group Path

    Click to hide or display the full path for the group that the endpoint belongs to.

    Refresh

    Click to refresh the list of endpoints.

    Search All Fields

    Enter a value and press Enter to search for the value in the list of endpoints.

    Filters

    Click to display and hide filters you can use to filter the list of endpoints.

    Device

    Visible when headings are displayed. Displays an icon to represent the OS on the endpoint, the hostname, and the endpoint group.

    User

    Visible when headings are displayed. Displays the name of the user logged into the endpoint.

    IP

    Visible when headings are displayed. Displays the endpoint's IP address.

    Configurations

    Visible when headings are displayed. Displays the name of the policy assigned to the endpoint and its synchronization status.

    Connections

    Visible when headings are displayed. Displays the connection status between FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate, displays the FortiGate hostname.

    Alerts and Events

    Visible when headings are displayed. Displays FortiClient alerts and events for the endpoint.

  2. Click an endpoint to display its details in the content pane. The following dropdown lists display in the toolbar for the selected endpoint:

    Scan

    Click to start a Vulnerability or AV scan on the selected endpoint.

    Patch

    Click to patch all critical and high vulnerabilities on the selected endpoint. Choose one of the following options:

    • Selected Vulnerabilities on Selected Clients
    • Selected Vulnerabilities on All Affected Clients
    • All Critical and High Vulnerabilities

    Move to

    Move the endpoint to a different group.

    Action

    Click to perform one of the following actions on the selected endpoint:

    • Request FortiClient Logs
    • Request Diagnostic Results
    • Update Signatures
    • Download Available FortiClient Logs
    • Download Available Diagnostic Results
    • Deregister
    • Quarantine
    • Un-quarantine
    • Exclude from Management
    • Clear Events
    • Mark as Uninstalled
    • Set Importance
    • Set Custom Tags. This option is only available if you have already created a custom tag.
    • Delete Device

    The following tabs are available in the content pane toolbar when you select an endpoint, depending on which FortiClient features are installed on the endpoint and enabled via the assigned profile:

    Summary

     

     

    <user name>

    Displays the name of the user logged into the selected endpoint. Also displays the user's avatar, email address, and phone number if these are provided to FortiClient on the endpoint. If the user's LinkedIn, Google, Salesforce, or other cloud app account is linked in FortiClient, the username from the cloud application displays. Also displays the group that the endpoint belongs to in EMS.

     

    Device

    Displays the selected endpoint's hostname. You can enter an alias if desired.

     

    OS

    Displays the selected endpoint's operating system and version number.

     

    IP

    Displays the selected endpoint's IP address.

     

    MAC

    Displays the selected endpoint's MAC address.

     

    Last Seen

    Displays the last date and time that FortiClient sent a keep-alive message to EMS. This information is useful if FortiClient is offline because it indicates when the last keep-alive message occurred.

     

    Location

    Displays whether the selected endpoint is on- or off-fabric. You can also view any on-fabric detection rules that the endpoint is applicable for. See On-fabric Detection Rules.

     

    Network Status

    This section only appears for endpoints running FortiClient 6.4.1 and later versions.

    Displays the following information for the networks that the endpoint is connected to:

    • MAC address
    • IP address
    • Gateway IP address
    • Gateway MAC address
    • SSID for Wi-Fi connections

     

    Hardware Details

    Displays the hardware model, vendor, CPU, RAM, and serial number information for the endpoint device, if available.

     

    Host Verification Tags

    Displays which tags have been applied to the endpoint based on the compliance verification rules. See Compliance Verification.

     

    Connection

    Displays the connection status between the selected endpoint and FortiClient EMS and between the endpoint and FortiGate.

     

    Configuration

    Displays the following information for the selected endpoint:

    • Policy: Endpoint policy assigned to the selected endpoint
    • Profile: Profile assigned to the selected endpoint
    • Off-fabric Profile: Off-fabric profile assigned to the selected endpoint
    • Installer: FortiClient installer used for the selected endpoint.
    • Telemetry Gateway List: Telemetry gateway list used for the selected endpoint. Displays Not Assigned if no Telemetry gateway list has been assigned to the selected endpoint.
    • FortiClient Version: FortiClient version installed on the selected endpoint.
    • FortiClient Serial Number: Serial number for the selected endpoint's FortiClient license.

     

    Classification Tags

    Displays classification tags that are currently assigned to the endpoint. You can also assign a classification tag to the endpoint. Classification tags include the default importance level tags (low, medium, high, or critical), and custom tags. An endpoint can only have one default importance tag assigned, but can have multiple custom tags assigned. You can also unassign a tag from the endpoint, and create, assign, or delete a custom tag. To create a new custom tag, click the Add button, enter the desired tag, the click the + button. When you create a tag, it is available for assignment to all endpoints in the current site.

    You can have a maximum of eight custom tags at a time.

    You can assign a classification tag to multiple endpoints by selecting the endpoints, then selecting Action > Set Importance or Set Custom Tags.

    See Sending endpoint classification tags to FortiAnalyzer.

     

    Status

    Displays one of the following statuses:

    • Managed: Endpoint is managed by EMS.
    • Quarantined: If quarantined, displays access code. The user can enter this access code in the affected endpoint's FortiClient to remove the endpoint from quarantine.
    • Excluded: Endpoint is excluded from management by EMS.

     

    Features

    Displays which features are enabled for FortiClient.

    Antivirus Events

     

    Date

    Displays the AV event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the AV event's message.

     

    Actions

    Mark the event as read or delete it.

    Cloud Scan Events

     

    Date

    Displays the cloud-based malware detection event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the cloud-based malware detection event's message.

     

    Actions

    Mark the event as read or delete it.

    AntiExploit Events

     

     

     

    Date

    Displays the AntiExploit event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the AntiExploit event's message.

     

    Actions

    Mark the event as read or delete it.

    USB Device Events

     

    Date

    Displays the USB device event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the USB device event's message.

     

    Actions

    Mark the event as read or delete it.

    Sandbox Events

     

    Date

    Displays the sandbox event's date and time.

     

    Message

    Displays the sandbox event's message.

     

    Rating

    Displays the file's risk rating as retrieved from FortiSandbox.

     

    Checksum

    Displays the checksum for the file.

     

    Download

    Download a PDF version of the detailed report.

     

    Magnifying glass

    Click to view a more detailed report. See Viewing Sandbox event details.

    Firewall Events

     

     

    Date

    Displays the firewall event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the firewall event's message.

     

    Actions

    Mark the event as read or delete it.

    Web Filter Events

     

     

    Date

    Displays the web filter event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the web filter event's message.

     

    Actions

    Mark the event as read or delete it.

    Vulnerability Events

     

     

    Vulnerability

    Displays the vulnerability's name. For example, Security update available for Adobe Reader.

     

    Category

    Displays the vulnerability's category. For example, Third Party App.

     

    Application

    Displays the name of the application with the vulnerability.

     

    Severity

    Displays the vulnerability's severity.

     

    Patch Type

    Displays the patch type for this vulnerability: Auto or Manual.

     

    FortiGuard

    Displays the FortiGuard ID number. If you click the FortiGuard ID number, it redirects you to FortiGuard where further information is provided if available.

    System Events

     

     

    Date

    Displays the system event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the system event's message.

     

    Actions

    Mark the event as read.

Viewing the Endpoints pane

You can view information about endpoints on the Endpoints pane.

To view the Endpoints pane:
  1. Go to Endpoints, and select All Endpoints, a domain, or workgroup. The list of endpoints, a quick status bar, and a toolbar display in the content pane.

    Not Installed

    Number of endpoints that do not have FortiClient installed. Click to display the list of endpoints without FortiClient installed.

    Not Registered

    Number of endpoints that are not connected to FortiClient EMS. Click to display the list of disconnected endpoints.

    Out-Of-Sync

    Number of endpoints with an out-of-sync profile. Click to display the list of endpoints with out-of-sync profiles.

    Security Risk

    Number of endpoints that are security risks. Click to display the list of endpoints that are security risks.

    Quarantined

    Number of endpoints that EMS has quarantined. Click to display the list of quarantined endpoints.

    Endpoints

    Click the checkbox to select all endpoints displayed in the content pane.

    Show/Hide Heading

    Click to hide or display the following column headings: Device, User, IP, Configurations, Connections, and Alerts and Events.

    Show/Hide Full Group Path

    Click to hide or display the full path for the group that the endpoint belongs to.

    Refresh

    Click to refresh the list of endpoints.

    Search All Fields

    Enter a value and press Enter to search for the value in the list of endpoints.

    Filters

    Click to display and hide filters you can use to filter the list of endpoints.

    Device

    Visible when headings are displayed. Displays an icon to represent the OS on the endpoint, the hostname, and the endpoint group.

    User

    Visible when headings are displayed. Displays the name of the user logged into the endpoint.

    IP

    Visible when headings are displayed. Displays the endpoint's IP address.

    Configurations

    Visible when headings are displayed. Displays the name of the policy assigned to the endpoint and its synchronization status.

    Connections

    Visible when headings are displayed. Displays the connection status between FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate, displays the FortiGate hostname.

    Alerts and Events

    Visible when headings are displayed. Displays FortiClient alerts and events for the endpoint.

  2. Click an endpoint to display its details in the content pane. The following dropdown lists display in the toolbar for the selected endpoint:

    Scan

    Click to start a Vulnerability or AV scan on the selected endpoint.

    Patch

    Click to patch all critical and high vulnerabilities on the selected endpoint. Choose one of the following options:

    • Selected Vulnerabilities on Selected Clients
    • Selected Vulnerabilities on All Affected Clients
    • All Critical and High Vulnerabilities

    Move to

    Move the endpoint to a different group.

    Action

    Click to perform one of the following actions on the selected endpoint:

    • Request FortiClient Logs
    • Request Diagnostic Results
    • Update Signatures
    • Download Available FortiClient Logs
    • Download Available Diagnostic Results
    • Deregister
    • Quarantine
    • Un-quarantine
    • Exclude from Management
    • Clear Events
    • Mark as Uninstalled
    • Set Importance
    • Set Custom Tags. This option is only available if you have already created a custom tag.
    • Delete Device

    The following tabs are available in the content pane toolbar when you select an endpoint, depending on which FortiClient features are installed on the endpoint and enabled via the assigned profile:

    Summary

     

     

    <user name>

    Displays the name of the user logged into the selected endpoint. Also displays the user's avatar, email address, and phone number if these are provided to FortiClient on the endpoint. If the user's LinkedIn, Google, Salesforce, or other cloud app account is linked in FortiClient, the username from the cloud application displays. Also displays the group that the endpoint belongs to in EMS.

     

    Device

    Displays the selected endpoint's hostname. You can enter an alias if desired.

     

    OS

    Displays the selected endpoint's operating system and version number.

     

    IP

    Displays the selected endpoint's IP address.

     

    MAC

    Displays the selected endpoint's MAC address.

     

    Last Seen

    Displays the last date and time that FortiClient sent a keep-alive message to EMS. This information is useful if FortiClient is offline because it indicates when the last keep-alive message occurred.

     

    Location

    Displays whether the selected endpoint is on- or off-fabric. You can also view any on-fabric detection rules that the endpoint is applicable for. See On-fabric Detection Rules.

     

    Network Status

    This section only appears for endpoints running FortiClient 6.4.1 and later versions.

    Displays the following information for the networks that the endpoint is connected to:

    • MAC address
    • IP address
    • Gateway IP address
    • Gateway MAC address
    • SSID for Wi-Fi connections

     

    Hardware Details

    Displays the hardware model, vendor, CPU, RAM, and serial number information for the endpoint device, if available.

     

    Host Verification Tags

    Displays which tags have been applied to the endpoint based on the compliance verification rules. See Compliance Verification.

     

    Connection

    Displays the connection status between the selected endpoint and FortiClient EMS and between the endpoint and FortiGate.

     

    Configuration

    Displays the following information for the selected endpoint:

    • Policy: Endpoint policy assigned to the selected endpoint
    • Profile: Profile assigned to the selected endpoint
    • Off-fabric Profile: Off-fabric profile assigned to the selected endpoint
    • Installer: FortiClient installer used for the selected endpoint.
    • Telemetry Gateway List: Telemetry gateway list used for the selected endpoint. Displays Not Assigned if no Telemetry gateway list has been assigned to the selected endpoint.
    • FortiClient Version: FortiClient version installed on the selected endpoint.
    • FortiClient Serial Number: Serial number for the selected endpoint's FortiClient license.

     

    Classification Tags

    Displays classification tags that are currently assigned to the endpoint. You can also assign a classification tag to the endpoint. Classification tags include the default importance level tags (low, medium, high, or critical), and custom tags. An endpoint can only have one default importance tag assigned, but can have multiple custom tags assigned. You can also unassign a tag from the endpoint, and create, assign, or delete a custom tag. To create a new custom tag, click the Add button, enter the desired tag, the click the + button. When you create a tag, it is available for assignment to all endpoints in the current site.

    You can have a maximum of eight custom tags at a time.

    You can assign a classification tag to multiple endpoints by selecting the endpoints, then selecting Action > Set Importance or Set Custom Tags.

    See Sending endpoint classification tags to FortiAnalyzer.

     

    Status

    Displays one of the following statuses:

    • Managed: Endpoint is managed by EMS.
    • Quarantined: If quarantined, displays access code. The user can enter this access code in the affected endpoint's FortiClient to remove the endpoint from quarantine.
    • Excluded: Endpoint is excluded from management by EMS.

     

    Features

    Displays which features are enabled for FortiClient.

    Antivirus Events

     

    Date

    Displays the AV event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the AV event's message.

     

    Actions

    Mark the event as read or delete it.

    Cloud Scan Events

     

    Date

    Displays the cloud-based malware detection event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the cloud-based malware detection event's message.

     

    Actions

    Mark the event as read or delete it.

    AntiExploit Events

     

     

     

    Date

    Displays the AntiExploit event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the AntiExploit event's message.

     

    Actions

    Mark the event as read or delete it.

    USB Device Events

     

    Date

    Displays the USB device event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the USB device event's message.

     

    Actions

    Mark the event as read or delete it.

    Sandbox Events

     

    Date

    Displays the sandbox event's date and time.

     

    Message

    Displays the sandbox event's message.

     

    Rating

    Displays the file's risk rating as retrieved from FortiSandbox.

     

    Checksum

    Displays the checksum for the file.

     

    Download

    Download a PDF version of the detailed report.

     

    Magnifying glass

    Click to view a more detailed report. See Viewing Sandbox event details.

    Firewall Events

     

     

    Date

    Displays the firewall event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the firewall event's message.

     

    Actions

    Mark the event as read or delete it.

    Web Filter Events

     

     

    Date

    Displays the web filter event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the web filter event's message.

     

    Actions

    Mark the event as read or delete it.

    Vulnerability Events

     

     

    Vulnerability

    Displays the vulnerability's name. For example, Security update available for Adobe Reader.

     

    Category

    Displays the vulnerability's category. For example, Third Party App.

     

    Application

    Displays the name of the application with the vulnerability.

     

    Severity

    Displays the vulnerability's severity.

     

    Patch Type

    Displays the patch type for this vulnerability: Auto or Manual.

     

    FortiGuard

    Displays the FortiGuard ID number. If you click the FortiGuard ID number, it redirects you to FortiGuard where further information is provided if available.

    System Events

     

     

    Date

    Displays the system event's date and time.

     

    Count

    Displays the number of occurrences for this event.

     

    Message

    Displays the system event's message.

     

    Actions

    Mark the event as read.