Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 6.4.3 EMS Administration Guide
    6.4.3
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    On-fabric Detection Rules

    On-fabric Detection Rules

    You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

    When a user switches accounts between a local non-domain account and a domain account on the same machine, FortiClient EMS may not apply the correct policy to the endpoint.

    Note

    On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric status as Determining on-fabric/off-fabric status describes.
    To add an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click Add.
    3. In the Name field, enter the desired name.
    4. Enable or disable the rule set by toggling Enabled on or off.
    5. Click Add Rule.
    6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

      Detection type

      Description

      DHCP Server

      On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/Mac Address tab, the MAC Address field is optional.

      The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use FortiGate serial number as the DHCP code if desired.

      EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

      DNS Server

      Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

      EMS Connection

      The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.

      Local IP/Subnet

      In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

      This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.

      Default Gateway

      In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

      Ping Server

      In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.

      Public IP

      In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

      Connection Media

      From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

      VPN Tunnel

      In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.
    7. Click Add Rule.
    8. Click Save.
    To edit an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Select the rule set.
    3. Click Edit.
    4. Edit as desired.
    5. Click Save.
    To delete an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click the desired rule set.
    3. Click Delete.
    4. In the confirmation dialog, click Yes.
    To delete an on-fabric detection rule from a rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click the desired rule set.
    3. Under Rules, select the desired rule.
    4. Click Delete Rule.
    5. Click Save.
    To enable/disable an on-fabric detection rule:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Select or deselect the Enabled checkbox for the desired rule set.

    Determining on-fabric/off-fabric status

    This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.

    There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:

    • DHCP on-fabric/off-fabric
    • On-fabric detection rules configured for the endpoint's assigned policy

    The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-fabric with that FortiGate.

    DHCP on-fabric/off-fabric

    On-fabric detection rules

    Option 224 serial number

    Resulting endpoint status

    Disabled

    Not configured

    N/A

    Endpoint is on-fabric when registered to EMS.

    Enabled

    Not configured

    Not configured

    Endpoint is off-fabric when registered to EMS.

    Enabled

    Not configured

    Configured

    On-fabric

    Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-fabric with that FortiGate.

    N/A

    Enabled, with subnet configured.

    Endpoint IP address is in the configured subnet.

    N/A

    On-fabric

    The endpoint is inside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

    N/A

    Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

    N/A

    Off-fabric

    The endpoint is outside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

    An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-fabric networks.

    An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy.

    Previous
    Next

    On-fabric Detection Rules

    On-fabric Detection Rules

    You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

    When a user switches accounts between a local non-domain account and a domain account on the same machine, FortiClient EMS may not apply the correct policy to the endpoint.

    Note

    On-fabric detection rules do not apply to endpoints running FortiClient 6.2.1 and earlier versions. Endpoints running FortiClient 6.2.1 and earlier versions determine on-/off-fabric status as Determining on-fabric/off-fabric status describes.
    To add an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click Add.
    3. In the Name field, enter the desired name.
    4. Enable or disable the rule set by toggling Enabled on or off.
    5. Click Add Rule.
    6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

      Detection type

      Description

      DHCP Server

      On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/Mac Address tab, the MAC Address field is optional.

      The DHCP code is synonymous with the old option 224, which FortiClient would read from the DHCP server and send to the FortiGate in FortiOS 6.0. It used to be the FortiGate serial number. Now, it can be any string configured in the DHCP server as option 224. You may still use FortiGate serial number as the DHCP code if desired.

      EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

      DNS Server

      Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

      EMS Connection

      The only available option for this detection type is that EMS considers the endpoint as satisfying the rule if it is online with EMS.

      Local IP/Subnet

      In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

      This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.

      Default Gateway

      In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway configuration matches the IP address specified and MAC address, if it is configured. Configuring the MAC address is optional. You can configure multiple addresses using the + button.

      Ping Server

      In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can access the server at the specified IP address. You can configure multiple addresses using the + button.

      Public IP

      In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

      Connection Media

      From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

      VPN Tunnel

      In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure tunnels using the + button.
    7. Click Add Rule.
    8. Click Save.
    To edit an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Select the rule set.
    3. Click Edit.
    4. Edit as desired.
    5. Click Save.
    To delete an on-fabric detection rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click the desired rule set.
    3. Click Delete.
    4. In the confirmation dialog, click Yes.
    To delete an on-fabric detection rule from a rule set:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Click the desired rule set.
    3. Under Rules, select the desired rule.
    4. Click Delete Rule.
    5. Click Save.
    To enable/disable an on-fabric detection rule:
    1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
    2. Select or deselect the Enabled checkbox for the desired rule set.

    Determining on-fabric/off-fabric status

    This section only applies to endpoints running FortiClient 6.2.1 and earlier versions.

    There are two settings in EMS that affect FortiClient on-fabric/off-fabric status:

    • DHCP on-fabric/off-fabric
    • On-fabric detection rules configured for the endpoint's assigned policy

    The table shows how the DHCP on-fabric/off-fabric setting, on-fabric detection rules, and Option 224 serial number affect the endpoint's on-fabric/off-fabric status. DHCP on-fabric/off-fabric only applies when the endpoint is connected to EMS. You can configure Option 224 with any Fortinet device's serial number. EMS assumes that FortiClient is behind a FortiGate and on-fabric with that FortiGate.

    DHCP on-fabric/off-fabric

    On-fabric detection rules

    Option 224 serial number

    Resulting endpoint status

    Disabled

    Not configured

    N/A

    Endpoint is on-fabric when registered to EMS.

    Enabled

    Not configured

    Not configured

    Endpoint is off-fabric when registered to EMS.

    Enabled

    Not configured

    Configured

    On-fabric

    Since Option 224 is configured with a Fortinet device's serial number, EMS assumes FortiClient is on-fabric with that FortiGate.

    N/A

    Enabled, with subnet configured.

    Endpoint IP address is in the configured subnet.

    N/A

    On-fabric

    The endpoint is inside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

    N/A

    Enabled, with subnet configured. Endpoint IP address is not in the configured subnet.

    N/A

    Off-fabric

    The endpoint is outside the on-fabric networks configured in the applied endpoint policy's on-fabric detection rules.

    An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside any of the on-fabric networks.

    An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy.

    Previous
    Next