Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups
FortiOS 6.2 uses the FSSO protocol to retrieve dynamic endpoint groups from EMS. The following instructions only apply when using FortiOS 6.2.
The following configuration is necessary for this feature:
- In FortiClient EMS, create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set.
- After Telemetry communication has occurred between EMS and FortiClient, ensure that EMS has dynamically grouped endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor.
- In FortiOS, create the EMS Fabric connector.
- Configure FSSO settings.
- In FortiOS, create a user group based on EMS dynamic endpoint groups.
- In FortiOS, create a dynamic firewall policy for the user group.
EMS can be connected to a maximum of three FortiGates at a time via the FSSO protocol.
To create the EMS Fabric connector in FortiOS:
You can create the EMS Fabric connector in the FortiOS GUI or CLI. If desired, you can optionally configure the Fabric connector with an SSL certificate and a password for FSSO. If configured, you must configure the same certificate and password in EMS to ensure a successful connection.
- Go to Security Fabric > Fabric Connectors.
- Click Create New, then select FortiClient EMS.
- In the Name field, enter the desired name.
- For Type, select FortiClient EMS.
- In the Primary Server IP field, enter the EMS IP address. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format side.fqdn to integrate the FortiGate to the a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy.
- (Optional) From the Trusted SSL certificate dropdown list, select the certificate.
- (Optional) In the Password field, enter the desired password.
- Click Apply & Refresh.
To configure EMS FSSO Settings:
If you configured a certificate and/or password in To create the EMS Fabric connector in FortiOS:, you must configure the same certificate and password in EMS.
- If you configured a certificate for the EMS Fabric connector in FortiOS, do the following:
- In FortiOS, go to System > Certificates.
- Right-click the configured certificate, then select Download.
- In EMS, go to System Settings > EMS Settings.
- For SSL certificate, browse to and upload the certificate downloaded in step 1.
- In the Configure FSSO Password field, enter the password.
- Click Save.
To create a user group based on EMS dynamic groups:
- In FortiOS, go to User & Device > User Groups. Click Create New.
- In the Name field, enter the desired name.
- For Type, select Fortinet Single Sign-On (FSSO).
- In the Members field, click +. The Select Entries pane appears. Select the dynamic endpoint groups pulled from EMS.
- Select the desired dynamic endpoint groups. Endpoints that currently belong to this EMS dynamic endpoint group will be members of this FortiOS user group.
- Click OK.
To create a dynamic firewall policy for the user group:
You can now create a dynamic firewall policy for the user group. In this example, an IPv4 policy is created for the user group.
- In FortiOS, go to Policy & Objects > IPv4 Policy. Click Create New.
- In the Source field, click +. The Select Entries pane appears. On the User tab, select the user group configured above.
- Configure other options as desired. Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group. FortiOS will update this policy when it receives updates from EMS.