FortiOS dynamic policies using EMS dynamic endpoint groups
After defining Zero Trust tagging rules in EMS, you can configure FortiOS to receive the dynamic endpoint groups from EMS using the FortiClient EMS Fabric connector which supports SSL and imports trusted certificates. When a change to the dynamic endpoint groups occurs, such as an endpoint being added to or removed from a group, EMS sends the update to FortiOS, and FortiOS updates its dynamic policies accordingly, providing dynamic access control based on endpoint status.
EMS supports this feature with FortiOS 6.4 and 6.2. Configuration differs depending on the FortiOS version that you use:
- Configuring FortiOS 6.4 dynamic policies using EMS dynamic endpoint groups
- Configuring FortiOS 6.2 dynamic policies using EMS dynamic endpoint groups
FortiOS only receives endpoint information and enforces compliance for directly connected endpoints. Directly connected endpoints are the ones that have FortiGate as the default gateway.
This feature works for endpoints that are connected to a VPN tunnel as long as they can access EMS and the FortiOS version is 6.4.7 or later.