EMS Administration Guide

Configuring FortiOS dynamic policies using EMS dynamic endpoint groups

FortiOS uses an EMS connector to retrieve dynamic endpoint groups from EMS. Configuring this feature requires the following steps:

  1. Checking prerequisites
  2. Configuring the EMS connector:
    1. Uploading certificates to EMS and FortiOS
    2. Creating the EMS connector in FortiOS
    3. Authorizing the FortiOS EMS connector in EMS
    4. Verifying the FortiOS-EMS connection in FortiOS
  3. Creating a dynamic firewall policy using dynamic endpoint groups from EMS
Note

If you configure a connection between EMS and a FortiGate that is part of a Security Fabric with multiple FortiGates, the root FortiGate can also obtain Zero Trust tags from EMS. However, the root FortiGate does not have any IP addresses to associate with the received tags.

Checking prerequisites

You must ensure that the following prerequisites are met before configuring this feature:

  • Create Zero Trust tagging rules. See Adding a Zero Trust tagging rule set.
  • After FortiClient connects Telemetry to EMS, confirm that EMS dynamically groups endpoints based on the Zero Trust tagging rules. See Zero Trust Tag Monitor.
  • Export a certificate authority (CA)-signed certificate to upload to FortiOS and a web server certificate to upload to EMS. For details on configuring a server certificate using the Microsoft Certification Authority Management Console, see Configure the Server Certificate Template. You can use another CA as desired.

Configuring the EMS connector

Uploading certificates to EMS and FortiOS

To upload certificates to EMS and FortiOS:

Certificates are required to set up a secure connection between EMS and FortiOS. Uploading the CA-signed certificate to FortiOS allows FortiOS to trust the certificate that you upload to EMS.

  1. Upload the server certificate to EMS:
    1. Go to System Settings > EMS Settings.
    2. Under Shared Settings, click the Upload new SSL certificate button.
    3. Upload the server certificate and private key. Click Test.
    4. Click Save.
  2. Upload the certificate to FortiOS:
    1. Go to System > Certificates.
    2. From the Import dropdown list, select CA Certificates.
    3. Upload the CA-signed certificate.
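A pre-flight check for the certificate pair before you upload it, as an added example that is not part of this guide and not Fortinet tooling: it runs openssl (assumed to be installed) to confirm that the private key matches the server certificate, that the certificate chains to the CA certificate you will import into FortiOS, and that its subject alternative name covers the name you will later enter in the connector's IP/Domain name field. The throw-away CA and server certificate it generates are constructed sample input so the script runs offline; the name sitea.ems.example.com is the guide's own multitenancy example.

```shell
#!/bin/sh
# Pre-flight check for the EMS server certificate and the CA certificate before
# they are uploaded (server cert + key to EMS, CA cert to FortiOS).
# Added example, not Fortinet tooling. Assumes an openssl binary in PATH.
set -eu

# check_ems_cert CA_CERT SERVER_CERT SERVER_KEY EMS_NAME
# Prints "ok" and returns 0 when (1) the private key belongs to the server
# certificate, (2) the certificate chains to CA_CERT, the CA FortiOS will be
# told to trust, and (3) the certificate's SAN covers EMS_NAME, the value you
# will type into the connector's IP/Domain name field (site.fqdn for a
# multitenancy site). Otherwise prints which check failed and returns 1.
check_ems_cert() {
  ca="$1"; crt="$2"; key="$3"; name="$4"
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing: $f"; return 1; }
  done

  # (1) Compare the public key embedded in the certificate with the public key
  # derived from the private key; a mismatch means the pair was mixed up.
  crt_pub="$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)"
  key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)"
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "key: private key does not match $crt"; return 1
  fi

  # (2) Chain check against the CA certificate FortiOS will trust.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "chain: $crt is not signed by $ca"; return 1
  fi

  # (3) Name check: standard TLS hostname validation against the SAN.
  if ! openssl verify -CAfile "$ca" -verify_hostname "$name" "$crt" >/dev/null 2>&1; then
    echo "name: $name is not covered by $crt"; return 1
  fi
  echo ok
}

# make_sample_pki DIR EMS_NAME
# Constructed sample input: a throw-away CA and a server certificate it signs,
# so the check above can run offline. In practice these come from your own CA.
make_sample_pki() {
  dir="$1"; ems_name="$2"
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ems_name
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$ems_name" -keyout "$dir/ems.key" -out "$dir/ems.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ems.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/openssl.cnf" -extensions v3_server \
    -out "$dir/ems.crt" >/dev/null 2>&1
}

# Demo run on the constructed sample; replace the paths with your real files.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_sample_pki "$WORK" sitea.ems.example.com
check_ems_cert "$WORK/ca.crt" "$WORK/ems.crt" "$WORK/ems.key" sitea.ems.example.com
```

Point check_ems_cert at the real CA certificate, server certificate and key instead of the generated ones. A chain failure here is the same trust failure the FortiGate would hit after the CA import, and it is easier to diagnose from a one-line message than from a connector that never reaches an authorized state.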

Creating the EMS connector in FortiOS

You can create the EMS connector in the FortiOS GUI or CLI.

To create the EMS connector in the FortiOS GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New, then select FortiClient EMS.
  3. For Type, select FortiClient EMS.
  4. In the Name field, enter the desired name.
  5. In the IP/Domain name field, enter the EMS IP address or domain name. If EMS multitenancy is enabled, you must enter the FQDN instead of the IP address. You must enter the FQDN in the format site.fqdn to integrate the FortiGate with a specific EMS multitenancy site. For example, if the site name is site A, enter sitea.ems.example.com. See Multitenancy.
  6. Ensure that Synchronize firewall addresses is enabled. This allows FortiOS to automatically create and synchronize firewall addresses for dynamic endpoint groups received from EMS.
  7. Click OK.

To create the EMS connector in the FortiOS CLI:

    config endpoint-control fctems
        edit "ems137"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.137"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set call-timeout 5000
        next
    end

Authorizing the FortiOS EMS connector in EMS

To authorize the FortiOS EMS connector in EMS:
  1. EMS must authorize the Fabric connector created in FortiOS. Do one of the following:
    1. Log in to EMS. A prompt displays to authorize the FortiGate. Click Authorize.
    2. Go to Administration > Fabric Devices. Select the desired FortiGate, then click Authorize.

    You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. See Fabric Devices.

Verifying the FortiOS-EMS connection in FortiOS

To verify the FortiOS-EMS connection in FortiOS:
  1. Authorize the connection by doing one of the following:
    1. In the right pane, under FortiClient EMS Status, click Authorize.
    2. After EMS authorizes the FortiGate, authorize the connection in the FortiOS CLI by running the execute fctems verify <fctems> command.
  2. FortiOS should now automatically pull the dynamic endpoint groups from EMS as dynamic firewall addresses. Go to Policy & Objects > Addresses to view the addresses.

Creating a dynamic firewall policy using dynamic endpoint groups from EMS

To create a dynamic firewall policy using dynamic endpoint groups from EMS:
  1. In FortiOS, go to Policy & Objects > Firewall Policy. Click Create New.
  2. In the Source field, click +. The Select Entries pane appears. On the Address tab, select the address based on the desired dynamic endpoint group from EMS.
  3. Configure other options as desired. Click OK.
  4. Go to Policy & Objects > Firewall Policy to ensure the policy was created. FortiOS updates this policy when it receives updates from EMS.
