
EMS Administration Guide

Configuring EMS to share tagging information with multiple FortiGates

When an endpoint has a Zero Trust tag applied and EMS is operating as part of a Fortinet Security Fabric, EMS sends the endpoint's resolved IP address or MAC address (referred to below as the "host tag") to the FortiGate that the endpoint's FortiClient gateway points to. By default, only that FortiGate receives the host tag.

If your EMS is operating as part of a Security Fabric with multiple FortiGates, you may want to configure EMS to send the host tag to other FortiGates in the Fabric, in addition to the FortiGate that the endpoint's FortiClient gateway points to. You can configure this as follows.

The topology diagram for this example (not reproduced in this text) shows two FortiGates, a first floor FortiGate and a core FortiGate, both connected to the same EMS. The following is true for this scenario:

  • Both FortiGates are connected to EMS as part of a Security Fabric.
  • FortiClient is registered to EMS.
  • The FortiClient gateway points to the first floor FortiGate.
  • The FortiClient endpoint has the TAG_ANTIVIRUS_ON Zero Trust tag applied.
  • The host tag of the FortiClient endpoint with TAG_ANTIVIRUS_ON applied is 10.100.91.100.

By default in this example, the core FortiGate does not receive the host tag for TAG_ANTIVIRUS_ON. This is because the FortiClient device gateway is 10.100.91.1, which is the first floor FortiGate, not the core FortiGate.

You can configure the core FortiGate to receive the host tag for TAG_ANTIVIRUS_ON by allowing host tags from FortiClient endpoints connected to the first floor FortiGate to sync to the core FortiGate. Note that once the core FortiGate resolves TAG_ANTIVIRUS_ON to 10.100.91.100, any firewall policy on the core FortiGate that references that tag will match traffic from that endpoint, so review those policies before enabling sharing.

To configure EMS to share the host tag to additional FortiGates:
  1. Go to Administration > Fabric Devices.
  2. Select the serial number associated with the core FortiGate. In this example, it is FGVM02TM21011924.
  3. Click Edit.
  4. From the FortiClient Endpoint Sharing dropdown list, select Share FortiClients connected to selected fabric devices.
  5. From the Filter Tag IPs From Specific FortiGates dropdown list, select the serial number of the FortiGate on the first floor. In this example, it is FGVM02TM21011669. This change triggers EMS to resynchronize tag information to the first floor FortiGate.
  6. Click Save.
  7. Reselect the core FortiGate. It now displays that it receives host tag information from the first floor FortiGate.
  8. Verify that the core FortiGate is receiving the tag information:
    1. In FortiOS on the core FortiGate, go to Policy & Objects > ZTNA > ZTNA Tags.
    2. Hover over the ZTNA tag TAG_ANTIVIRUS_ON. Confirm that the Resolves To IP address displays the FortiClient IP address (10.100.91.100 in this example).
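Beyond the GUI check above, a practitioner verifying the change on several FortiGates may prefer to compare what each FortiGate resolves the tag to. The following is an added example, not part of this guide or of any Fortinet product: a Python script that parses the output of the FortiOS CLI command `diagnose firewall dynamic list` captured from the first floor and core FortiGates and reports whether the core FortiGate resolves TAG_ANTIVIRUS_ON to the expected host tag. The sample outputs, the EMS serial prefix `FCTEMS0000000001`, and the exact line layout (tag name, `ID(...)`, indented `ADDR(...)` lines) are constructed assumptions for this example; compare them against the output of your own FortiGates before relying on the parser.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output in the style of `diagnose firewall dynamic list`.
# The tag-name prefix (EMS serial), the ID field and the ADDR lines are an
# assumption for this example, not a documented format guarantee.
FIRST_FLOOR_OUTPUT = """\
List all dynamic addresses:

FCTEMS0000000001_TAG_ANTIVIRUS_ON: ID(97)
        ADDR(10.100.91.100)
FCTEMS0000000001_TAG_WINDOWS: ID(98)
        ADDR(10.100.91.100)
        ADDR(10.100.91.101)
"""

# Constructed: the core FortiGate before endpoint sharing is enabled. The tag
# object exists but resolves to nothing, because the endpoint's gateway is the
# first floor FortiGate (10.100.91.1), not the core FortiGate.
CORE_BEFORE_OUTPUT = """\
List all dynamic addresses:

FCTEMS0000000001_TAG_ANTIVIRUS_ON: ID(12)
"""

# Constructed: the core FortiGate after EMS shares FortiClients connected to
# the first floor FortiGate with it.
CORE_AFTER_OUTPUT = """\
List all dynamic addresses:

FCTEMS0000000001_TAG_ANTIVIRUS_ON: ID(12)
        ADDR(10.100.91.100)
"""

TAG_LINE = re.compile(r"^(?P<name>\S+):\s+ID\((?P<id>\d+)\)\s*$")
# ADDR() may carry an IPv4, IPv6 or MAC address (the page says the host tag
# is a resolved IP or MAC), so accept hex digits, dots and colons.
ADDR_LINE = re.compile(r"^\s+ADDR\((?P<addr>[0-9A-Fa-f:.]+)\)\s*$")


def parse_dynamic_list(output: str) -> Dict[str, Set[str]]:
    """Map each dynamic address name to the set of addresses it resolves to."""
    tags: Dict[str, Set[str]] = {}
    current = None
    for line in output.splitlines():
        m = TAG_LINE.match(line)
        if m:
            current = m.group("name")
            tags[current] = set()
            continue
        m = ADDR_LINE.match(line)
        if m and current is not None:
            tags[current].add(m.group("addr"))
    return tags


def resolved_for_tag(tags: Dict[str, Set[str]], ztna_tag: str) -> Set[str]:
    """Collect addresses for a ZTNA tag, matching the bare name or the
    EMS-serial-prefixed form (assumed to be "<serial>_<tag>")."""
    result: Set[str] = set()
    for name, addrs in tags.items():
        if name == ztna_tag or name.endswith("_" + ztna_tag):
            result |= addrs
    return result


def check_sharing(first_floor_output: str, core_output: str,
                  ztna_tag: str, expected_addr: str) -> Tuple[bool, List[str]]:
    """Return (ok, missing). ok is True when the core FortiGate resolves the
    tag to expected_addr and misses none of the addresses the first floor
    FortiGate resolves it to; missing lists the addresses not yet shared."""
    first_floor = resolved_for_tag(parse_dynamic_list(first_floor_output), ztna_tag)
    core = resolved_for_tag(parse_dynamic_list(core_output), ztna_tag)
    missing = sorted(first_floor - core)
    ok = expected_addr in core and not missing
    return ok, missing


if __name__ == "__main__":
    for label, core_out in (("before", CORE_BEFORE_OUTPUT), ("after", CORE_AFTER_OUTPUT)):
        ok, missing = check_sharing(FIRST_FLOOR_OUTPUT, core_out,
                                    "TAG_ANTIVIRUS_ON", "10.100.91.100")
        print(f"core FortiGate {label} sharing: ok={ok} missing={missing}")
```

To use this against real devices, capture `diagnose firewall dynamic list` from each FortiGate (for example over SSH) and pass the two outputs to check_sharing; a non-empty missing list after the EMS change means the resynchronization has not reached the core FortiGate yet or the sharing selection does not include the FortiGate the endpoint is actually connected to.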
