Viewing the Endpoints pane
You can view information about endpoints on the Endpoints pane.
To view the Endpoints pane:
- Go to Endpoints, and select All Endpoints, a domain, or workgroup.
The list of endpoints, a quick status bar, and a toolbar display in the content pane.
Not Installed
Number of endpoints that do not have FortiClient installed. Click to display the list of endpoints without FortiClient installed.
Not Registered
Number of endpoints that are not connected to FortiClient EMS. Click to display the list of disconnected endpoints.
Out-Of-Sync
Number of endpoints with an out-of-sync profile. Click to display the list of endpoints with out-of-sync profiles.
Security Risk
Number of endpoints that are security risks. Click to display the list of endpoints that are security risks.
Quarantined
Number of endpoints that EMS has quarantined. Click to display the list of quarantined endpoints.
Endpoints
Click the checkbox to select all endpoints displayed in the content pane.
Show/Hide Heading
Click to hide or display the following column headings: Device, User, IP, Configurations, Connections, and Alerts and Events.
Show/Hide Full Group Path
Click to hide or display the full path for the group that the endpoint belongs to.
Refresh
Click to refresh the list of endpoints.
Search All Fields
Enter a value and press Enter to search for the value in the list of endpoints.
Filters
Click to display and hide filters you can use to filter the list of endpoints.
Device
Visible when headings are displayed. Displays an icon to represent the OS on the endpoint, the hostname, and the endpoint group.
User
Visible when headings are displayed. Displays the name and icon of the user logged into the endpoint. Also displays the endpoint status:
- Online: endpoint has been seen within fewer than three keep-alive timeouts.
- Away: endpoint has been offline for less than eight hours.
- Offline: endpoint has been offline for more than eight hours.
- Never Seen: endpoint has never been registered to EMS.
When using user-based licensing, you can use the dropdown list to view all registered users for this endpoint. The dropdown list displays the verified user and device username.
IP
Visible when headings are displayed. Displays the endpoint IP address.
Configurations
Visible when headings are displayed. Displays the name of the policy assigned to the endpoint and its synchronization status.
Connections
Visible when headings are displayed. Displays the connection status between FortiClient and FortiClient EMS. If the endpoint is connected to a FortiGate, displays the FortiGate hostname.
Alerts and Events
Visible when headings are displayed. Displays FortiClient alerts and events for the endpoint.
- Click an endpoint to display its details in the content pane.
The following dropdown lists display in the toolbar for the selected endpoint:
Scan
Click to start a Vulnerability or AV scan on the selected endpoint.
Patch
Click to patch all critical and high vulnerabilities on the selected endpoint. Choose one of the following options:
- Selected Vulnerabilities on Selected Clients
- Selected Vulnerabilities on All Affected Clients
- All Critical and High Vulnerabilities
Move to
Move the endpoint to a different group.
Action
Click to perform one of the following actions on the selected endpoint:
- Request FortiClient Logs
- Request Diagnostic Results
- Update Signatures
- Download Available FortiClient Logs
- Download Available Diagnostic Results
- Deregister
- Quarantine
- Un-quarantine
- Exclude from Management
- Revoke Client Certificate. This action is only available if the ZTNA or EPP license is applied and for endpoints running FortiClient 7.0.0 and later versions. Revoke the certificate that FortiClient is using to securely encrypt and tunnel TCP traffic through HTTPS to the FortiGate. You may want to revoke a certificate if it becomes compromised and can no longer be trusted. When a certificate is revoked, EMS prompts FortiOS and FortiClient with a new certificate signing request. See FortiClient in the Security Fabric.
- Clear Events
- Mark as Uninstalled
- Set Importance
- Set Custom Tags. This option is only available if you have already created a custom tag.
- Delete Device
- Send Message. See Sending endpoints one-way message.
The following tabs are available in the content pane toolbar when you select an endpoint, depending on which FortiClient features are installed on the endpoint and enabled via the assigned profile:
Summary
<user name>
Displays the name of the user logged into the selected endpoint. Also displays the user's avatar, email address, and phone number if these are provided to FortiClient on the endpoint. If the user's LinkedIn, Google, Salesforce, or other cloud app account is linked in FortiClient, the username from the cloud application displays. Also displays the group that the endpoint belongs to in EMS.
Device
Displays the selected endpoint's hostname. You can enter an alias if desired.
OS
Displays the selected endpoint's operating system and version number.
IP
Displays the selected endpoint's MAC address.
Last Seen
Displays the last date and time that FortiClient sent a keep-alive message to EMS. This information is useful if FortiClient is offline because it indicates when the last keep-alive message occurred.
Location
Displays whether the selected endpoint is on- or off-fabric. You can also view any on-fabric detection rules that apply to the endpoint. See On-fabric Detection Rules.
Network Status
Displays the following information for the networks that the endpoint is connected to:
- MAC address
- IP address
- Gateway IP address
- Gateway MAC address
- SSID for Wi-Fi connections
Hardware Details
Displays the hardware model, vendor, CPU, RAM, and serial number information for the endpoint device, if available.
Zero Trust Tags
Displays which tags have been applied to the endpoint based on the Zero Trust tagging rules. See Zero Trust Tags.
FortiGuard Outbreak Detections
Displays which FortiGuard Outbreak tags have been applied to the endpoint based on the FortiGuard Outbreak Alerts service rules. See FortiGuard Outbreak Alerts.
Connection
Displays the connection status between the selected endpoint and FortiClient EMS.
Configuration
Displays the following information for the selected endpoint:
- Policy: Endpoint policy assigned to the selected endpoint
- Installer: FortiClient installer used for the selected endpoint.
- FortiClient Version: FortiClient version installed on the selected endpoint.
- FortiClient Serial Number: Serial number for the selected endpoint's FortiClient license.
- FortiClient ID
- ZTNA Serial Number: serial number for the zero trust network access certificate provisioned to the endpoint.
- MDM Enrolled: whether the endpoint is enrolled on a mobile device management (MDM) platform.
- MDM Deployment Status: whether a ZTNA certificate provisioned through MDM has been installed on the endpoint.
Classification Tags
Displays classification tags that are currently assigned to the endpoint. You can also assign a classification tag to the endpoint. Classification tags include the default importance level tags (low, medium, high, or critical), and custom tags. An endpoint can only have one default importance tag assigned, but can have multiple custom tags assigned. You can also unassign a tag from the endpoint, and create, assign, or delete a custom tag. To create a new custom tag, click the Add button, enter the desired tag, then click the + button. When you create a tag, it is available for assignment to all endpoints in the current site.
You can assign a classification tag to multiple endpoints by selecting the endpoints, then selecting Action > Set Importance or Set Custom Tags.
Tags that FortiClient EMS receives from FortiAnalyzer also display under Classification Tags.
Classification Tags - Fabric
Displays Fabric classification tags that are currently assigned to the endpoint. In a Fabric deployment, FortiEDR can detect suspicious or compromised endpoint behavior, share that endpoint's security status with EMS, and tag the affected endpoint on EMS. You can view these tags under Classification Tags - Fabric. You can also unassign a tag from the endpoint. The following lists the predefined tags for FortiEDR use:
- FortiEDR_Malicious: FortiEDR has classified this endpoint as malicious.
- FortiEDR_PUP: FortiEDR has detected a potentially unwanted program on this endpoint.
- FortiEDR_Suspicious: FortiEDR has detected suspicious activity on this endpoint.
- FortiEDR_Likely_Safe: FortiEDR has detected this endpoint as likely to be safe.
- FortiEDR_Probably_Good: FortiEDR has determined that this endpoint is not a safety risk.
Status
Displays one of the following statuses:
- Managed: Endpoint is managed by EMS.
- Quarantined: If quarantined, displays access code. The user can enter this access code in the affected endpoint's FortiClient to remove the endpoint from quarantine.
- Excluded: Endpoint is excluded from management by EMS.
Features
Displays which features are enabled for FortiClient.
Third Party Features
Displays which third party features are installed and running on the endpoint. This section includes the status of FortiEDR on the endpoint. This information is only available for Windows endpoints.
Antivirus Events
Date
Displays the AV event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the AV event's message.
Actions
Mark the event as read or delete it.
Cloud Scan Events
Date
Displays the cloud-based malware detection event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the cloud-based malware detection event's message.
Actions
Mark the event as read or delete it.
Anti-Ransomware Events
Date
Displays the anti-ransomware event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the anti-ransomware event's message. The message may say that FortiClient detected ransomware on the endpoint, or that FortiClient restored a file that the detected ransomware encrypted.
Actions
Mark the event as read or delete it.
AntiExploit Events
Date
Displays the AntiExploit event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the AntiExploit event's message.
Actions
Mark the event as read or delete it.
USB Device Events
Date
Displays the USB device event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the USB device event's message.
Actions
Mark the event as read or delete it.
Sandbox Events
Date
Displays the sandbox event's date and time.
Message
Displays the sandbox event's message.
Rating
Displays the file's risk rating as retrieved from FortiSandbox.
Checksum
Displays the checksum for the file.
Download
Download a PDF version of the detailed report.
Magnifying glass
Click to view a more detailed report. See Viewing Sandbox event details.
Firewall Events
Date
Displays the firewall event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the firewall event's message.
Actions
Mark the event as read or delete it.
Web Filter Events
Date
Displays the web filter event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the web filter event's message.
Actions
Mark the event as read or delete it.
Videofilter Events
Date
Displays the video filter event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the video filter event's message.
Actions
Mark the event as read or delete it.
Vulnerability Events
Vulnerability
Displays the vulnerability's name. For example, Security update available for Adobe Reader.
Category
Displays the vulnerability's category. For example, Third Party App.
Application
Displays the name of the application with the vulnerability.
Severity
Displays the vulnerability's severity.
Patch Type
Displays the patch type for this vulnerability: Auto or Manual.
FortiGuard
Displays the FortiGuard ID number. If you click the FortiGuard ID number, it redirects you to FortiGuard where further information is provided if available.
System Events
Date
Displays the system event's date and time.
Count
Displays the number of occurrences for this event.
Message
Displays the system event's message.
Actions
Mark the event as read.