Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.2.4 EMS Administration Guide
    7.2.4
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Fabric Devices

    Fabric Devices

    You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. You can also deny or authorize a FortiGate. These FortiGates receive endpoint data from EMS. FortiClient does not directly connect to FortiGates listed on this page.

    Fabric Devices displays the relationships between FortiGates if they are part of a cooperative Security Fabric (CSF) or high availability (HA) cluster. The following shows the Fabric Devices page showing two FortiGates that are part of a CSF tree:

    The following shows Fabric Devices showing two FortiGates that are part of an HA cluster:

    Fabric connection for non-root devices expires after 15 minutes, unless the root device (the device that manages the non-root device) calls an EMS API to keep it alive.

    FortiOS versions 7.0.2 to 7.0.6 only support zero trust tags and does not support other tag types when used with EMS. FortiClient endpoints connected via zero trust network access do not provide IP addresses to FortiOS.

    For connection to FortiAnalyzer, see Incoming ports.

    To edit the Fabric device tag sharing settings:
    1. Go to Administration > Fabric Devices.
    2. Select the desired device, then select Edit.
    3. From the FortiClient Endpoint Sharing dropdown list, select one of the following:

      Option

      Description

      Share all FortiClients

      Selected FortiGate receives all endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag"), regardless of whether the gateways point to the selected FortiGate.

      Only share FortiClients connected to this fabric device (Recommended)

      Default setting. Selected FortiGate only receives the host tags for endpoints whose gateways point to the selected FortiGate.

      Share FortiClients connected to selected fabric devices

      The selected FortiGate receives host tags for endpoints whose gateways point to the following:

      • The selected FortiGate
      • Configured additional FortiGates. You can configure up to four additional FortiGates.
    4. In Tag Types Being Shared, select at least one tag type to share. EMS selects Zero Trust Tags by default and you cannot deselect it. EMS only shares the selected tag types with the configured Fabric devices.

      Tag

      Description

      Zero Trust tags

      See Zero Trust Tags.

      FortiGuard outbreak alert tags

      See FortiGuard Outbreak Alerts.

      Classification tags

      See Viewing the Endpoints pane.

      Fabric tags

      Fabric tags require connection to FortiAnalyzer. See the following process:

      1. EMS administrator configures FortiAnalyzer in a System Settings profile. See System Settings.
      2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the profile.
      3. FortiClient sends logs to FortiAnalyzer.
      4. FortiAnalyzer administrator configures rule to tag endpoints which have indicators of compromise (IOC).
      5. If a log entry received from FortiClient on the FortiAnalyzer matches an IOC, FortiAnalyzer adds a tag to that endpoint.
      6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Zero Trust Tag Monitor. This tag displays as a Fortinet Security Fabric tag in Zero Trust Tag Monitor, but the tag displays under Classification Tags in endpoint details. See Viewing the Endpoints pane.
      7. If FortiGate is configured to receive all tags for this specific endpoint, EMS sends the tag to FortiGate.

      See EMS API support for FortiAnalyzer to notify and tag suspicious endpoints.

    5. Click Save.
    To change the FortiGate authorization status:
    1. Go to Administration > Fabric Devices.
    2. Select the desired FortiGate.
    3. Click Deny or Authorize. The FortiGate status in the Authorized column changes.
    Previous
    Next

    Fabric Devices

    Fabric Devices

    You can view all FortiGates that the EMS has authorized in Administration > Fabric Devices. You can also deny or authorize a FortiGate. These FortiGates receive endpoint data from EMS. FortiClient does not directly connect to FortiGates listed on this page.

    Fabric Devices displays the relationships between FortiGates if they are part of a cooperative Security Fabric (CSF) or high availability (HA) cluster. The following shows the Fabric Devices page showing two FortiGates that are part of a CSF tree:

    The following shows Fabric Devices showing two FortiGates that are part of an HA cluster:

    Fabric connection for non-root devices expires after 15 minutes, unless the root device (the device that manages the non-root device) calls an EMS API to keep it alive.

    FortiOS versions 7.0.2 to 7.0.6 only support zero trust tags and does not support other tag types when used with EMS. FortiClient endpoints connected via zero trust network access do not provide IP addresses to FortiOS.

    For connection to FortiAnalyzer, see Incoming ports.

    To edit the Fabric device tag sharing settings:
    1. Go to Administration > Fabric Devices.
    2. Select the desired device, then select Edit.
    3. From the FortiClient Endpoint Sharing dropdown list, select one of the following:

      Option

      Description

      Share all FortiClients

      Selected FortiGate receives all endpoints' resolved IP or MAC addresses (hereafter referred to as "host tag"), regardless of whether the gateways point to the selected FortiGate.

      Only share FortiClients connected to this fabric device (Recommended)

      Default setting. Selected FortiGate only receives the host tags for endpoints whose gateways point to the selected FortiGate.

      Share FortiClients connected to selected fabric devices

      The selected FortiGate receives host tags for endpoints whose gateways point to the following:

      • The selected FortiGate
      • Configured additional FortiGates. You can configure up to four additional FortiGates.
    4. In Tag Types Being Shared, select at least one tag type to share. EMS selects Zero Trust Tags by default and you cannot deselect it. EMS only shares the selected tag types with the configured Fabric devices.

      Tag

      Description

      Zero Trust tags

      See Zero Trust Tags.

      FortiGuard outbreak alert tags

      See FortiGuard Outbreak Alerts.

      Classification tags

      See Viewing the Endpoints pane.

      Fabric tags

      Fabric tags require connection to FortiAnalyzer. See the following process:

      1. EMS administrator configures FortiAnalyzer in a System Settings profile. See System Settings.
      2. FortiClient connects to EMS and receives FortiAnalyzer connection information from the profile.
      3. FortiClient sends logs to FortiAnalyzer.
      4. FortiAnalyzer administrator configures rule to tag endpoints which have indicators of compromise (IOC).
      5. If a log entry received from FortiClient on the FortiAnalyzer matches an IOC, FortiAnalyzer adds a tag to that endpoint.
      6. EMS adds this tag to the endpoint. You can view the tag in the endpoint details, as well as in Zero Trust Tag Monitor. This tag displays as a Fortinet Security Fabric tag in Zero Trust Tag Monitor, but the tag displays under Classification Tags in endpoint details. See Viewing the Endpoints pane.
      7. If FortiGate is configured to receive all tags for this specific endpoint, EMS sends the tag to FortiGate.

      See EMS API support for FortiAnalyzer to notify and tag suspicious endpoints.

    5. Click Save.
    To change the FortiGate authorization status:
    1. Go to Administration > Fabric Devices.
    2. Select the desired FortiGate.
    3. Click Deny or Authorize. The FortiGate status in the Authorized column changes.
    Previous
    Next