
EMS Administration Guide

On-fabric Detection Rules

You can configure on-fabric detection rules for endpoints. EMS uses the rules to determine if the endpoint is on- or off-fabric. Depending on the endpoint's on-fabric status, EMS may apply a different profile to the endpoint, as configured in the applied endpoint policy. See Adding an endpoint policy.

When a user switches accounts between a local non-domain account and a domain account on the same machine, EMS may not apply the correct policy to the endpoint.

To add an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click Add.
  3. In the Name field, enter the desired name.
  4. Enable or disable the rule set by toggling Enabled on or off.
  5. Click Add Rule.
  6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired rule detection type. If you configure rules of multiple detection types for a rule set, the endpoint must satisfy all configured rules to satisfy the entire rule set:

    Detection type

    Description

    Connection Media

    From the Ethernet and/or Wi-Fi dropdown lists, select Connected or Not Connected. EMS considers the endpoint as satisfying the rule if its network settings match all configured fields.

    Default Gateway

    In the IP Address field, enter the default gateway IP address. In the MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its default gateway matches the specified IP address and, when one is configured, the specified MAC address. An IP-only rule is satisfied by any network that happens to use the same gateway address; adding the MAC address ties the rule to a specific gateway. You can configure multiple addresses using the + button.

    DHCP Server

    On the IP/MAC Address tab, configure the IP and/or MAC address for the desired DHCP server. On the DHCP Code tab, configure the DHCP code for the desired DHCP server. You can configure just the IP/MAC Address tab, just the DHCP Code tab, or both tabs. If configuring the IP/MAC Address tab, the MAC Address field is optional.

    The DHCP code is the value of DHCP option 224. In FortiOS 6.0, FortiClient read this option from the DHCP server and sent it to the FortiGate, and its value was the FortiGate serial number. It can now be any string configured as option 224 on the DHCP server; the FortiGate serial number remains a valid choice. See To configure the DHCP code:.

    EMS considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

    DNS Server

    Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if one of the endpoint's configured DNS servers matches a specified address. You can configure multiple IP addresses using the + button.

    EMS Connection

    This detection type has no configurable fields: EMS considers the endpoint as satisfying the rule if it is online with EMS.

    Local IP/Subnet

    In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the specified range and, when one is configured, its default gateway MAC address matches the specified value. You can configure multiple ranges using the + button.

    Endpoints running FortiClient 6.4.0 and earlier evaluate only this detection type. Rules of the other detection types do not apply to these endpoints.

    Ping Server

    In the IP Address field, enter the server IP address. EMS considers the endpoint as satisfying the rule if it can reach (ping) the server at the specified IP address. You can configure multiple addresses using the + button.

    Public IP

    In the IP Address field, enter the desired IP address. EMS considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified. You can configure multiple addresses using the + button.

    VPN Tunnel

    In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure multiple tunnel names using the + button.

    HTTP Web Request

    Configure at least one internal IP address. EMS considers the endpoint as satisfying the rule if it can make an HTTP GET request to the IP address and receive a 200 OK response. You can configure multiple IP addresses using the + button.

    HTTPS Web Request

    Configure at least one internal IP address and the certificate common name (CN) or SNI value to expect. EMS considers the endpoint as satisfying the rule if it can make an HTTPS GET request to the IP address and the server presents a certificate matching the specified CN or SNI. You can configure multiple IP addresses using the + button.

    DNS Request

    In the IP address and Hostname fields, enter the IP address and hostname for the desired internal DNS server.

    EMS considers the endpoint as satisfying the rule if it can make a DNS request to the DNS server that matches the specified configuration and receive a successful DNS response. You can configure multiple servers using the + button.

  7. Click Add Rule.
  8. Click Save.
To edit an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Select the rule set.
  3. Click Edit.
  4. Edit as desired.
  5. Click Save.
To delete an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Click Delete.
  4. In the confirmation dialog, click Yes.
To delete an on-fabric detection rule from a rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Click the desired rule set.
  3. Under Rules, select the desired rule.
  4. Click Delete Rule.
  5. Click Save.
To enable/disable an on-fabric detection rule set:
  1. Go to Endpoint Policy & Components > On-fabric Detection Rules.
  2. Select or deselect the Enabled checkbox for the desired rule set.

An endpoint has an offline off-fabric status when it cannot connect FortiClient Telemetry to EMS and is outside all of the on-fabric networks.

An endpoint has an offline on-fabric status when it cannot connect FortiClient Telemetry to EMS but is inside one of the on-fabric networks, or if no on-fabric rules are configured within the assigned policy. Note the second case: a policy with no on-fabric detection rule set treats a disconnected endpoint as on-fabric, so such a policy never applies its off-fabric profile.
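The following Python model is added here as an illustration of the rule-set semantics described above and is not FortiClient or EMS code. It evaluates a rule set made of several detection types against a snapshot of an endpoint's network state and derives the online/offline and on-/off-fabric status from the result. The rule set, the endpoint snapshots and the field names are all constructed. Two points the page does not state are taken as assumptions: entries added with the + button inside one rule are alternatives (any one match satisfies that rule), and a policy that references several enabled rule sets treats the endpoint as on-fabric when any one of them is satisfied. Results of the active probe rules (Ping Server, HTTP/HTTPS Web Request, DNS Request) are passed in already collected rather than performed.

```python
"""Model of how an EMS on-fabric detection rule set is evaluated.

Constructed illustration, not FortiClient or EMS code. Assumptions the page
does not state: entries inside one rule are alternatives (any one match
satisfies that rule); probe results (ping, HTTP, HTTPS, DNS request) are
supplied pre-collected in the endpoint snapshot; with several enabled rule
sets, any satisfied set makes the endpoint on-fabric.
"""
import ipaddress


def _mac(mac):
    """Normalise MAC notation so 00-11-22-AA-BB-CC equals 00:11:22:aa:bb:cc."""
    return mac.lower().replace("-", ":") if mac else None


def _addr_entry_matches(entry, ip, mac):
    """IP must match; the MAC is checked only when the rule configures one."""
    return entry["ip"] == ip and (entry.get("mac") is None or _mac(entry["mac"]) == _mac(mac))


def rule_satisfied(rule, ep):
    """Evaluate one rule against a snapshot of the endpoint's network state."""
    t = rule["type"]
    if t == "connection_media":
        # Every configured media field (Ethernet, Wi-Fi) must match.
        return all(ep["media"][k] == v for k, v in rule["media"].items())
    if t == "default_gateway":
        return any(_addr_entry_matches(e, ep["gateway_ip"], ep["gateway_mac"]) for e in rule["entries"])
    if t == "dhcp_server":
        # IP/MAC tab and DHCP Code tab are each optional; whichever is configured must match.
        addr_ok = not rule.get("entries") or any(
            _addr_entry_matches(e, ep["dhcp_server_ip"], ep["dhcp_server_mac"]) for e in rule["entries"])
        code_ok = not rule.get("codes") or ep.get("dhcp_code") in rule["codes"]
        return addr_ok and code_ok
    if t == "dns_server":
        return any(ip in ep["dns_servers"] for ip in rule["ips"])
    if t == "ems_connection":
        return ep["ems_online"]
    if t == "local_ip_subnet":
        addr = ipaddress.ip_address(ep["local_ip"])
        for e in rule["entries"]:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in e["range"].split("-"))
            if lo <= addr <= hi and (e.get("mac") is None or _mac(e["mac"]) == _mac(ep["gateway_mac"])):
                return True
        return False
    if t == "public_ip":
        return ep["public_ip"] in rule["ips"]
    if t == "vpn_tunnel":
        return any(name in ep["vpn_tunnels"] for name in rule["names"])
    if t in ("ping_server", "http_request", "https_request", "dns_request"):
        # Probe results are pre-collected: the set of targets the endpoint could reach.
        return any(target in ep["probes_ok"] for target in rule["targets"])
    raise ValueError(f"unknown detection type: {t}")


def rule_set_satisfied(rule_set, ep):
    """All rules in a set must hold (AND across rules), as the page states."""
    return all(rule_satisfied(r, ep) for r in rule_set["rules"])


def fabric_status(rule_sets, ep):
    """Return (online, on_fabric). With no enabled rule set the endpoint is on-fabric.

    Treating a disabled rule set as 'not configured' is an assumption."""
    enabled = [rs for rs in rule_sets if rs["enabled"]]
    on_fabric = not enabled or any(rule_set_satisfied(rs, ep) for rs in enabled)
    return ep["ems_online"], on_fabric


# Constructed rule set: gateway IP+MAC, DHCP code (option 224), internal DNS, LAN range.
HQ_RULES = {"name": "HQ-LAN", "enabled": True, "rules": [
    {"type": "default_gateway", "entries": [{"ip": "10.10.0.1", "mac": "00-11-22-33-44-55"}]},
    {"type": "dhcp_server", "entries": [{"ip": "10.10.0.2"}], "codes": ["EXAMPLE-FABRIC-CODE"]},
    {"type": "dns_server", "ips": ["10.10.0.53", "10.10.0.54"]},
    {"type": "local_ip_subnet", "entries": [{"range": "10.10.0.0-10.10.255.255"}]},
]}

# Constructed endpoint snapshots.
HQ_ENDPOINT = {
    "media": {"ethernet": "connected", "wifi": "not_connected"},
    "gateway_ip": "10.10.0.1", "gateway_mac": "00:11:22:33:44:55",
    "dhcp_server_ip": "10.10.0.2", "dhcp_server_mac": "00:11:22:33:44:66",
    "dhcp_code": "EXAMPLE-FABRIC-CODE", "dns_servers": ["10.10.0.53"],
    "local_ip": "10.10.4.20", "public_ip": "203.0.113.10",
    "vpn_tunnels": [], "probes_ok": set(), "ems_online": True,
}
# Same gateway IP, DHCP server IP and LAN range as HQ, but a different gateway
# MAC and no option 224: only the MAC and DHCP Code checks tell it apart.
LOOKALIKE_ENDPOINT = dict(HQ_ENDPOINT, gateway_mac="de:ad:be:ef:00:01", dhcp_code=None, ems_online=False)
CAFE_ENDPOINT = dict(HQ_ENDPOINT, gateway_ip="192.168.1.1", gateway_mac="aa:bb:cc:dd:ee:ff",
                     dhcp_server_ip="192.168.1.1", dhcp_code=None, dns_servers=["192.168.1.1"],
                     local_ip="192.168.1.37", public_ip="198.51.100.7", ems_online=False)

if __name__ == "__main__":
    for name, ep in [("HQ", HQ_ENDPOINT), ("lookalike", LOOKALIKE_ENDPOINT), ("cafe", CAFE_ENDPOINT)]:
        print(name, fabric_status([HQ_RULES], ep))
```

The lookalike snapshot passes the Local IP/Subnet rule and the IP half of the Default Gateway and DHCP Server rules; it fails the set only because the rule set configures the optional gateway MAC and a DHCP code, which is the practical reason to configure those fields rather than relying on addresses alone.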

To configure the DHCP code:

FortiClient can use a DHCP code/option 224 to determine on-/off-net status. A FortiGate automatically includes this option when used as a DHCP server. The following describes how to configure the option 224 when using a Windows server to handle DHCP.

  1. On the Windows server, open DHCP settings.
  2. Right-click IPv4, then select Set Predefined Options.
  3. In the Option name dropdown list, confirm that no option with code 224 already exists.
  4. Click Add.
  5. In the Code field, enter 224.
  6. Complete other fields as desired, then click OK.
  7. Click Edit Array.
  8. Click Add.
  9. Enter the desired DHCP code value, for example the FortiGate serial number. Click OK.
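To show what the value configured above looks like on the wire, and what the DHCP Server rule's IP/MAC and DHCP Code tabs are compared against, here is an added Python decoder for the options field of a DHCPOFFER or DHCPACK. It is an illustration written for this page, not FortiClient code. The option encoding follows RFC 2132 (one-byte code, one-byte length, data; option 0 is padding, option 255 ends the list, and the field starts with the magic cookie 63 82 53 63) and RFC 3396 (a code repeated within one message is concatenated). Option 224 sits in the site-specific range 224 to 254, which is why it can carry an arbitrary string such as a FortiGate serial number. The sample message, the server address 10.10.0.2 and the code EXAMPLE-FABRIC-CODE are constructed.

```python
"""Decode DHCP option 224 (the EMS "DHCP code") and the server identifier
(option 54) from the options field of a DHCP message.

Added illustration, not FortiClient code. Wire format per RFC 2132 and
RFC 3396; the sample DHCPOFFER options below are constructed.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET_MASK, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 53, 54, 255
OPT_DHCP_CODE = 224  # site-specific option (224-254) carrying the EMS DHCP code


def parse_dhcp_options(options_field):
    """Return {code: bytes} for the options in a DHCP message options field."""
    if not options_field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    parsed, i, data = {}, len(MAGIC_COOKIE), options_field
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # single-byte terminator
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        parsed[code] = parsed.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    return parsed


def encode_option(code, value):
    """Encode one option; values over 255 bytes would need RFC 3396 splitting."""
    if len(value) > 255:
        raise ValueError("option data longer than 255 bytes")
    return bytes([code, len(value)]) + value


def dhcp_code_and_server(options_field):
    """Return (server identifier as dotted quad or None, DHCP code as str or None)."""
    opts = parse_dhcp_options(options_field)
    server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    code = opts.get(OPT_DHCP_CODE)
    return server, (code.decode("ascii", "replace") if code is not None else None)


# Constructed DHCPOFFER options from a server at 10.10.0.2 that publishes
# option 224 = "EXAMPLE-FABRIC-CODE" (the value entered under Set Predefined Options).
SAMPLE_OFFER_OPTIONS = (
    MAGIC_COOKIE
    + encode_option(OPT_MESSAGE_TYPE, b"\x02")            # 2 = DHCPOFFER
    + encode_option(OPT_SERVER_ID, bytes([10, 10, 0, 2]))
    + encode_option(OPT_SUBNET_MASK, bytes([255, 255, 0, 0]))
    + encode_option(OPT_DHCP_CODE, b"EXAMPLE-FABRIC-CODE")
    + bytes([OPT_PAD])
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(dhcp_code_and_server(SAMPLE_OFFER_OPTIONS))
```

A server that does not publish option 224 yields a code of None, which is why a DHCP Server rule configured only on the DHCP Code tab cannot be satisfied on a network whose DHCP server lacks the option, regardless of its IP address.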
