EMS Administration Guide

Installation parameters

The following provides a list of parameters that the EMS install commands support:

Parameter

Description

allowed_hosts

A comma-separated list (without spaces) of hostnames or IP addresses that the EMS web server will respond to (for example, EMS FQDN or FortiGate VIP address).

This setting does not control user access by source IP. It only validates the HTTP host header for security.

das_cache_engine

Specify DAS cache engine, such as simple.

db_host

Remote database (DB) hostname.

db_hosts

A comma-separated list (without spaces) of remote database (DB) hostnames in the following format: <host>:<port>.

For example, --db_hosts "db1:5432,db2:5432,db3:5543".

db_pass

Remote DB password.

db_port

Port that remote DB uses to communicate with EMS.

db_prefix

Used when FortiClient Cloud uses an external DB. Prepend this value to the DBs that FortiClient Cloud uses to ensure unique DB names.

db_user

Remote DB username.

elastic_api_key

Having EMS connect to the Elasticsearch (ES) cluster using an encoded API key, rather than a username and password, is considered best practice. Provide the encoded version of the key to EMS.

elastic_ca_path

If the ES cluster is set up to strictly check for a client certificate, you must provide the CA certificate to EMS. This must be a fully qualified path to the CA certificate file. Store the file in a location outside of /opt/forticlientems, and ensure that it is readable by the forticlientems user or group. For example, you may configure the following:

--elastic_ca_path /data/certs/es_ca.crt

elastic_hosts

ES server IP address and port that ES uses to communicate with EMS in <ES server IP address>:<port> format. If you have multiple primary ES server nodes, provide their <IP address>:<port> in a comma-separated list with no whitespace in between. For example, you may configure the following:

--elastic_hosts "node1.local:8000,node2.local:8000,node3.local:8000"

elastic_password

Password for ES user created for EMS.

elastic_user

Username to use to connect to ES. If you provide both an API key and username and password, EMS prefers to use the API key and ignores the username and password.

enable_event_feature

Enable EMS services required for using the new DB for storing and querying events.

enable_fips

Enable FIPS mode. If this parameter is not specified (default), EMS will work in non-FIPS mode.

enable_remote_https

Enable remote HTTPS access to EMS.

fileserver_port
http_port
https_port

Customize webserver ports.

internal_db_port

PostgreSQL port to set for executing the DB deployment or upgrade (remotely or locally).

is_paas

Only used when using EMS with a cloud DB. This parameter tells the installer that this is a special DB and needs special handling.

redis_cluster_hosts

Redis cluster hostnames.

redis_host

Redis hostname.

redis_password

Redis password.

redis_port

Port that Redis uses to communicate with EMS.

redis_username

Redis username.

scep_public_hostname

Specify the FQDN or hostname accessible by mobile endpoints to pull the ZTNA certificate from the SCEP server running on EMS.

skip_db_deploy

Skip express DB deployment.

skip_db_install

Skip express DB install.

skip_event_feature_local_install_local_install

Skip event worker local installation.
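The format rules above (comma-separated lists without spaces, <host>:<port> entries, a fully qualified elastic_ca_path outside /opt/forticlientems, API key precedence over username and password) can be checked before running the installer. The following pre-flight check is an added example, not part of the EMS installer or of Fortinet's tooling; the function names and sample values are hypothetical, it assumes hostnames or IPv4 addresses only, and it does not verify that the CA file is readable by the forticlientems user or group.

```python
import posixpath
import re

HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"   # hostname or IPv4 (assumption: no IPv6)
HOST_PORT = re.compile(HOST + r":(\d{1,5})")           # <host>:<port>
LISTS = {"allowed_hosts": re.compile(HOST), "db_hosts": HOST_PORT, "elastic_hosts": HOST_PORT}
EMS_DIR = "/opt/forticlientems"

# Constructed sample values; only the parameter names come from the list above.
SAMPLE = {
    "allowed_hosts": "ems.example.com, 203.0.113.10",    # space after the comma
    "db_hosts": "db1:5432,db2:5432,db3",                 # last entry lacks a port
    "elastic_hosts": "node1.local:8000,node2.local:8000",
    "elastic_ca_path": "/opt/forticlientems/certs/es_ca.crt",
    "elastic_api_key": "PLACEHOLDER_KEY", "elastic_user": "ems",
}

def check_list(name, value):
    """Flag whitespace and malformed entries in a comma-separated list parameter."""
    findings = []
    if re.search(r"\s", value):
        findings.append(f"{name}: list must not contain whitespace")
    for item in (i.strip() for i in value.split(",")):
        m = LISTS[name].fullmatch(item)
        if not m or (m.groups() and not 1 <= int(m.group(1)) <= 65535):
            findings.append(f"{name}: bad entry {item!r}")
    return findings

def preflight(params):
    """Return a list of findings for a dict of install parameters (empty if clean)."""
    findings = []
    for name in LISTS:
        if name in params:
            findings += check_list(name, params[name])
    ca = params.get("elastic_ca_path")
    if ca is not None and not ca.startswith("/"):
        findings.append("elastic_ca_path: must be a fully qualified path")
    elif ca is not None:
        # Lexical check only; symlinks are not resolved.
        norm = posixpath.normpath("/" + ca.lstrip("/"))
        if norm == EMS_DIR or norm.startswith(EMS_DIR + "/"):
            findings.append(f"elastic_ca_path: must be outside {EMS_DIR}")
    if params.get("elastic_api_key") and params.get("elastic_user"):
        findings.append("elastic_user/elastic_password: ignored, API key takes precedence")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)))
```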
