Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • EMS Administration Guide

    Home FortiClient 7.4.1 EMS Administration Guide
    7.4.1
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Quarantining an endpoint from FortiOS using EMS

    Quarantining an endpoint from FortiOS using EMS

    The Fortinet Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. This requires the following network components:

    • FortiGate
    • FortiAnalyzer
    • FortiClient EMS
    • FortiClient

    The following must be true:

    • FortiAnalyzer must have both FortiGate and EMS as approved logging devices.
    • FortiGate and FortiAnalyzer must have a valid security fabric connection.
    • FortiGate and EMS must have a valid security fabric connection.
    • FortiClient must have logging to FortiAnalyzer configured in their EMS profile.

    This process functions as follows:

    1. FortiClient sends logs to the FortiAnalyzer.
    2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
    3. FortiGate determines if the FortiClient is among its connected endpoints and if it has a fabric connection to the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
    4. EMS searches for the endpoint and sends a quarantine message to it.
    5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
    Note

    FortiClient (Linux) does not support this feature.
    Prerequisites

    The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.

    FortiClient

    FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.

    EMS
    1. You must create a profile for the endpoint. See Creating a new profile. The profile must:
      • Be configured to log to FortiAnalyzer
      • Include a unified threat management feature, such as Malware Protection > Real-Time Protection
    2. You must create and configure an endpoint policy that is configured with the desired profile and Telemetry gateway list for the desired endpoint group. See Adding an endpoint policy.
    3. Enable Remote HTTPS access. See Configuring EMS settings.
    FortiGate

    Before automation can be triggered, you must configure the following:

    1. Configure an automation trigger.
    2. Configure an automation object.
    3. Configure an automation stitch.
    4. Configure an EMS fabric connector

    You may also elect to enable a pre-defined automation stitch instead of completing 1-3 above.

    CLI

    To create an automation trigger:

    config system automation-trigger

    edit "trigger01"

    set trigger-type event-based

    set event-type ioc

    next

    end

    To create an automation action:
    config system automation-action
   edit "action01"
      set action-type quarantine-forticlient
   next
end
    To create an automation stitch:
    config system automation-stitch
   edit "stitch01"
      set status enable
      set trigger "trigger01"
      config actions
         edit 1
            set action “action01”
         next
      end
   next
end

    GUI

    To enable an existing quarantine automation stitch:
    1. Go to Security Fabric > Automation.
    2. Under Compromised Host, right-click Compromised Host Quarantine, hover over Set Status, then select Enable.
    To create a custom quarantine stitch:
    1. Go to Security Fabric > Automation.
    2. At the top of the page, select Create New.
    3. Provide a name for the stitch.
    4. Click the Add Trigger button to select Compromised Host Quarantine from the slide in menu, then click Apply.
    5. Click the Add Action button to select FortiClient Quarantine_quarantine-forticlient from the slide in menu, then click Apply.
    6. Click OK to save the automation stitch.

    To configure EMS Fabric Connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click the FortiClient EMS tile, then select Edit.
    3. Enable EMS 1, then provide the EMS name and IP address or domain.
    4. Click OK.
    5. On the Verify EMS Server Certificate slide in, review the details and accept the certificate once verified.
    6. You may authorize the FortiGate on the EMS using the new slide in menu, or you may do so from the EMS using the popup when you login to the EMS, or by navigating to Fabric & Connectors > Fabric Devices.
    To verify the configuration:

    The following occurs if the configuration has been performed correctly.

    1. FortiClient sends logs to FortiAnalyzer. If the FortiClient profile is configured and connectivity is possible, FortiClient will send logs to FortiAnalyzer.
      Note

      You can generate logs that will be flagged as an IOC by visiting http://195.22.28.198 from the test endpoint.

    2. FortiAnalyzer receives the logs from FortiClient and determines there is an IOC
    3. FortiAnalyzer notifies the FortiGate using the Fabric Connector
    4. FortiGate triggers the automation stitch.
    5. You can also review Security Fabric > Automation > Stitch, to see the Trigger Count for the configured stitch.

    6. On the EMS, go to Endpoints > All Endpoints, then select the Quarantined tile in the top right.

    7. Select the endpoint to view more details, such as the status in the top right.
    8. The endpoint will also display a quarantine warning from the FortiClient:

    Previous
    Next

    Quarantining an endpoint from FortiOS using EMS

    Quarantining an endpoint from FortiOS using EMS

    The Fortinet Security Fabric offers visibility of endpoints at various monitoring levels. When the Security Fabric includes the following network devices, you can configure the system to automatically quarantine an endpoint on which an Indicator of Compromise (IoC) is detected. This requires the following network components:

    • FortiGate
    • FortiAnalyzer
    • FortiClient EMS
    • FortiClient

    The following must be true:

    • FortiAnalyzer must have both FortiGate and EMS as approved logging devices.
    • FortiGate and FortiAnalyzer must have a valid security fabric connection.
    • FortiGate and EMS must have a valid security fabric connection.
    • FortiClient must have logging to FortiAnalyzer configured in their EMS profile.

    This process functions as follows:

    1. FortiClient sends logs to the FortiAnalyzer.
    2. FortiAnalyzer discovers IoCs in the logs and notifies the FortiGate.
    3. FortiGate determines if the FortiClient is among its connected endpoints and if it has a fabric connection to the EMS that the FortiClient is connected to. With this information, FortiGate sends a notification to EMS to quarantine the endpoint.
    4. EMS searches for the endpoint and sends a quarantine message to it.
    5. The endpoint receives the quarantine message and quarantines itself, blocking all network traffic. The endpoint notifies the FortiGate and EMS of the status change.
    Note

    FortiClient (Linux) does not support this feature.
    Prerequisites

    The following lists the prerequisites that must be met for FortiClient, EMS, and the FortiGate.

    FortiClient

    FortiClient must be installed on the endpoint and connected to EMS as part of a Security Fabric.

    EMS
    1. You must create a profile for the endpoint. See Creating a new profile. The profile must:
      • Be configured to log to FortiAnalyzer
      • Include a unified threat management feature, such as Malware Protection > Real-Time Protection
    2. You must create and configure an endpoint policy that is configured with the desired profile and Telemetry gateway list for the desired endpoint group. See Adding an endpoint policy.
    3. Enable Remote HTTPS access. See Configuring EMS settings.
    FortiGate

    Before automation can be triggered, you must configure the following:

    1. Configure an automation trigger.
    2. Configure an automation object.
    3. Configure an automation stitch.
    4. Configure an EMS fabric connector

    You may also elect to enable a pre-defined automation stitch instead of completing 1-3 above.

    CLI

    To create an automation trigger:

    config system automation-trigger

    edit "trigger01"

    set trigger-type event-based

    set event-type ioc

    next

    end

    To create an automation action:
    config system automation-action
   edit "action01"
      set action-type quarantine-forticlient
   next
end
    To create an automation stitch:
    config system automation-stitch
   edit "stitch01"
      set status enable
      set trigger "trigger01"
      config actions
         edit 1
            set action “action01”
         next
      end
   next
end

    GUI

    To enable an existing quarantine automation stitch:
    1. Go to Security Fabric > Automation.
    2. Under Compromised Host, right-click Compromised Host Quarantine, hover over Set Status, then select Enable.
    To create a custom quarantine stitch:
    1. Go to Security Fabric > Automation.
    2. At the top of the page, select Create New.
    3. Provide a name for the stitch.
    4. Click the Add Trigger button to select Compromised Host Quarantine from the slide in menu, then click Apply.
    5. Click the Add Action button to select FortiClient Quarantine_quarantine-forticlient from the slide in menu, then click Apply.
    6. Click OK to save the automation stitch.

    To configure EMS Fabric Connector:
    1. Go to Security Fabric > Fabric Connectors.
    2. Click the FortiClient EMS tile, then select Edit.
    3. Enable EMS 1, then provide the EMS name and IP address or domain.
    4. Click OK.
    5. On the Verify EMS Server Certificate slide in, review the details and accept the certificate once verified.
    6. You may authorize the FortiGate on the EMS using the new slide in menu, or you may do so from the EMS using the popup when you login to the EMS, or by navigating to Fabric & Connectors > Fabric Devices.
    To verify the configuration:

    The following occurs if the configuration has been performed correctly.

    1. FortiClient sends logs to FortiAnalyzer. If the FortiClient profile is configured and connectivity is possible, FortiClient will send logs to FortiAnalyzer.
      Note

      You can generate logs that will be flagged as an IOC by visiting http://195.22.28.198 from the test endpoint.

    2. FortiAnalyzer receives the logs from FortiClient and determines there is an IOC
    3. FortiAnalyzer notifies the FortiGate using the Fabric Connector
    4. FortiGate triggers the automation stitch.
    5. You can also review Security Fabric > Automation > Stitch, to see the Trigger Count for the configured stitch.

    6. On the EMS, go to Endpoints > All Endpoints, then select the Quarantined tile in the top right.

    7. Select the endpoint to view more details, such as the status in the top right.
    8. The endpoint will also display a quarantine warning from the FortiClient:

    Previous
    Next