Handbook

FortiClient EMS

6.0.0
FortiClient EMS

You can configure endpoint control for your Security Fabric using FortiClient Endpoint Management System (EMS).

Note: If you disable the FortiClient Endpoint Management System (EMS) option found on the Security Fabric > Settings page, it deletes all previously configured EMS server entries.

To configure an EMS Server - GUI:
  1. To enable endpoint control, go to System > Feature Visibility and under Security Features, enable Endpoint Control. The FortiClient Endpoint Management System (EMS) section appears in the Security Fabric > Settings page.
  2. Go to Security Fabric > Settings and enable FortiClient Endpoint Management System (EMS).
  3. Select the + to add it and enter the following:

    Name: Enter the name of the EMS server.

    Address: Select the FortiClient EMS address from the drop-down menu or select the + to create a new IP address or hostname.

    Serial Number: Enter the serial number.

    REST API Calls: Select Disable or Authentication. If you select Authentication, you can set the authentication type to Windows or LDAP. Then you can enter the Admin user, which must be a user with admin rights, and Password.

    You can add a maximum of 16 EMS Servers.

  4. Apply your changes.

To configure endpoint control settings - CLI:

    config endpoint-control settings
        set forticlient-ems-rest-api-call-timeout <value>
    end

where <value> is between 500 and 30000 milliseconds (default of 5000).

To configure a FortiClient Enterprise Management server - CLI:

    config endpoint-control forticlient-ems
        edit 1
            set address <firewall-address-name>
            set serial-number <FortiClient-EMS-serial-number>
            set listen-port <listen-port-number>
            set upload-port <upload-port-number>
            set rest-api-auth <FortiClient-EMS-REST-API-authentication>
        next
    end

where the following values are set to:

    Variable              Description
    listen-port-number    Set the listening port between 1 and 65535. The default port is 8013.
    upload-port-number    Set the uploading port between 1 and 65535. The default port is 8014.
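
The limits given above (REST API call timeout of 500 to 30000 milliseconds, ports between 1 and 65535, at most 16 EMS servers) can be checked on a templated configuration fragment before it is pushed to a device. The following Python script is an added example and is not Fortinet code; the sample fragment, its values and the function names are constructed for illustration.

```python
LIMITS = {"timeout": (500, 30000), "port": (1, 65535), "max_servers": 16}  # from this page

# Constructed sample fragment; every value is made up for the example.
SAMPLE = """\
config endpoint-control settings
    set forticlient-ems-rest-api-call-timeout 60000
end
config endpoint-control forticlient-ems
    edit 1
        set listen-port 8013
        set upload-port 70000
    next
end
"""

def parse_sections(text):
    """Return {section: {entry: {key: value}}}; 'set' outside 'edit' uses entry ''."""
    sections, section, entry, depth = {}, None, "", 0
    for words in filter(None, (line.split() for line in text.splitlines())):
        if words[0] == "config":
            depth += 1
            if depth == 1:
                section = sections.setdefault(" ".join(words[1:]), {})
        elif words[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # ignore nested blocks such as forticlient-winmac-setting
        elif words[0] == "edit":
            entry = " ".join(words[1:]).strip('"')
            section[entry] = {}
        elif words[0] == "next":
            entry = ""
        elif words[0] == "set" and len(words) >= 3:
            section.setdefault(entry, {})[words[1]] = " ".join(words[2:]).strip('"')
    return sections

def audit(text):
    """Return a list of findings for values outside the documented limits."""
    cfg, found = parse_sections(text), []
    def check(where, key, fields, bounds):
        value = fields.get(key)
        if value is not None and not (value.isdigit() and bounds[0] <= int(value) <= bounds[1]):
            found.append(f"{where}: {key} {value} outside {bounds[0]}-{bounds[1]}")
    check("settings", "forticlient-ems-rest-api-call-timeout",
          cfg.get("endpoint-control settings", {}).get("", {}), LIMITS["timeout"])
    servers = cfg.get("endpoint-control forticlient-ems", {})
    if len(servers) > LIMITS["max_servers"]:
        found.append(f"forticlient-ems: {len(servers)} entries, maximum is 16")
    for name, fields in servers.items():
        for key in ("listen-port", "upload-port"):
            check(f"forticlient-ems {name}", key, fields, LIMITS["port"])
    return found
```

Calling `audit(SAMPLE)` reports the 60000 ms timeout and the upload port of 70000; settings that are absent from the fragment are treated as defaults and are not flagged.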

To configure FortiClient registration synchronization settings - CLI:

    config endpoint-control forticlient-registration-synch
        edit <default-name>
            config {forticlient-winmac-setting | forticlient-android-settings | forticlient-ios-settings}
        next
    end

To configure FortiClient endpoint control profiles - CLI:

    config endpoint-control profile
        edit <profile-name>
            config {forticlient-winmac-setting | forticlient-android-settings | forticlient-ios-settings}
            set forticlient-ems-entries <FortiClient-EMS-entry-name>
        next
    end

For further information about FortiClient EMS, see the FortiClient EMS Administration Guide.

Troubleshooting

The following commands can be useful for testing FortiClient EMS settings, including: signing in or out of FortiClient EMS, quarantining clients using EMS REST API, and adding quarantine calls to the queue. For additional troubleshooting commands, see the FortiOS CLI Reference.

  • diagnose endpoint forticlient-ems-rest-api signin <FortiClient-EMS-entry-name>
  • diagnose endpoint forticlient-ems-rest-api signout <FortiClient-EMS-entry-name>
  • diagnose endpoint forticlient-ems-rest-api quarantine-by-ipv4 <ipv4> <FortiClient-EMS-entry-name>
  • diagnose endpoint forticlient-ems-rest-api unquarantine-by-ipv4 <ipv4> <FortiClient-EMS-entry-name>
  • diagnose endpoint forticlient-ems-rest-api queue-quarantine-ipv4 <ipv4-address>[,<ipv4-address>...]
    To add multiple entries, separate the entries by a comma (no spaces).
  • diagnose endpoint forticlient-ems-rest-api queue-unquarantine-ipv4 <ipv4>[,<ipv4-address>...]
    To add multiple entries, separate the entries by a comma (no spaces).
  • diagnose debug application fcnacd_ems <integer>
