Dynamic policies - FortiClient EMS
The FortiClient EMS FSSO connector allows objects to be defined in FortiOS that map to tags and groups on EMS. EMS dynamically updates these endpoint groups when host compliance or other events occur, causing FortiOS to dynamically adjust its security policies based on the group definitions.
EMS supports creating compliance verification rules based on various criteria. When a FortiClient endpoint registers to EMS, EMS dynamically groups them based on these rules. FortiOS can receive the dynamic endpoint groups from EMS as tags via the FSSO protocol using an FSSO agent that supports SSL and imports trusted certificates.
After FortiOS pulls the tags from EMS, they can be used as members in user groups that can have dynamic firewall policies applied to them. When an event occur, EMS sends an update to FortiOS, and the dynamic policies are updated.
The following instructions assume EMS is installed, configured, and has endpoints connected. For information on configuring EMS, see the FortiClient EMS Administration Guide.
The following steps provide an example of configuring a dynamic policy:
- Add a compliance verification rule in EMS
- Configure an EMS FSSO agent
- Configure user groups
- Create a dynamic firewall policy
This example creates a compliance verification rule that applies to endpoints that have Windows 10 installed.
To create a compliance verification rule in EMS:
- In EMS, go to Compliance Verification > Compliance Verification Rules.
- Click Add.
- In the Name field, enter the desired rule name.
EMS uses the tag name to dynamically group endpoints, not the rule name configured in this field.
- Turn Status on to enable the rule.
- For Type, select Windows, Mac, or Linux. This affects what rule types are available. In this example, Windows is selected.
- From the Rule dropdown list, select the rule type and configure the related options. Ensure you click the + button after entering each criterion.
In this example, OS Version is selected from the Rule dropdown list, and Windows 10 is selected from the OS Version dropdown list.
- Under Assign to, select All.
- In the Tag endpoint as dropdown list, select an existing tag or enter a new tag. In this example, a new tag, WIN10_EMS134, is created. EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
- Click Save.
- Go to Compliance Verification > Host Tag Monitor. All endpoints that have Windows 10 installed are shown grouped by the WIN10_EMS134 tag.
In this example, the FSSO agent name is EMS_FSSO_connector, and the EMS server is located at 172.18.64.7.
To configure the EMS FSSO agent in FortiOS in the GUI:
- Go to Security Fabric > Fabric Connectors.
- Click Create New.
- In the SSO/Identity section, click Fortinet Single Sign-On Agent.
- Fill in the Name, and Primary FSSO Agent server IP address or name and Password.
- Set the User Group Source to Collector Agent.
User groups will be pushed to the FortiGate from the collector agent. Click Apply & Refresh to fetch group filters from the collector agent.
- Click OK.
To configure the EMS FSSO agent in FortiOS in the CLI:
config user fsso edit "ems_QA_connector" set server "172.18.64.7" set password ****** set type fortiems set ssl enable next end
In this example, the user group is named ems_QA_group, and includes six dynamic endpoint groups that were pulled from EMS as members.
To configure a user group based on EMS tags in the GUI:
- Go to User & Device > User Groups.
- Click Create New.
- In the Name field, enter ems_QA_group.
- For Type, select Fortinet Single Sign-On (FSSO).
- In the Members field, click +. The Select Entries pane appears. The dynamic endpoint groups pulled from EMS have names that begin with TAG_, followed by the tag name in EMS.
- Select the desired dynamic endpoint groups. Endpoints that currently belong to these groups in EMS will be members of this FortiOS user group.
- Click OK.
To configure a user group based on EMS tags in the CLI:
config user group edit "ems_QA_group" set group-type fsso-service set authtimeout 0 set http-digest-realm '' set member "TAG_FILE_QA_EMS" "TAG_LINUX1604_QA_EMS" "TAG_MACOS_QA_EMS" "TAG_WIN10_QA_EMS" "TAG_WIN7_QA_EMS" "TAG_WINSCP_QA_EMS" next end
You can create a dynamic firewall policy for the user group. This example shows how to create an IPv4 policy for the user group.
To create a dynamic firewall policy for the user group in the GUI:
- Go to Policy & Objects > IPv4 Policy.
- Click Create New.
- In the Source field, click +. The Select Entries pane opens.
- On the User tab, select the ems_QA_group group.
- Click Close.
- Configure the other policy settings options as required.
- Click OK.
- Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.
FortiOS will update this policy when it receives updates from EMS.
To create a dynamic firewall policy for the user group in the CLI:
config firewall policy edit 4 set name 44 set srcintf port12 set dstintf port11 set srcaddr "all" "ems_QA_group" "Win10_group" set dstaddr pc5-address set action accept set schedule always set service ALL next end
To list endpoint records, use the following CLI command:
diagnose endpoint record-list Record #1: IP_Address = 10.1.100.120(3) MAC_Address = 00:0c:29:36:4e:61 Host MAC_Address = 00:0c:29:36:4e:61 MAC list = 00-0c-29-36-4e-57;00-0c-29-36-4e-61; VDOM = vdom1 EMS serial number: FCTEMS3688727941 Quarantined: no Online status: online On-net status: on-net FortiClient connection route: Direct FortiClient communication interface index: 19 DHCP server: Dirty_onnet_addr: yes FortiClient version: 6.2.0 AVDB version: 67.558 FortiClient app signature version: 14.586 FortiClient vulnerability scan engine version: 2.28 FortiClient feature version status: 0 FortiClient UID: FA4AFAF6F92442E69DC7D67ABE64BDBA (0) FortiClient KA interval dirty: 0 FortiClient Full KA interval dirty: 0 Auth_AD_groups: Auth_group: ems_QA_group Auth_user: FRANK Host_Name: DESKTOP-FJEVH8U OS_Version: Microsoft Windows 10 Professional Edition, 64-bit (build 17763) Host_Description: AT/AT COMPATIBLE Domain: Last_Login_User: frank Host_Model: VMware Virtual Platform Host_Manufacturer: VMware, Inc. CPU_Model: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz Memory_Size: 4096 Installed features: 375 Enabled features: 177 Last vul message received time: N/A Last vul scanned time: N/A Last vul statistic: critical=0, high=0, medium=0, low=0, info=0 Avatar source username: frank Avatar source email: Avatar source: Client Operating System Phone number: online records: 1; offline records: 0; quarantined records: 0
To list authenticated IPv4 users, use the following CLI command:
diagnose firewall auth list 184.108.40.206, JONATHANWONG type: fsso, id: 0, duration: 18955, idled: 18955 server: ems_QA_connector packets: in 0 out 0, bytes: in 0 out 0 10.1.100.111, FRANK111 type: fsso, id: 0, duration: 18955, idled: 18955 server: ems_QA_connector packets: in 0 out 0, bytes: in 0 out 0 group_id: 5 group_name: ems_QA_group 10.1.100.120, FRANK type: fsso, id: 0, duration: 18955, idled: 4 server: ems_QA_connector packets: in 10643 out 11379, bytes: in 6014568 out 3224342 group_id: 5 group_name: ems_QA_group 10.1.100.141, ADMINISTRATOR type: fsso, id: 0, duration: 18955, idled: 1 server: ems_QA_connector packets: in 9669 out 10433, bytes: in 5043948 out 2823319 group_id: 5 group_name: ems_QA_group ... ... ----- 23 listed, 0 filtered ------ FGT_EC_A (vdom1) # diagnose debug authd fsso list ----FSSO logons---- IP: 220.127.116.11 User: JONATHANWONG Groups: 6B8028751BF3457BA172EE3795A2BDA8 Workstation: VAN-201740-PC IP: 10.1.100.111 User: FRANK111 Groups: ECF57781AE384D6A9A4D2D72CB5169C6+TAG_LINUX1604_QA_EMS Workstation: FRANK111- VIRTUAL-MACHINE MemberOf: ems_QA_group IP: 10.1.100.120 User: FRANK Groups: FA4AFAF6F92442E69DC7D67ABE64BDBA+TAG_WIN10_QA_EMS Workstation: DESKTOP-FJEVH8U MemberOf: ems_QA_group IP: 10.1.100.141 User: ADMINISTRATOR Groups: 6D21827915CE445F8A85F9E6BAA0C57A+TAG_VULN_EMS_QA+TAG_WIN7_QA_EMS Workstation: LHWIN7A MemberOf: ems_QA_group .... .... Total number of logons listed: 23, filtered: 0 ----end of FSSO logons----