Symantec endpoint connector
With the Fabric connector for Symantec Endpoint Protection Manager (SEPM), you can use the client IP information from SEPM to assign to dynamic IP addresses on FortiOS.
When communication between FortiGate and SEPM is established, FortiGate polls every minute for updates via TLS over port 8446. You can use the CLI to change the default one minute polling interval.
For example, you can create a dynamic Fabric Connector IP address subtype and use it in firewall policies as the source address. The dynamic IP address contains all IP addresses sent by SEPM.
This example shows a dynamic IP address with SEPM and one client PC managed by SEPM using FortiGate as the default gateway.
To configure SEPM on a managed client PC:
- In SEPM, create client packages for client hosts and group them into SEPM groups.
You can install packages locally on clients or download them directly from SEPM.
- When a package is installed on the client host, the host is considered managed by SEPM.
Even if the host has multiple interfaces, only one IP per host is displayed.
To configure Symantec endpoint connector on FortiGate in the GUI:
- Go to Security Fabric > Fabric Connectors.
- Click Create New.
- Click Symantec Endpoint Protection.
- In the Connector Settings section, if options are left empty, then all SEPM domains and groups are monitored.
- In the Symantec Connector section:
- In the Server field, enter the SEPM IP address.
- Enter the Username and Password.
- If you want to limit the domains or groups that are monitored, enter the information in Domain and Group name.
- Click OK.
When the connection is established, you can see a green up arrow in the bottom right of the tile. You might need to refresh your browser to see the established connection.
- Go to Policy & Objects > Addresses.
- Click Create New > Address.
- Set Type to Dynamic.
- Set Sub Type to Fabric Connector Address.
- Set SDN Connector to the Fabric Connector that you just created.
- Click OK.
- Edit the address to see the configuration.
- Filter shows the hostnames of the client PCs managed by SEPM. The GUI shows the ComputerName by default. You can change this using the CLI; see Specify filters for details.
Filter options are only available for active computers that are configured and registered in SEPM. Free-form filters can be created manually by clicking Create and entering the filter, in the format:
filter_type=value.Possible manual filter types are:
GroupName,GroupID,ComputerName,ComputerUUID, andOSName. For example:GroupName=MyGroup. - In Policy & Objects > Addresses, you can see all the IP addresses of the host.
- Go to Policy & Objects > IPv4 Policy, click Create New and add the dynamic IP address to the firewall policy.
To verify the configuration:
- On the client PC, check that it is managed by SEPM to access the Internet.
- In FortiGate, you can check in FortiView > Sources.
- In FortiGate, you can also check in Log & Report > Forward Traffic.
Since this traffic is not authenticated traffic but is based on source IP address only, this traffic is not shown in the GUI firewall monitor or in the CLI
diagnose firewall auth listcommand.
To configure Symantec endpoint connector on FortiGate in the CLI:
- Create the fabric connector:
config system sdn-connector edit "sepm-217" set type sepm set server "172.18.60.217" set username "admin" set password ********** set status enable next end - Create the dynamic IP address:
config firewall address edit "sepm-ip" set uuid 645552a0-d0c9-51e9-282d-c7ed6d7ee7de set type dynamic set sdn "sepm-217" set filter "ComputerName=win10-1" config list edit "10.1.100.187" next edit "10.6.30.187" next edit "172.16.200.187" next end next endYou can specify other filters and combine them with
|and&, for example:FGTH (sepm-ip) # set filter <key1=value1> [& <key2=value2>] [| <key3=value3>] Available filter keys are: <ComputerName><ComputerUuid><GroupId><GroupName> <DomainId><DomainName><OsName> - Add the dynamic IP address to the firewall policy:
config firewall policy edit 1 set name "pol1" set uuid 9174563c-d0c9-51e9-1a32-4e14385239e9 set srcintf "port2" set dstintf "port1" set srcaddr "sepm-ip" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set ssl-ssh-profile "certificate-inspection" set av-profile "default" set logtraffic all set fsso disable set nat enable next end
To troubleshoot Symantec SD connector in the CLI:
# diagnose debug application sepmd -1
Output is sent every minute (default). All IPv4 learned from SEPM. IPv6 also sent but not yet supported.
2019-09-09 12:01:09 sepmd sdn connector sepm-217 start updating IP addresses
2019-09-09 12:01:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:01:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:01:09 sepmd reap child pid: 18079
2019-09-09 12:02:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:02:09 sepm-217 sdn connector will retrieve token after 9526 secs
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 172.16.200.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.6.30.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.1.100.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating IP addresses
2019-09-09 12:02:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:02:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:02:09 sepmd reap child pid: 18089
2019-09-09 12:03:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:03:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:03:09 sepm-217 sdn connector will retrieve token after 9466 secs
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 172.16.200.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.6.30.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
IP 10.1.100.187
GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
To list the SEPM daemon SDN connectors:
diagnose test application sepmd 1 sepm SDN connector list: name: sepm-217, status: enabled, updater_interval: 60
To list the SEPM daemon SDN filters:
diagnose test application sepmd 2 sepm SDN connector sepm-217 filter list: name: sepm-ip, vd 0, filter 'ComputerName=win10-1'