Dynamic policies - FortiClient EMS

The FortiClient EMS FSSO connector allows objects to be defined in FortiOS that map to tags and groups on EMS. EMS dynamically updates these endpoint groups when host compliance or other events occur, causing FortiOS to dynamically adjust its security policies based on the group definitions.

EMS supports creating compliance verification rules based on various criteria. When a FortiClient endpoint registers to EMS, EMS dynamically groups it based on these rules. FortiOS can receive the dynamic endpoint groups from EMS as tags via the FSSO protocol, using an FSSO agent that supports SSL and imports trusted certificates.

After FortiOS pulls the tags from EMS, they can be used as members in user groups that can have dynamic firewall policies applied to them. When an event occurs, EMS sends an update to FortiOS, and the dynamic policies are updated.

The following instructions assume EMS is installed, configured, and has endpoints connected. For information on configuring EMS, see the FortiClient EMS Administration Guide.

The following steps provide an example of configuring a dynamic policy:

  1. Add a compliance verification rule in EMS
  2. Configure an EMS FSSO agent
  3. Configure user groups
  4. Create a dynamic firewall policy

Add a compliance verification rule in EMS

This example creates a compliance verification rule that applies to endpoints that have Windows 10 installed.

For more information, see Compliance verification in the FortiClient EMS Administration Guide.

To create a compliance verification rule in EMS:
  1. In EMS, go to Compliance Verification > Compliance Verification Rules.
  2. Click Add.
  3. In the Name field, enter the desired rule name.

    EMS uses the tag name to dynamically group endpoints, not the rule name configured in this field.

  4. Turn Status on to enable the rule.
  5. For Type, select Windows, Mac, or Linux. This affects what rule types are available. In this example, Windows is selected.
  6. From the Rule dropdown list, select the rule type and configure the related options. Ensure you click the + button after entering each criterion.

    In this example, OS Version is selected from the Rule dropdown list, and Windows 10 is selected from the OS Version dropdown list.

  7. Under Assign to, select All.
  8. In the Tag endpoint as dropdown list, select an existing tag or enter a new tag. In this example, a new tag, WIN10_EMS134, is created. EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.

  9. Click Save.
  10. Go to Compliance Verification > Host Tag Monitor. All endpoints that have Windows 10 installed are shown grouped by the WIN10_EMS134 tag.

Configure an EMS FSSO agent

In this example, the FSSO agent name is EMS_FSSO_connector, and the EMS server is located at 172.18.64.7.

To configure the EMS FSSO agent in FortiOS in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New.
  3. In the SSO/Identity section, click Fortinet Single Sign-On Agent.

  4. Fill in the Name, the Primary FSSO Agent server IP address or name, and the Password.
  5. Set the User Group Source to Collector Agent.

    User groups will be pushed to the FortiGate from the collector agent. Click Apply & Refresh to fetch group filters from the collector agent.

  6. Click OK.
To configure the EMS FSSO agent in FortiOS in the CLI:
config user fsso
    edit "ems_QA_connector"
        set server "172.18.64.7"
        set password  ******
        set type fortiems
        set ssl enable
    next
end

Configure user groups

In this example, the user group is named ems_QA_group, and includes six dynamic endpoint groups that were pulled from EMS as members.

To configure a user group based on EMS tags in the GUI:
  1. Go to User & Device > User Groups.
  2. Click Create New.
  3. In the Name field, enter ems_QA_group.
  4. For Type, select Fortinet Single Sign-On (FSSO).
  5. In the Members field, click +. The Select Entries pane appears. The dynamic endpoint groups pulled from EMS have names that begin with TAG_, followed by the tag name in EMS.
  6. Select the desired dynamic endpoint groups. Endpoints that currently belong to these groups in EMS will be members of this FortiOS user group.

  7. Click OK.
To configure a user group based on EMS tags in the CLI:
config user group
    edit "ems_QA_group"
        set group-type fsso-service
        set authtimeout 0
        set http-digest-realm ''
        set member "TAG_FILE_QA_EMS" "TAG_LINUX1604_QA_EMS" "TAG_MACOS_QA_EMS" "TAG_WIN10_QA_EMS" "TAG_WIN7_QA_EMS" "TAG_WINSCP_QA_EMS"
    next
end

Create a dynamic firewall policy

You can create a dynamic firewall policy for the user group. This example shows how to create an IPv4 policy for the user group.

To create a dynamic firewall policy for the user group in the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Click Create New.
  3. In the Source field, click +. The Select Entries pane opens.
    1. On the User tab, select the ems_QA_group group.
    2. Click Close.
  4. Configure the other policy settings as required.

  5. Click OK.
  6. Go to Policy & Objects > IPv4 Policy to ensure the policy was created and applied to the desired user group.

    FortiOS will update this policy when it receives updates from EMS.

To create a dynamic firewall policy for the user group in the CLI:
config firewall policy
    edit 4
        set name 44
        set srcintf port12
        set dstintf port11
        set srcaddr "all" "ems_QA_group" "Win10_group"
        set dstaddr pc5-address
        set action accept
        set schedule always
        set service ALL
    next
end

Diagnostics

To list endpoint records, use the following CLI command:

diagnose endpoint record-list
    Record #1:
        IP_Address = 10.1.100.120(3)
        MAC_Address = 00:0c:29:36:4e:61
        Host MAC_Address = 00:0c:29:36:4e:61
        MAC list = 00-0c-29-36-4e-57;00-0c-29-36-4e-61;
        VDOM = vdom1
        EMS serial number: FCTEMS3688727941
        Quarantined: no
        Online status: online
        On-net status: on-net
        FortiClient connection route: Direct
        FortiClient communication interface index: 19
        DHCP server: 
        Dirty_onnet_addr: yes
        FortiClient version: 6.2.0
        AVDB version: 67.558
        FortiClient app signature version: 14.586
        FortiClient vulnerability scan engine version: 2.28
        FortiClient feature version status: 0
        FortiClient UID: FA4AFAF6F92442E69DC7D67ABE64BDBA (0)
        FortiClient KA interval dirty: 0
        FortiClient Full KA interval dirty: 0
        Auth_AD_groups: 
        Auth_group: ems_QA_group
        Auth_user: FRANK
        Host_Name: DESKTOP-FJEVH8U
        OS_Version: Microsoft Windows 10 Professional Edition, 64-bit (build 17763)
        Host_Description: AT/AT COMPATIBLE
        Domain: 
        Last_Login_User: frank
        Host_Model: VMware Virtual Platform
        Host_Manufacturer: VMware, Inc.
        CPU_Model: Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
        Memory_Size: 4096
        Installed features: 375
        Enabled features: 177
        Last vul message received time: N/A
        Last vul scanned time: N/A
        Last vul statistic: critical=0, high=0, medium=0, low=0, info=0
        Avatar source username: frank
        Avatar source email: 
        Avatar source: Client Operating System
        Phone number: 
    online records: 1; offline records: 0; quarantined records: 0

To list authenticated IPv4 users, use the following CLI command:

diagnose firewall auth list 
    2.2.2.1, JONATHANWONG
        type: fsso, id: 0, duration: 18955, idled: 18955
        server: ems_QA_connector
        packets: in 0 out 0, bytes: in 0 out 0
    10.1.100.111, FRANK111
        type: fsso, id: 0, duration: 18955, idled: 18955
        server: ems_QA_connector
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 5
        group_name: ems_QA_group
    10.1.100.120, FRANK
        type: fsso, id: 0, duration: 18955, idled: 4
        server: ems_QA_connector
        packets: in 10643 out 11379, bytes: in 6014568 out 3224342
        group_id: 5
        group_name: ems_QA_group
    10.1.100.141, ADMINISTRATOR
        type: fsso, id: 0, duration: 18955, idled: 1
        server: ems_QA_connector
        packets: in 9669 out 10433, bytes: in 5043948 out 2823319
        group_id: 5
        group_name: ems_QA_group
    ...
    ...

    ----- 23 listed, 0 filtered ------

To list the FSSO logons, including the EMS tags each endpoint carries and the FortiOS user group it was placed in, use the following CLI command:

    FGT_EC_A (vdom1) # diagnose debug authd fsso list
    ----FSSO logons----
    IP: 2.2.2.1  User: JONATHANWONG  Groups: 6B8028751BF3457BA172EE3795A2BDA8  Workstation: VAN-201740-PC 
    IP: 10.1.100.111  User: FRANK111  Groups: ECF57781AE384D6A9A4D2D72CB5169C6+TAG_LINUX1604_QA_EMS  Workstation: FRANK111-VIRTUAL-MACHINE MemberOf: ems_QA_group 
    IP: 10.1.100.120  User: FRANK  Groups: FA4AFAF6F92442E69DC7D67ABE64BDBA+TAG_WIN10_QA_EMS  Workstation: DESKTOP-FJEVH8U MemberOf: ems_QA_group 
    IP: 10.1.100.141  User: ADMINISTRATOR  Groups: 6D21827915CE445F8A85F9E6BAA0C57A+TAG_VULN_EMS_QA+TAG_WIN7_QA_EMS  Workstation: LHWIN7A MemberOf: ems_QA_group 
    ....
    ....
    
    Total number of logons listed: 23, filtered: 0
    ----end of FSSO logons----
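The FSSO logon list above is the quickest place to verify that EMS tags are actually reaching the firewall and landing in the intended user group. The following script is an added example, not part of the Fortinet cookbook or FortiOS: it parses the "diagnose debug authd fsso list" output (the four logon lines above, embedded as a constructed sample with the workstation name whitespace normalised), keeps only the TAG_ entries from each Groups field, and compares them against the members of ems_QA_group from the "config user group" block above. It reports endpoints that carry no tag (and so match no dynamic policy), endpoints whose tag should place them in a group but show no MemberOf, and tags that no FortiOS user group references (TAG_VULN_EMS_QA in the sample).

```python
import re

# Constructed sample: the four logon lines from the "diagnose debug authd fsso list"
# output shown above (workstation name whitespace normalised).
SAMPLE_FSSO_LIST = """\
----FSSO logons----
IP: 2.2.2.1  User: JONATHANWONG  Groups: 6B8028751BF3457BA172EE3795A2BDA8  Workstation: VAN-201740-PC
IP: 10.1.100.111  User: FRANK111  Groups: ECF57781AE384D6A9A4D2D72CB5169C6+TAG_LINUX1604_QA_EMS  Workstation: FRANK111-VIRTUAL-MACHINE MemberOf: ems_QA_group
IP: 10.1.100.120  User: FRANK  Groups: FA4AFAF6F92442E69DC7D67ABE64BDBA+TAG_WIN10_QA_EMS  Workstation: DESKTOP-FJEVH8U MemberOf: ems_QA_group
IP: 10.1.100.141  User: ADMINISTRATOR  Groups: 6D21827915CE445F8A85F9E6BAA0C57A+TAG_VULN_EMS_QA+TAG_WIN7_QA_EMS  Workstation: LHWIN7A MemberOf: ems_QA_group
----end of FSSO logons----
"""

# FortiOS user groups and their EMS tag members, copied from "config user group" above.
USER_GROUPS = {
    "ems_QA_group": {
        "TAG_FILE_QA_EMS", "TAG_LINUX1604_QA_EMS", "TAG_MACOS_QA_EMS",
        "TAG_WIN10_QA_EMS", "TAG_WIN7_QA_EMS", "TAG_WINSCP_QA_EMS",
    },
}

LOGON_RE = re.compile(
    r"^IP:\s*(?P<ip>\S+)\s+User:\s*(?P<user>\S+)\s+Groups:\s*(?P<groups>\S+)"
    r"\s+Workstation:\s*(?P<ws>\S+)(?:\s+MemberOf:\s*(?P<member>\S+))?"
)

def parse_fsso_logons(text):
    """One dict per logon line. 'Groups' is the FortiClient UID plus zero or
    more TAG_<EMS tag> entries joined by '+'; only the TAG_ entries are kept."""
    logons = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue  # header, footer and elided "...." lines
        tags = [g for g in m.group("groups").split("+") if g.startswith("TAG_")]
        logons.append({"ip": m.group("ip"), "user": m.group("user"),
                       "tags": tags, "member_of": m.group("member")})
    return logons

def audit(logons, user_groups):
    """Flag logons whose tags will not map onto a dynamic policy as expected."""
    known_tags = set().union(*user_groups.values())
    findings = {}
    for lg in logons:
        if not lg["tags"]:  # no EMS tag at all: matches no dynamic policy
            findings.setdefault("no_tag", []).append(lg["ip"])
        expected = {g for g, tags in user_groups.items() if set(lg["tags"]) & tags}
        if expected and lg["member_of"] not in expected:  # tag present, group not applied
            findings.setdefault("missing_membership", []).append(lg["ip"])
        for tag in lg["tags"]:
            if tag not in known_tags:  # tag exists on EMS but no user group references it
                findings.setdefault("unmapped_tag", []).append((lg["ip"], tag))
    return findings
```

Run audit(parse_fsso_logons(SAMPLE_FSSO_LIST), USER_GROUPS) against a live capture of the command output to confirm that every tagged endpoint has been placed in the group your dynamic policy references.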
