New Features

6.4.0

Simplify FortiClient EMS setup

EMS configurations are now centralized under one configuration card on the Fabric Connectors page. Certificates are the main mode of authentication and authorization. The certificate validity is verified against the issuer CA, and then presented to the user to authorize. A certificate attribute has been added to endpoint-control fctems, and EMS certificates can be verified with execute fctems verify.

The following examples presume the EMS certificate has already been configured.

To configure an on-premise FortiClient EMS server to the Security Fabric in the GUI:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
  2. Click Create New and click FortiClient EMS.
  3. For Type, click FortiClient EMS.
  4. Enter a name and IP address.
  5. Click OK.

    A window appears to verify the EMS server certificate.

  6. Click Accept.

    The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.

To configure a FortiClient EMS Cloud server to the Security Fabric in the GUI:
  1. Go to Security Fabric > Fabric Connectors.
  2. Click Create New and click FortiClient EMS.
  3. For Type, click FortiClient EMS Cloud.
  4. Enter a name.
  5. Click OK.

    A window appears to verify the EMS server certificate.

  6. Click Accept.

    The FortiClient EMS Status section displays a Successful connection and an Authorized certificate.

To configure an on-premise FortiClient EMS server to the Security Fabric in the CLI:
    config endpoint-control fctems
        edit "ems138"
            set server "172.16.200.138"
            set certificate "REMOTE_Cert_1"
        next
    end

To configure a FortiClient EMS Cloud server to the Security Fabric in the CLI:
    config endpoint-control fctems
        edit "Cloud_EMS"
            set fortinetone-cloud-authentication enable
            set certificate "REMOTE_Cert_1"
        next
    end

To verify an EMS certificate in the CLI:
# execute fctems verify ems137

        Subject:     C = CA, ST = bc, L = burnaby, O = devqa, OU = top3, CN = sys169.qa.fortinet.cm, emailAddress = xxxx@xxxxxxxx.xxx
        Issuer:      CN = 155-sub1.fortinet.com
        Valid from:  2017-12-05 00:37:57  GMT
        Valid to:    2027-12-02 18:08:13  GMT
        Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
        Root CA:     No
        Version:     3
        Serial Num:
                01:86:a2
        Extensions:
                Name:     X509v3 Basic Constraints
                Critical: yes
                Content:
                CA:FALSE

                Name:     X509v3 Subject Key Identifier
                Critical: no
                Content:
                35:B0:E2:62:AF:9A:7A:E6:A6:8E:AD:CB:A4:CF:4D:7A:DE:27:39:A4

                Name:     X509v3 Authority Key Identifier
                Critical: no
                Content:
                keyid:66:54:0F:78:78:91:F2:E4:08:BB:80:2C:F6:BC:01:8E:3F:47:43:B1
                DirName:/C=CA/ST=bc/L=burnaby/O=devqa/OU=top3/CN=fac155.fortinet.com/emailAddress=xyguo@fortinet.com
                serial:01:86:A4

                Name:     X509v3 Subject Alternative Name
                Critical: no
                Content:
                DNS:sys169.qa.fortinet.cm

                Name:     X509v3 Key Usage
                Critical: no
                Content:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only

                Name:     X509v3 Extended Key Usage
                Critical: no
                Content:
                TLS Web Server Authentication, TLS Web Client Authentication

EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
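
The following is an added example, not part of Fortinet's documentation: a Python check that an administrator could run over saved `execute fctems verify` output before answering `y` at the trust prompt. The function names, the pinned fingerprint (assumed to have been recorded out of band on the EMS server), and the expected host name are assumptions; the sample text is trimmed from the output above, whose Key Usage lists Certificate Sign and CRL Sign even though Basic Constraints is CA:FALSE.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed from the `execute fctems verify` output shown above.
SAMPLE = """\
        Valid from:  2017-12-05 00:37:57  GMT
        Valid to:    2027-12-02 18:08:13  GMT
        Fingerprint: D3:7A:1B:84:CC:B7:5C:F0:A5:73:3D:BB:ED:21:F2:E0
        Extensions:
                Name:     X509v3 Basic Constraints
                Critical: yes
                Content:
                CA:FALSE

                Name:     X509v3 Subject Alternative Name
                Critical: no
                Content:
                DNS:sys169.qa.fortinet.cm

                Name:     X509v3 Key Usage
                Critical: no
                Content:
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
"""

def parse(text):
    """Return (top-level fields, {extension name: first content line})."""
    fields = dict(re.findall(r"^[ \t]*(Valid from|Valid to|Fingerprint):[ \t]*(.+?)[ \t]*$", text, re.M))
    exts = dict(re.findall(r"Name:\s*X509v3 (.+?)\s*\n\s*Critical:.*\n\s*Content:\s*\n\s*(.+)", text))
    return fields, exts

def review(text, pinned_fp, expected_host, now=None):
    """List reasons to answer 'n' at the trust prompt; an empty list means none found."""
    fields, exts = parse(text)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC
    when = lambda k: datetime.strptime(" ".join(fields[k].split()), "%Y-%m-%d %H:%M:%S GMT")
    usage = {u.strip() for u in exts.get("Key Usage", "").split(",")}
    san = {s.strip()[4:] for s in exts.get("Subject Alternative Name", "").split(",")
           if s.strip().startswith("DNS:")}
    findings = []
    if fields["Fingerprint"].upper() != pinned_fp.upper():
        findings.append("fingerprint differs from the value recorded on the EMS server")
    if not when("Valid from") <= now <= when("Valid to"):
        findings.append("outside validity period")
    if expected_host not in san:
        findings.append("expected host name not in SAN")
    if "CA:FALSE" not in exts.get("Basic Constraints", "") or usage & {"Certificate Sign", "CRL Sign"}:
        findings.append("certificate can sign certificates or CRLs")
    return findings
```
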
