Administration Guide

Symantec endpoint connector

With the Fabric connector for Symantec Endpoint Protection Manager (SEPM), FortiOS can use the client IP information from SEPM to populate dynamic IP addresses.

When communication between FortiGate and SEPM is established, FortiGate polls SEPM for updates every minute via TLS over port 8446. You can use the CLI to change the default one-minute polling interval.

For example, you can create a dynamic Fabric Connector IP address subtype and use it in firewall policies as the source address. The dynamic IP address contains all IP addresses sent by SEPM.

This example shows a dynamic IP address with SEPM and one client PC managed by SEPM using FortiGate as the default gateway.

To configure SEPM on a managed client PC:
  1. In SEPM, create client packages for client hosts and group them into SEPM groups.

    You can install packages locally on clients or download them directly from SEPM.

  2. When a package is installed on the client host, the host is considered managed by SEPM.

    Even if the host has multiple interfaces, only one IP per host is displayed.

To configure Symantec endpoint connector on FortiGate in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New:
    1. In the Endpoint/Identity section, click Symantec Endpoint Protection.
    2. Fill in the Name, and set the Status and Update Interval.
    3. Set Server to the SEPM IP address.
    4. Enter the Username and Password for the server.
    5. To limit the domain or group that is monitored, enter them in the requisite fields.

    6. Click OK.

      When the connection is established, you can see a green up arrow in the bottom right of the card. You might need to refresh your browser to see the established connection.

  2. Go to Policy & Objects > Addresses and click Create New > Address:
    1. Fill in the address Name.
    2. Set Type to Dynamic.
    3. Set Sub Type to Fabric Connector Address.
    4. Set SDN Connector to the fabric connector that you just created.
    5. Add Filters as needed.

    6. Click OK.
      Note

      Filter options are only available for active computers that are configured and registered in SEPM. Free-form filters can be created manually by clicking Create and entering the filter, in the format: filter_type=value.

      Possible manual filter types are: GroupName, GroupID, ComputerName, ComputerUUID, and OSName. For example: GroupName=MyGroup.

  3. Go to Policy & Objects > Addresses and hover the cursor over the name of the new address to see the resolved IP addresses of the host.

  4. Go to Policy & Objects > Firewall Policy, click Create New, and add a policy that uses the dynamic IP address.

To verify the configuration:
  1. On the client PC managed by SEPM, check that it can access the Internet.

  2. On the FortiGate, you can check in Dashboard > FortiView Sources and Log & Report > Forward Traffic.

    Note

    Because this traffic is not authenticated traffic but is based on source IP address only, it is not shown in the GUI firewall monitor or in the diagnose firewall auth list CLI command.

To configure Symantec endpoint connector on FortiGate in the CLI:
  1. Create the fabric connector:
    config system sdn-connector
        edit "sepm-217"
            set type sepm
            set server "172.18.60.217"
            set username "admin"
            set password **********
            set status enable
        next
    end
  2. Create the dynamic IP address:
    config firewall address
        edit "sepm-ip"
            set type dynamic
            set sdn "sepm-217"
            set filter "ComputerName=win10-1"
            config list
                edit "10.1.100.187"
                next
                edit "10.6.30.187"
                next
                edit "172.16.200.187"
                next
            end
        next
    end
  3. Add the dynamic IP address to the firewall policy:
    config firewall policy
        edit 1
            set name "pol1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "sepm-ip"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set fsso disable
            set nat enable
        next
    end
To troubleshoot the Symantec SDN connector in the CLI:
# diagnose debug application sepmd -1

Output is written every minute (the default polling interval). All IPv4 addresses learned from SEPM are listed. SEPM also sends IPv6 addresses, but they are not yet supported, so sepmd rejects them with the message "is not in IPv4 presentation format".

2019-09-09 12:01:09 sepmd sdn connector sepm-217 start updating IP addresses
2019-09-09 12:01:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:01:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:01:09 sepmd reap child pid: 18079
2019-09-09 12:02:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:02:09 sepm-217 sdn connector will retrieve token after 9526 secs
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 172.16.200.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 10.6.30.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 10.1.100.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format


2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating IP addresses
2019-09-09 12:02:09 sepmd checking firewall address object sepm-ip, vd 0
2019-09-09 12:02:09 sepmd sdn connector sepm-217 finish updating IP addresses
2019-09-09 12:02:09 sepmd reap child pid: 18089
2019-09-09 12:03:09 sepmd sdn connector sepm-217 prepare to update
2019-09-09 12:03:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:03:09 sepm-217 sdn connector will retrieve token after 9466 secs
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 172.16.200.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 10.6.30.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 10.1.100.187
    GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:03:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
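As an added example (not part of the Fortinet documentation), the following Python parses sepmd debug output of the form shown above, applies a manual filter in the filter_type=value format described in the GUI note, and compares the learned IPv4 set with the entries of the dynamic address's `config list` block, so you can confirm which source addresses the policy will actually match. The srv-1 host, its UUID and its group ID are constructed; the win10-1 records mirror the output above.

```python
import ipaddress
import re

# Constructed sample modelled on the sepmd debug output above; srv-1 and its IDs are made up.
SAMPLE_DEBUG = """\
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 172.16.200.187
    GroupName My Company\\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1
    ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10
    IP 10.6.30.187
    GroupName My Company\\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName srv-1
    ComputerUuid 00000000-1111-2222-3333-444444444444, OsName Windows Server 2019
    IP 10.1.100.5
    GroupName My Company\\Servers, GroupId 00000000000000000000000000000001
    DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
"""

# Group names are the manual filter types the GUI note lists (GroupName, GroupID, ...).
RECORD_RE = re.compile(
    r"sym_new_ip_addr ComputerName (?P<ComputerName>.+?)\n"
    r"\s+ComputerUuid (?P<ComputerUUID>\S+), OsName (?P<OSName>.+?)\n"
    r"\s+IP (?P<IP>\S+)\n"
    r"\s+GroupName (?P<GroupName>.+?), GroupId (?P<GroupID>\S+)\n")
UNSUPPORTED_RE = re.compile(r"(\S+) is not in IPv4 presentation format")

def resolve_addresses(text, filt=None):
    """Apply one filter_type=value filter and return the IPv4 set the address object receives."""
    key, value = filt.split("=", 1) if filt else (None, None)
    learned = set()
    for m in RECORD_RE.finditer(text):
        if key and m.group(key) != value:
            continue
        addr = ipaddress.ip_address(m.group("IP"))
        if addr.version == 4:          # IPv6 is sent by SEPM but not yet supported
            learned.add(str(addr))
    return learned

def unsupported_addresses(text):
    """Addresses sepmd rejected because they are not IPv4."""
    return UNSUPPORTED_RE.findall(text)

def drift(text, filt, configured):
    """Return (configured but not learned, learned but not configured) for the address object."""
    learned = resolve_addresses(text, filt)
    return sorted(set(configured) - learned), sorted(learned - set(configured))
```

A non-empty first element of `drift()` means the address object still carries entries SEPM no longer reports for that filter, which is worth checking before the policy is trusted.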
To list the SEPM daemon SDN connectors:
# diagnose test application sepmd 1
sepm SDN connector list:
  name: sepm-217, status: enabled, updater_interval: 60
To list the SEPM daemon SDN filters:
# diagnose test application sepmd 2
sepm SDN connector sepm-217 filter list:
  name: sepm-ip, vd 0, filter 'ComputerName=win10-1'