Administration Guide

Synchronizing FortiClient EMS tags and configurations

An option under the FortiClient EMS settings on the FortiGate consolidates the setup of EMS connectors to support EMS tags. EMS tags are pulled into the FortiGate via TCP/8013 and automatically synced with the EMS server. They are converted into read-only dynamic firewall addresses that can be used in firewall policies, routing, and so on.

Note

You can test connectivity to the EMS on the FortiGate with the diagnose endpoint fctems test-connectivity <EMS_ENTRY_NAME> command.

These examples presume the following have been configured in FortiClient EMS:

  • Tags have been created on the Compliance Verification > Compliance Verification Rules page.

  • There are registered users who match the defined tags that are visible on the Compliance Verification > Host Tag Monitor page.

To configure FortiClient EMS with tag synchronization in the GUI:
  1. Configure the EMS Fabric Connector:
    1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
    2. Click Create New and click FortiClient EMS.
    3. Enable Synchronize firewall addresses.

    4. Configure the other settings as needed and validate the certificate.
    5. Click OK.
  2. Go to Policy & Objects > Addresses and hover over the EMS tag to view which IPs it resolves to.
  3. Configure a firewall policy:
    1. Go to Policy & Objects > Firewall Policy and create a new policy.
    2. For the Source Address, add the EMS tag dynamic address.

    3. Configure the other settings as needed.
    4. Click OK.

To configure FortiClient EMS with tag synchronization in the CLI:
  1. Configure the EMS Fabric Connector:
    config endpoint-control fctems
        edit "ems137"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.137"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set call-timeout 5000
            set certificate "REMOTE_Cert_1"
        next
    end
  2. Verify which IPs the dynamic firewall address resolves to:
    # diagnose firewall dynamic list 
    List all dynamic addresses:
    FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
            ADDR(10.1.100.120)
            ADDR(10.1.100.198)
    
    FCTEMS0580226579_ems137_winscp_tag: ID(155)
            ADDR(100.100.100.141)
    
    FCTEMS0580226579_ems137_win10_tag: ID(182)
            ADDR(10.1.100.120)
    # diagnose firewall dynamic address FCTEMS0580226579_ems137_vuln_critical_tag
    FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
            ADDR(10.1.100.120)
            ADDR(10.1.100.198)
    
    Total dynamic list entries: 1.
    Total dynamic addresses: 2
    Total dynamic ranges: 0
  3. Configure a firewall policy that uses the EMS tag dynamic firewall address as a source.
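Before an EMS tag is used as a policy source it is worth confirming what it currently resolves to, since a tag that has not synced (or that no endpoint matches) leaves the policy matching nothing. The following is an added example, not FortiOS or Fortinet code: it parses text in the shape of the diagnose firewall dynamic list output shown above (copied from the CLI, or pulled over SSH by whatever tooling you already use), maps each tag to its addresses, reverse-looks-up which tags an endpoint IP belongs to, and flags tags that are missing or empty. The sample output, including the extra FCTEMS0580226579_ems137_stale_tag entry with no addresses, is constructed for the example; the tag names follow the FCTEMS<serial>_<connector>_<tag> form seen in the guide.

```python
"""Parse `diagnose firewall dynamic list` output and sanity-check EMS tags
before they are used as dynamic firewall addresses.  Added example; the
sample output below is constructed to match the format in the guide."""
import re
from typing import Dict, List

# Constructed sample in the same shape as the FortiGate output above.
# The "stale_tag" entry is invented to show a tag with no matching hosts.
SAMPLE_OUTPUT = """\
List all dynamic addresses:
FCTEMS0580226579_ems137_vuln_critical_tag: ID(118)
        ADDR(10.1.100.120)
        ADDR(10.1.100.198)

FCTEMS0580226579_ems137_winscp_tag: ID(155)
        ADDR(100.100.100.141)

FCTEMS0580226579_ems137_win10_tag: ID(182)
        ADDR(10.1.100.120)

FCTEMS0580226579_ems137_stale_tag: ID(201)
"""

# A tag header line: "<name>: ID(<n>)"; an address line: "ADDR(<ip>)" indented.
_HEADER = re.compile(r"^(?P<name>\S+): ID\((?P<id>\d+)\)\s*$")
_ADDR = re.compile(r"^\s+ADDR\((?P<ip>[^)]+)\)\s*$")


def parse_dynamic_list(text: str) -> Dict[str, List[str]]:
    """Return {tag_name: [ip, ...]} from diagnose output.

    Tags that appear with no ADDR lines map to an empty list, so they are
    preserved rather than silently dropped."""
    tags: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group("name")
            tags[current] = []
            continue
        m = _ADDR.match(line)
        if m and current is not None:
            tags[current].append(m.group("ip"))
    return tags


def tags_for_ip(tags: Dict[str, List[str]], ip: str) -> List[str]:
    """Reverse lookup: every tag an endpoint IP currently belongs to."""
    return sorted(name for name, ips in tags.items() if ip in ips)


def empty_tags(tags: Dict[str, List[str]]) -> List[str]:
    """Tags that synced from EMS but resolve to no endpoint at the moment."""
    return sorted(name for name, ips in tags.items() if not ips)


def check_policy_source(tags: Dict[str, List[str]], tag_name: str) -> str:
    """Status of a tag about to be referenced as a firewall policy source:
    'missing' (not synced at all), 'empty' (no host matches), or 'ok'."""
    if tag_name not in tags:
        return "missing"
    if not tags[tag_name]:
        return "empty"
    return "ok"


if __name__ == "__main__":
    parsed = parse_dynamic_list(SAMPLE_OUTPUT)
    for name, ips in parsed.items():
        print(f"{name}: {check_policy_source(parsed, name)} ({len(ips)} address(es))")
    print("empty tags:", empty_tags(parsed))
    print("tags for 10.1.100.120:", tags_for_ip(parsed, "10.1.100.120"))
```

Run it against a pasted copy of your own diagnose output; an 'empty' or 'missing' result for a tag that a policy already references is the first thing to check when endpoints unexpectedly fall outside the policy, alongside the test-connectivity command from the note above.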
