Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Improve communication performance between EMS and FortiGate with WebSockets

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API.

When WebSockets are not used (due to an override or unsupported EMS version), updates are triggered on demand from the FortiGate side over the REST API. If the WebSocket capability is detected, the capabilities setting will automatically display the WebSocket option. Users can also use the diagnose test application fcnacd 2 command to view the status of the WebSocket connection.

Example

WebSockets can be used in a scenario using ZTNA tags. When a FortiClient detects changes in the endpoint client, this information is sent to EMS. EMS may re-tag the client, so a quick notification to the FortiGate and corresponding REST API call from the FortiGate to EMS means the turnaround for the FortiGate to synchronize with current the FortiClient status is much quicker.

To use the WebSocket service:
  1. Configure the EMS entry:
    config endpoint-control fctems
        edit "ems139"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.139"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end

    When the entry is created, the capabilities are unset by default.

  2. Authenticate the FortiGate with EMS:
    # execute fctems verify ems_139
    ...

    The FortiGate will enable the WebSocket server based on the EMS supported capabilities.

    config endpoint-control fctems
        edit "ems139"
            set server "172.18.62.12"
            set capabilities fabric-auth silent-approval websocket
        next
    end
To verify the WebSocket connection status:
# diagnose test application fcnacd 2
EMS context status:

FortiClient EMS number 1:
        name: ems139 confirmed: yes
        fetched-serial-number: FCTEMS8821000000

Websocket status: connected

        Object ID: 0, base-path: api/v1/system/serial_number, priority: 0.
        Description: REST API to get EMS Serial Number..
        Not a valid object.
        Object ID: 2, base-path: api/v1/fabric_device_auth/fortigate, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Not a valid object.
        Object ID: 4, base-path: api/v1/fgt/gateway_details/gateway_mac, priority: 3.
        Description: REST API to send Gateway MAC info.
        Object ID: 5, base-path: api/v1/fgt/gateway_details/vpn, priority: 2.
        Description: REST API to send updated regarding VPN updates..
        Object ID: 6, base-path: api/v1/report/fct/sysinfo, priority: 4.
        Description: REST API to get updates about system info..
        Object ID: 7, base-path: api/v1/report/fct/vuln, priority: 5.
        Description: REST API to get updates about vulnerabilities..
        Object ID: 8, base-path: api/v1/report/fct/avatar, priority: 3.
        Description: REST API to get updates about avatars..
        Object ID: 9, base-path: api/v1/report/fct/host_tags, priority: 2.
        Description: REST API to get updates about host tags..
        Object ID: 10, base-path: api/v1/malware/hash, priority: 4.
        Description: REST API to get updates about malware hashes.
        Object ID: 11, base-path: api/v1/clients/action, priority: 3.
        Description: REST API to send client actions.
        Object ID: 12, base-path: api/v1/report/fct/subscribe, priority: 3.
        Description: REST API to subscribe to/unsubscribe from different UIDs..
        Object ID: 13, base-path: api/v1/ztna_certificates/download, priority: 3.
        Description: REST API to get ZTNA certificate..
        Object ID: 14, base-path: api/v1/settings/server/websocket_port, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Worker 0 is idle.
        Worker 1 is idle.

Improve communication performance between EMS and FortiGate with WebSockets

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS firmware, the FortiGate can open a WebSocket connection with EMS to register for notifications about system information, host tags, avatars, and vulnerabilities. When these tables are updated, EMS pushes notifications to the corresponding FortiGate. The FortiGate then fetches the updated information using the REST API.

When WebSockets are not used (due to an override or unsupported EMS version), updates are triggered on demand from the FortiGate side over the REST API. If the WebSocket capability is detected, the capabilities setting will automatically display the WebSocket option. Users can also use the diagnose test application fcnacd 2 command to view the status of the WebSocket connection.

Example

WebSockets can be used in a scenario using ZTNA tags. When a FortiClient detects changes in the endpoint client, this information is sent to EMS. EMS may re-tag the client, so a quick notification to the FortiGate and corresponding REST API call from the FortiGate to EMS means the turnaround for the FortiGate to synchronize with current the FortiClient status is much quicker.

To use the WebSocket service:
  1. Configure the EMS entry:
    config endpoint-control fctems
        edit "ems139"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.139"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end

    When the entry is created, the capabilities are unset by default.

  2. Authenticate the FortiGate with EMS:
    # execute fctems verify ems_139
    ...

    The FortiGate will enable the WebSocket server based on the EMS supported capabilities.

    config endpoint-control fctems
        edit "ems139"
            set server "172.18.62.12"
            set capabilities fabric-auth silent-approval websocket
        next
    end
To verify the WebSocket connection status:
# diagnose test application fcnacd 2
EMS context status:

FortiClient EMS number 1:
        name: ems139 confirmed: yes
        fetched-serial-number: FCTEMS8821000000

Websocket status: connected

        Object ID: 0, base-path: api/v1/system/serial_number, priority: 0.
        Description: REST API to get EMS Serial Number..
        Not a valid object.
        Object ID: 2, base-path: api/v1/fabric_device_auth/fortigate, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Not a valid object.
        Object ID: 4, base-path: api/v1/fgt/gateway_details/gateway_mac, priority: 3.
        Description: REST API to send Gateway MAC info.
        Object ID: 5, base-path: api/v1/fgt/gateway_details/vpn, priority: 2.
        Description: REST API to send updated regarding VPN updates..
        Object ID: 6, base-path: api/v1/report/fct/sysinfo, priority: 4.
        Description: REST API to get updates about system info..
        Object ID: 7, base-path: api/v1/report/fct/vuln, priority: 5.
        Description: REST API to get updates about vulnerabilities..
        Object ID: 8, base-path: api/v1/report/fct/avatar, priority: 3.
        Description: REST API to get updates about avatars..
        Object ID: 9, base-path: api/v1/report/fct/host_tags, priority: 2.
        Description: REST API to get updates about host tags..
        Object ID: 10, base-path: api/v1/malware/hash, priority: 4.
        Description: REST API to get updates about malware hashes.
        Object ID: 11, base-path: api/v1/clients/action, priority: 3.
        Description: REST API to send client actions.
        Object ID: 12, base-path: api/v1/report/fct/subscribe, priority: 3.
        Description: REST API to subscribe to/unsubscribe from different UIDs..
        Object ID: 13, base-path: api/v1/ztna_certificates/download, priority: 3.
        Description: REST API to get ZTNA certificate..
        Object ID: 14, base-path: api/v1/settings/server/websocket_port, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Worker 0 is idle.
        Worker 1 is idle.