New Features

Doc ID: 4f6cd3c1-22cb-11eb-96b9-00505692583a:308066

Improve communication performance between EMS and FortiGate with WebSockets

The performance of updates between the FortiGate and FortiClient EMS is improved by using WebSockets. On supported FortiClient EMS versions, the FortiGate opens a WebSocket connection to EMS and registers for notifications about system information, host tags, avatars, and vulnerabilities. When any of these tables changes, EMS pushes a notification to the registered FortiGate, and the FortiGate then fetches only the updated information over the REST API. The WebSocket carries change notifications, not the data itself; the data is still retrieved over the authenticated REST API.

When WebSockets are not used (because websocket-override is enabled on the EMS entry, or the EMS version does not support them), the FortiGate falls back to triggering updates on demand from its own side over the REST API. When the FortiGate detects that EMS supports WebSockets, websocket is added automatically to the capabilities setting of the EMS entry. The diagnose test application fcnacd 2 command shows the current status of the WebSocket connection.

Example

WebSockets are useful in a scenario that uses ZTNA tags. When FortiClient detects a change on the endpoint, it reports the change to EMS, and EMS may re-tag the endpoint as a result. With WebSockets, EMS notifies the FortiGate immediately and the FortiGate makes the corresponding REST API call to EMS, so the time for the FortiGate to synchronize with the current FortiClient status, and therefore for ZTNA policy to reflect the new tag, is much shorter than with periodic or on-demand polling.

To use the WebSocket service:
  1. Configure the EMS entry:
    config endpoint-control fctems
        edit "ems139"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.139"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end

    When the entry is created, the capabilities are unset by default.

  2. Authenticate the FortiGate with EMS:
    # execute fctems verify ems139
    ...

    Verification establishes trust between the FortiGate and the EMS server. Once it completes, the FortiGate populates the capabilities setting from the capabilities that EMS reports, and enables the WebSocket connection when websocket is among them:

    config endpoint-control fctems
        edit "ems139"
            set server "172.16.200.139"
            set capabilities fabric-auth silent-approval websocket
        next
    end
  3. Verify the WebSocket connection status:
    # diagnose test application fcnacd 2
EMS context status:

FortiClient EMS number 1:
        name: ems139 confirmed: yes
        fetched-serial-number: FCTEMS8821000000

Websocket status: connected

        Object ID: 0, base-path: api/v1/system/serial_number, priority: 0.
        Description: REST API to get EMS Serial Number..
        Not a valid object.
        Object ID: 2, base-path: api/v1/fabric_device_auth/fortigate, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Not a valid object.
        Object ID: 4, base-path: api/v1/fgt/gateway_details/gateway_mac, priority: 3.
        Description: REST API to send Gateway MAC info.
        Object ID: 5, base-path: api/v1/fgt/gateway_details/vpn, priority: 2.
        Description: REST API to send updated regarding VPN updates..
        Object ID: 6, base-path: api/v1/report/fct/sysinfo, priority: 4.
        Description: REST API to get updates about system info..
        Object ID: 7, base-path: api/v1/report/fct/vuln, priority: 5.
        Description: REST API to get updates about vulnerabilities..
        Object ID: 8, base-path: api/v1/report/fct/avatar, priority: 3.
        Description: REST API to get updates about avatars..
        Object ID: 9, base-path: api/v1/report/fct/host_tags, priority: 2.
        Description: REST API to get updates about host tags..
        Object ID: 10, base-path: api/v1/malware/hash, priority: 4.
        Description: REST API to get updates about malware hashes.
        Object ID: 11, base-path: api/v1/clients/action, priority: 3.
        Description: REST API to send client actions.
        Object ID: 12, base-path: api/v1/report/fct/subscribe, priority: 3.
        Description: REST API to subscribe to/unsubscribe from different UIDs..
        Object ID: 13, base-path: api/v1/ztna_certificates/download, priority: 3.
        Description: REST API to get ZTNA certificate..
        Object ID: 14, base-path: api/v1/settings/server/websocket_port, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Worker 0 is idle.
        Worker 1 is idle.
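The diagnose output above is what an operator would check after every EMS change, and it is what a monitoring job should watch so that a silent fall-back to REST polling (slower ZTNA tag propagation) does not go unnoticed. The following parser is an added example, not Fortinet code: it reads captured `diagnose test application fcnacd 2` output, reports whether each EMS context is confirmed and whether updates arrive by WebSocket push or REST polling, and checks that the REST objects needed by the enabled pull-* settings are present and valid. The sample text is an abbreviated copy of the output shown on this page; the mapping from pull-* settings to REST base-paths is inferred from the object descriptions in that output and is an assumption, as is treating any WebSocket status other than connected as fall-back mode (the page shows only connected).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample, abbreviated from the diagnose output shown above. In practice
# capture it over SSH, e.g. `ssh admin@fgt 'diagnose test application fcnacd 2'`.
SAMPLE_OUTPUT = """EMS context status:

FortiClient EMS number 1:
        name: ems139 confirmed: yes
        fetched-serial-number: FCTEMS8821000000

Websocket status: connected

        Object ID: 0, base-path: api/v1/system/serial_number, priority: 0.
        Description: REST API to get EMS Serial Number..
        Not a valid object.
        Object ID: 2, base-path: api/v1/fabric_device_auth/fortigate, priority: 3.
        Description: REST API to send updates regarding FortiGate Serial numbers..
        Not a valid object.
        Object ID: 7, base-path: api/v1/report/fct/vuln, priority: 5.
        Description: REST API to get updates about vulnerabilities..
        Object ID: 9, base-path: api/v1/report/fct/host_tags, priority: 2.
        Description: REST API to get updates about host tags..
        Worker 0 is idle.
        Worker 1 is idle.
"""

# Assumed mapping of pull-* settings to the REST objects that serve them,
# inferred from the object descriptions in the diagnose output.
PULL_ENDPOINTS = {
    "pull-sysinfo": "api/v1/report/fct/sysinfo",
    "pull-vulnerabilities": "api/v1/report/fct/vuln",
    "pull-avatars": "api/v1/report/fct/avatar",
    "pull-tags": "api/v1/report/fct/host_tags",
    "pull-malware-hash": "api/v1/malware/hash",
}

_EMS_RE = re.compile(r"^FortiClient EMS number (\d+):")
_NAME_RE = re.compile(r"^\s*name:\s*(\S+)\s+confirmed:\s*(yes|no)")
_SERIAL_RE = re.compile(r"^\s*fetched-serial-number:\s*(\S+)")
_WS_RE = re.compile(r"^\s*Websocket status:\s*(\S+)")
_OBJ_RE = re.compile(r"^\s*Object ID:\s*(\d+),\s*base-path:\s*([^,\s]+),\s*priority:\s*(\d+)\.")
_INVALID_RE = re.compile(r"^\s*Not a valid object\.")


@dataclass
class EmsStatus:
    index: int
    name: str = ""
    confirmed: bool = False          # "confirmed: yes" after execute fctems verify
    serial: Optional[str] = None     # fetched-serial-number
    websocket: Optional[str] = None  # value of "Websocket status:"
    # (object id, base-path, priority, valid); valid is False when the
    # object is followed by "Not a valid object."
    objects: List[Tuple[int, str, int, bool]] = field(default_factory=list)


def parse_fcnacd_status(text: str) -> List[EmsStatus]:
    """Parse `diagnose test application fcnacd 2` output into one record per EMS context."""
    contexts: List[EmsStatus] = []
    cur: Optional[EmsStatus] = None
    for line in text.splitlines():
        if (m := _EMS_RE.match(line)):
            cur = EmsStatus(index=int(m.group(1)))
            contexts.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first context
        if (m := _NAME_RE.match(line)):
            cur.name, cur.confirmed = m.group(1), m.group(2) == "yes"
        elif (m := _SERIAL_RE.match(line)):
            cur.serial = m.group(1)
        elif (m := _WS_RE.match(line)):
            cur.websocket = m.group(1).lower()
        elif (m := _OBJ_RE.match(line)):
            cur.objects.append((int(m.group(1)), m.group(2), int(m.group(3)), True))
        elif _INVALID_RE.match(line) and cur.objects:
            oid, path, prio, _ = cur.objects[-1]
            cur.objects[-1] = (oid, path, prio, False)
    return contexts


def sync_mode(ems: EmsStatus) -> str:
    """How this FortiGate learns about EMS changes for the given context."""
    if not ems.confirmed:
        return "unverified"        # EMS not yet verified; no trusted sync at all
    if ems.websocket == "connected":
        return "websocket-push"    # EMS pushes notifications, FortiGate fetches via REST
    return "rest-polling"          # fall-back: on-demand REST calls from the FortiGate


def missing_endpoints(ems: EmsStatus, enabled_pulls: Set[str]) -> List[str]:
    """REST base-paths required by enabled pull-* settings that are absent or invalid."""
    valid = {path for _, path, _, ok in ems.objects if ok}
    return [PULL_ENDPOINTS[p] for p in sorted(enabled_pulls) if PULL_ENDPOINTS[p] not in valid]


def findings(contexts: List[EmsStatus]) -> List[str]:
    """Human-readable alerts; empty when every context is verified and on WebSocket push."""
    out = []
    for ems in contexts:
        mode = sync_mode(ems)
        if mode == "unverified":
            out.append(f"{ems.name or ems.index}: not confirmed; run 'execute fctems verify {ems.name}'")
        elif mode == "rest-polling":
            out.append(f"{ems.name}: WebSocket status is {ems.websocket!r}; tag updates fall back to REST polling")
    return out


if __name__ == "__main__":
    for ems in parse_fcnacd_status(SAMPLE_OUTPUT):
        print(ems.name, ems.serial, sync_mode(ems), missing_endpoints(ems, {"pull-tags"}))
    print(findings(parse_fcnacd_status(SAMPLE_OUTPUT)))
```

Feed it the real output rather than the sample and alert on a non-empty `findings()` list; a context that drops from websocket-push to rest-polling after an EMS upgrade or a change to websocket-override is exactly the regression the page's feature is meant to avoid.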