FortiClient EMS with Fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, and then silently approve remaining downstream FortiGates in the Fabric. Similarly in an HA scenario, an approval only needs to be made once to the HA primary unit. The remaining cluster members are approved silently.
To use EMS silent approval:
- Configure the EMS entry on the root FortiGate or HA primary:
config endpoint-control fctems edit "ems139" set fortinetone-cloud-authentication disable set server "172.16.200.139" set https-port 443 set source-ip 0.0.0.0 set pull-sysinfo enable set pull-vulnerabilities enable set pull-avatars enable set pull-tags enable set pull-malware-hash enable unset capabilities set call-timeout 30 set websocket-override disable next end
When the entry is created, the capabilities are unset by default.
- Authenticate the FortiGate with EMS:
# execute fctems verify ems_139 ...
The FortiGate will enable the Fabric authorization and silent approval based on the EMS supported capabilities.
config endpoint-control fctems edit "ems139" set server "172.18.62.12" set capabilities fabric-auth silent-approval websocket next end
- Configure a downstream device in the Security Fabric (see Configuring the root FortiGate and downstream FortiGates for more details). The downstream device will be silently approved.
- Configure a secondary device in an HA system (see HA active-passive cluster setup and HA active-active cluster setup for more details). The secondary device will be silently approved.