Simplify EMS pairing with Security Fabric so one approval is needed for all devices

FortiClient EMS with Fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, and then silently approve remaining downstream FortiGates in the Fabric. Similarly in an HA scenario, an approval only needs to be made once to the HA primary unit. The remaining cluster members are approved silently.

To use EMS silent approval:

1. Configure the EMS entry on the root FortiGate or HA primary:

   config endpoint-control fctems
       edit "ems139"
           set fortinetone-cloud-authentication disable
           set server "172.16.200.139"
           set https-port 443
           set source-ip 0.0.0.0
           set pull-sysinfo enable
           set pull-vulnerabilities enable
           set pull-avatars enable
           set pull-tags enable
           set pull-malware-hash enable
           unset capabilities
           set call-timeout 30
           set websocket-override disable
       next
   end

   When the entry is created, the capabilities are unset by default.

2. Authenticate the FortiGate with EMS:

   # execute fctems verify ems_139
   ...

   The FortiGate will enable the Fabric authorization and silent approval based on the EMS supported capabilities.

   config endpoint-control fctems
       edit "ems139"
           set server "172.18.62.12"
           set capabilities fabric-auth silent-approval websocket
       next
   end

3. Configure a downstream device in the Security Fabric (see Configuring the root FortiGate and downstream FortiGates for more details). The downstream device will be silently approved.
4. Configure a secondary device in an HA system (see HA active-passive cluster setup and HA active-active cluster setup for more details). The secondary device will be silently approved.