Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Simplify EMS pairing with Security Fabric so one approval is needed for all devices

FortiClient EMS with Fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, and then silently approve remaining downstream FortiGates in the Fabric. Similarly in an HA scenario, an approval only needs to be made once to the HA primary unit. The remaining cluster members are approved silently.

To use EMS silent approval:
  1. Configure the EMS entry on the root FortiGate or HA primary:
    config endpoint-control fctems
        edit "ems139"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.139"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end

    When the entry is created, the capabilities are unset by default.

  2. Authenticate the FortiGate with EMS:
    # execute fctems verify ems_139
    ...

    The FortiGate will enable the Fabric authorization and silent approval based on the EMS supported capabilities.

    config endpoint-control fctems
        edit "ems139"
            set server "172.18.62.12"
            set capabilities fabric-auth silent-approval websocket
        next
    end
  3. Configure a downstream device in the Security Fabric (see Configuring the root FortiGate and downstream FortiGates for more details). The downstream device will be silently approved.
  4. Configure a secondary device in an HA system (see HA active-passive cluster setup and HA active-active cluster setup for more details). The secondary device will be silently approved.

Simplify EMS pairing with Security Fabric so one approval is needed for all devices

FortiClient EMS with Fabric authorization and silent approval capabilities will be able to approve the root FortiGate in a Security Fabric once, and then silently approve remaining downstream FortiGates in the Fabric. Similarly in an HA scenario, an approval only needs to be made once to the HA primary unit. The remaining cluster members are approved silently.

To use EMS silent approval:
  1. Configure the EMS entry on the root FortiGate or HA primary:
    config endpoint-control fctems
        edit "ems139"
            set fortinetone-cloud-authentication disable
            set server "172.16.200.139"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end

    When the entry is created, the capabilities are unset by default.

  2. Authenticate the FortiGate with EMS:
    # execute fctems verify ems_139
    ...

    The FortiGate will enable the Fabric authorization and silent approval based on the EMS supported capabilities.

    config endpoint-control fctems
        edit "ems139"
            set server "172.18.62.12"
            set capabilities fabric-auth silent-approval websocket
        next
    end
  3. Configure a downstream device in the Security Fabric (see Configuring the root FortiGate and downstream FortiGates for more details). The downstream device will be silently approved.
  4. Configure a secondary device in an HA system (see HA active-passive cluster setup and HA active-active cluster setup for more details). The secondary device will be silently approved.