
Administration Guide

Establish device identity and trust context with FortiClient EMS

How device identity is established through client certificates, and how device trust context is established between FortiClient, FortiClient EMS, and the FortiGate, are integral to ZTNA.

Device roles

FortiClient

FortiClient endpoints provide the following information to FortiClient EMS when they register to the EMS:

  • Device information (network details, operating system, model, and others)

  • Logged on user information

  • Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)

It also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA) when it registers to FortiClient EMS. The client uses this certificate to identify itself to the FortiGate.

FortiClient EMS

FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial number. The certificate is then synchronized to the FortiGate. EMS also shares its EMS ZTNA CA certificate with the FortiGate, so that the FortiGate can use it to authenticate the clients.

FortiClient EMS uses zero trust tagging rules to tag endpoints based on the information that it has on each endpoint. The tags are also shared with the FortiGate. See Endpoint Posture Check Reference for a list of the endpoint posture checks that EMS can perform.

Note

Each ZTNA tag creates two firewall addresses in all VDOMs on a FortiGate. One firewall address is the IP address, and the other firewall address is the MAC address. Because each FortiGate model has a global limit and a per-VDOM limit for the maximum number of supported firewall addresses, the FortiGate model determines the maximum number of ZTNA tags allowable by that unit, which is the maximum number of firewall addresses divided by two. For each FortiGate model's limit, see the Maximum Values table.

FortiGate

The FortiGate maintains a continuous connection to the EMS server to synchronize endpoint device information, including primarily:

  • FortiClient UID

  • Client certificate SN

  • EMS SN

  • Device credentials (user/domain)

  • Network details (IP and MAC address and routing to the FortiGate)

When a device's information changes, such as when a client moves from on-net to off-net, or their security posture changes, EMS is updated with the new device information and then updates the FortiGate. The FortiGate's WAD daemon can use this information when processing ZTNA traffic. If an endpoint's security posture change causes it to no longer match the ZTNA rule criteria on an existing session, then the session is terminated.

Certificate management on FortiClient EMS

FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing updates to the FortiGate and FortiClient endpoints by generating new certificates for each client.

Note

Do not confuse the EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server certificate that is used by EMS for HTTPS access and fabric connectivity to the EMS server.

EMS can also manage individual client certificates. To revoke the current client certificate that is used by the endpoint: go to Endpoint > All Endpoints, select the client, and click Action > Revoke Client Certificate.

Locating and viewing the client certificate on an endpoint

In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on EMS and the FortiGate.

To locate certificates on other operating systems, consult the vendor documentation.

To locate the client certificate and EMS ZTNA CA certificate on a Windows PC:
  1. In the Windows search box, enter user certificate and click Manage user certificates from the results.

  2. In the certificate manager, go to Certificates - Current User > Personal > Certificates and find the certificate that is issued by the FortiClient EMS.

  3. Right-click on it and select Properties.

  4. The General tab shows the client certificate UID and the issue and expiry dates. The Details tab shows the certificate SN.

  5. Go to the Certificate Path tab to see the full certificate chain.

  6. Select the root CA and click View Certificate to view the details about the EMS ZTNA CA certificate.

Verifying that the client information is synchronized to the FortiGate

The following diagnose commands help to verify the presence of a matching endpoint record, and of information such as the client UID, client certificate SN, and EMS certificate SN on the FortiGate. If any of this information is missing or incomplete, client certificate authentication might fail because the corresponding endpoint entry is not found. More in-depth diagnosis would then be needed to determine why the records are missing.

Command / Description

# diagnose endpoint record list <ip>
    Show the endpoint record list. Optionally, filter by the endpoint IP address.

# diagnose endpoint lls-comm send ztna find-uid <uid>
    Query endpoints by client UID.

# diagnose endpoint lls-comm send ztna find-ip-vdom <ip> <vdom>
    Query endpoints by the client IP-VDOM pair.

# diagnose wad dev query-by uid <uid>
    Query from WAD diagnose command by UID.

# diagnose wad dev query-by ipv4 <ip>
    Query from WAD diagnose command by IP address.

# diagnose test application fcnacd 7
# diagnose test application fcnacd 8
    Check the FortiClient NAC daemon ZTNA and route cache.

To check the endpoint record list for IP address 10.6.30.214:
# diagnose endpoint record list 10.6.30.214
Record #1:
                IP Address = 10.6.30.214
                MAC Address = 00:0c:29:ba:1e:61
                MAC list = 00:0c:29:ba:1e:61;00:0c:29:ba:1e:6b;
                VDOM = root (0)
                EMS serial number: FCTEMS8821001322  
                Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64   
                Quarantined: no
                Online status: online
                Registration status: registered
                On-net status: on-net
                Gateway Interface: port2
                FortiClient version: 7.0.0
                AVDB version: 84.778
                FortiClient app signature version: 18.43
                FortiClient vulnerability scan engine version: 2.30
                FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD  
                …
                Number of Routes: (1)
                        Gateway Route #0:
                                - IP:10.1.100.214, MAC: 00:0c:29:ba:1e:6b, Indirect: no
                                - Interface:port2, VFID:0, SN: FG5H1E5819902474
online records: 1; offline records: 0; quarantined records: 0
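An added example, not part of the Fortinet guide: a small Python parser for the diagnose endpoint record list output above that flags records missing the FortiClient UID, client certificate SN or EMS serial number, and compares a record with the UID and SN read from the client certificate on the endpoint. The sample output is constructed from the page's example values, and Record #2 is a constructed record with the ZTNA fields missing.

```python
import re

# Constructed sample modelled on the diagnose output above (the page's
# example values, trimmed). Record #2 deliberately lacks the ZTNA fields.
SAMPLE_OUTPUT = """\
Record #1:
                IP Address = 10.6.30.214
                EMS serial number: FCTEMS8821001322
                Client cert SN: 17FF6595600A1AF53B87627AB4EBEDD032593E64
                Registration status: registered
                FortiClient UID: 5FCFA3ECDE4D478C911D9232EC9299FD
Record #2:
                IP Address = 10.6.30.215
                Registration status: registered
online records: 2; offline records: 0; quarantined records: 0
"""

# Fields the FortiGate needs to locate the endpoint entry during client
# certificate authentication.
REQUIRED = ("FortiClient UID", "Client cert SN", "EMS serial number")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*[:=]\s*(.*?)\s*$")

def parse_records(text):
    """One dict per 'Record #N' block; indented 'key: value' / 'key = value' lines."""
    records = []
    for line in text.splitlines():
        if line.startswith("Record #"):
            records.append({})
            continue
        m = FIELD_RE.match(line)
        if records and m and line[:1].isspace():
            records[-1][m.group(1)] = m.group(2)
    return records

def find_record(records, ip):
    """Record for an endpoint IP, or None when the FortiGate has no entry."""
    return next((r for r in records if r.get("IP Address") == ip), None)

def missing_fields(record):
    """Required fields absent or empty; any hit means the client cert cannot be matched."""
    return [f for f in REQUIRED if not record.get(f)]

def matches_endpoint_cert(record, uid, cert_sn, ems_sn):
    """Compare the record with the UID and SN shown by the endpoint's certificate
    manager and the EMS serial number; hex values compare case-insensitively."""
    return (record.get("FortiClient UID", "").upper() == uid.upper()
            and record.get("Client cert SN", "").upper() == cert_sn.upper()
            and record.get("EMS serial number") == ems_sn)
```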
