Administration Guide

Synchronizing FortiClient ZTNA tags

ZTNA tags (formerly FortiClient EMS tags in FortiOS 6.4 and earlier) are tags synchronized from FortiClient EMS as dynamic address objects on the FortiGate. FortiClient EMS uses zero-trust tagging rules to automatically tag managed endpoints based on various attributes detected by the FortiClient. When the FortiGate establishes a connection with the FortiClient EMS server via the EMS Fabric connector, it pulls zero-trust tags containing device IP and MAC addresses and converts them to read-only dynamic address objects. It also establishes a persistent WebSocket connection to monitor for changes in zero-trust tags, which keeps the device information current. These ZTNA tags can then be used in ZTNA rules, firewall rules, and NAC policies to perform security posture checks. ZTNA tags are displayed in the Device Inventory widget, FortiClient widget, and Asset Identity Center page.

When using WebSocket, EMS pushes notifications to the corresponding FortiGate when there are updates to tags or other monitored attributes. The FortiGate then fetches the updated information using the REST API over TCP/8013. When WebSocket is not used (due to an override or unsupported EMS version), updates are triggered on demand from the FortiGate side over the REST API.

If the WebSocket capability is detected, the capabilities setting will automatically display the WebSocket option. You can use the diagnose test application fcnacd 2 command to view the status of the WebSocket connection.

In the following example, the FortiGate connects to and retrieves ZTNA tags from a FortiClient EMS configured with tagging rules. It is assumed that zero-trust tags and rules are already created on the FortiClient EMS. For more information, see the Zero Trust Tags section of the EMS Administration Guide.

To verify zero-trust tags in FortiClient EMS:
  1. Go to Zero Trust Tags > Zero Trust Tagging Rules to view the tags.

  2. Go to Zero Trust Tags > Zero Trust Tag Monitor to view the registered users who match the defined tag.

To configure the EMS Fabric connector to synchronize ZTNA tags in the GUI:
  1. Configure the EMS Fabric connector:
    1. On the root FortiGate, go to Security Fabric > Fabric Connectors.
    2. Click Create New and click FortiClient EMS.
    3. Enable Synchronize firewall addresses.

    4. Configure the other settings as needed and validate the certificate.
    5. Click OK.
  2. Enable ZTNA:
    1. Go to System > Feature Visibility and enable Zero Trust Network Access.
    2. Click Apply.
  3. Go to Policy & Objects > ZTNA and select the ZTNA Tags tab. You will see the ZTNA IP and ZTNA MAC tags synchronized from the FortiClient EMS.

To configure the EMS Fabric connector to synchronize ZTNA tags in the CLI:
  1. Configure the EMS Fabric connector on the root FortiGate:
    config endpoint-control fctems
        edit "WIN10-EMS"
            set server "192.168.20.10"
            set https-port 443
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            set capabilities fabric-auth silent-approval websocket
        next
    end
  2. Verify which IPs the dynamic firewall address resolves to:
    # diagnose firewall dynamic list
    List all dynamic addresses:
    FCTEMS0000100000_all_registered_clients: ID(51)
            ADDR(172.17.194.209)
            ADDR(10.10.10.20)
    …
    
    FCTEMS0000100000_Low: ID(78)
            ADDR(172.17.194.209)
            ADDR(10.10.10.20)
    …
    
    FCTEMS0000100000_Malicious-File-Detected: ID(190)
            ADDR(172.17.194.209)
            ADDR(10.10.10.20)
    …
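The diagnostic output above is what an administrator reads to confirm that a ZTNA tag resolved to the expected endpoints. The following script is an added example, not part of the Fortinet guide or FortiOS: it parses text in the same format (captured, for instance, from the CLI or a scripted SSH session), builds a map from tag name to address set, and runs two posture checks a practitioner typically wants, which addresses carry a given tag, and which registered endpoints match no posture tag at all or appear in a tag without being in the all-registered-clients tag (a sign of a stale or partial sync). The sample output and the extra addresses in it are constructed for the example; the tag names mirror the ones shown in the guide.

```python
"""Parse `diagnose firewall dynamic list` output and audit ZTNA tag membership.

Added example; not FortiOS code. Input format is modelled on the guide's output.
"""
import re
from typing import Dict, List, Set

# Constructed sample (not a real capture). The 10.10.10.21/.22 entries are
# added so that the audit functions below have something to report.
SAMPLE_OUTPUT = """\
List all dynamic addresses:
FCTEMS0000100000_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(10.10.10.20)
        ADDR(10.10.10.21)
        ADDR(10.10.10.22)

FCTEMS0000100000_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(10.10.10.20)

FCTEMS0000100000_Malicious-File-Detected: ID(190)
        ADDR(10.10.10.20)
        ADDR(10.10.10.21)
        ADDR(10.10.10.99)
"""

REGISTERED_TAG = "FCTEMS0000100000_all_registered_clients"

# A tag header looks like "<name>: ID(<n>)"; an address line like "ADDR(<ip>)".
HEADER_RE = re.compile(r"^(\S+): ID\((\d+)\)\s*$")
ADDR_RE = re.compile(r"^\s+ADDR\(([^)]+)\)\s*$")


def parse_dynamic_list(text: str) -> Dict[str, Set[str]]:
    """Return {tag_name: set(addresses)} from the diagnostic output."""
    tags: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            tags[current] = set()
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            tags[current].add(m.group(1))
    return tags


def tags_for_address(tags: Dict[str, Set[str]], addr: str) -> List[str]:
    """All tags that currently resolve to the given address."""
    return sorted(name for name, addrs in tags.items() if addr in addrs)


def addresses_in_both(tags: Dict[str, Set[str]], a: str, b: str) -> List[str]:
    """Endpoints carrying both tags, e.g. a 'Low' risk tag and a malware tag."""
    return sorted(tags.get(a, set()) & tags.get(b, set()))


def audit(tags: Dict[str, Set[str]], registered_tag: str = REGISTERED_TAG) -> Dict[str, List[str]]:
    """Two consistency checks against the all-registered-clients tag.

    untagged_registered: registered endpoints that match no posture tag, so a
        policy keyed on tags will never see them.
    tagged_but_unregistered: addresses in a posture tag that are not in the
        registered set, which usually indicates a stale entry after a sync change.
    """
    registered = tags.get(registered_tag, set())
    posture: Set[str] = set()
    for name, addrs in tags.items():
        if name != registered_tag:
            posture |= addrs
    return {
        "untagged_registered": sorted(registered - posture),
        "tagged_but_unregistered": sorted(posture - registered),
    }


if __name__ == "__main__":
    parsed = parse_dynamic_list(SAMPLE_OUTPUT)
    for name, addrs in parsed.items():
        print(f"{name}: {len(addrs)} address(es)")
    print("conflicts:", addresses_in_both(parsed, "FCTEMS0000100000_Low",
                                          "FCTEMS0000100000_Malicious-File-Detected"))
    print("audit:", audit(parsed))
```

The parser keys on the two line shapes the guide shows and ignores everything else, so the "List all dynamic addresses:" banner and any truncation markers pass through harmlessly; if a later FortiOS release changes the header layout, only HEADER_RE needs adjusting.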
