Symantec endpoint connector
With the Fabric connector for Symantec Endpoint Protection Manager (SEPM), you can use the client IP information that SEPM reports to populate dynamic IP addresses on FortiOS.
When communication between FortiGate and SEPM is established, FortiGate polls every minute for updates via TLS over port 8446. You can use the CLI to change the default one minute polling interval.
For example, you can create a dynamic Fabric Connector IP address subtype and use it in firewall policies as the source address. The dynamic IP address contains all IP addresses sent by SEPM.
This example shows a dynamic IP address with SEPM and one client PC managed by SEPM using FortiGate as the default gateway.
To configure SEPM on a managed client PC:
- In SEPM, create client packages for client hosts and group them into SEPM groups.
You can install packages locally on clients or download them directly from SEPM.
- When a package is installed on the client host, the host is considered managed by SEPM.
Even if the host has multiple interfaces, only one IP per host is displayed.
To configure Symantec endpoint connector on FortiGate in the GUI:
- Go to Security Fabric > External Connectors and click Create New:
- In the Endpoint/Identity section, click Symantec Endpoint Protection.
- Fill in the Name, and set the Status and Update Interval.
- Set Server to the SEPM IP address.
- Enter the Username and Password for the server.
- To limit the domain or group that is monitored, enter them in the requisite fields.
- Click OK.
When the connection is established, you can see a green up arrow in the bottom right of the card. You might need to refresh your browser to see the established connection.
- Go to Policy & Objects > Addresses and click Create New > Address:
- Fill in the address Name.
- Set Type to Dynamic.
- Set Sub Type to Fabric Connector Address.
- Set SDN Connector to the fabric connector that you just created.
- Add Filters as needed.
- Click OK.
Filter options are only available for active computers that are configured and registered in SEPM. Free-form filters can be created manually by clicking Create and entering the filter in the format filter_type=value. Possible manual filter types are GroupName, GroupID, ComputerName, ComputerUUID, and OSName. For example: GroupName=MyGroup
- Go to Policy & Objects > Addresses and hover the cursor over the name of the new address to see the resolved IP addresses of the host.
- Go to Policy & Objects > Firewall Policy, click Create New, and add a policy that uses the dynamic IP address.
To verify the configuration:
- On the client PC, check that it is managed by SEPM, then access the Internet.
- On the FortiGate, you can check in Dashboard > FortiView Sources and Log & Report > Forward Traffic.
Because this traffic is not authenticated traffic but is matched on source IP address only, it is not shown in the GUI firewall monitor or in the output of the diagnose firewall auth list CLI command.
To configure Symantec endpoint connector on FortiGate in the CLI:
- Create the fabric connector:
    config system sdn-connector
        edit "sepm-217"
            set type sepm
            set server "172.18.60.217"
            set username "admin"
            set password *********
            set status enable
        next
    end
- Create the dynamic IP address:
    config firewall address
        edit "sepm-ip"
            set type dynamic
            set sdn "sepm-217"
            set filter "ComputerName=win10-1"
            config list
                edit "10.1.100.187"
                next
                edit "10.6.30.187"
                next
                edit "172.16.200.187"
                next
            end
        next
    end
- Add the dynamic IP address to the firewall policy:
    config firewall policy
        edit 1
            set name "pol1"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "sepm-ip"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set logtraffic all
            set fsso disable
            set nat enable
        next
    end
To troubleshoot the Symantec SDN connector in the CLI:
    # diagnose debug application sepmd -1
Output is sent every minute (default). All IPv4 addresses learned from SEPM are listed. IPv6 addresses are also sent by SEPM but are not yet supported, so they are rejected as shown below.
    2019-09-09 12:01:09 sepmd sdn connector sepm-217 start updating IP addresses
    2019-09-09 12:01:09 sepmd checking firewall address object sepm-ip, vd 0
    2019-09-09 12:01:09 sepmd sdn connector sepm-217 finish updating IP addresses
    2019-09-09 12:01:09 sepmd reap child pid: 18079
    2019-09-09 12:02:09 sepmd sdn connector sepm-217 prepare to update
    2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating
    2019-09-09 12:02:09 sepm-217 sdn connector will retrieve token after 9526 secs
    2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 172.16.200.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 10.6.30.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 10.1.100.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
    2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating IP addresses
    2019-09-09 12:02:09 sepmd checking firewall address object sepm-ip, vd 0
    2019-09-09 12:02:09 sepmd sdn connector sepm-217 finish updating IP addresses
    2019-09-09 12:02:09 sepmd reap child pid: 18089
    2019-09-09 12:03:09 sepmd sdn connector sepm-217 prepare to update
    2019-09-09 12:03:09 sepmd sdn connector sepm-217 start updating
    2019-09-09 12:03:09 sepm-217 sdn connector will retrieve token after 9466 secs
    2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 172.16.200.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 10.6.30.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:03:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 10.1.100.187 GroupName My Company\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
    2019-09-09 12:03:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
To list the SEPM daemon SDN connectors:
    # diagnose test application sepmd 1
    sepm SDN connector list:
    name: sepm-217, status: enabled, updater_interval: 60
To list the SEPM daemon SDN filters:
    # diagnose test application sepmd 2
    sepm SDN connector sepm-217 filter list:
    name: sepm-ip, vd 0, filter 'ComputerName=win10-1'
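To check, before a policy goes live, which addresses a given filter_type=value filter from the address configuration above would pull into the dynamic address object, the following added script parses the sym_new_ip_addr records printed by the sepmd debug output above and applies the filter the way the address object does (exact match on one field, IPv4 only). It is an example written for this page, not FortiOS or Symantec code; the sample output is constructed in the shape of the page's debug log (the win10-1 values are the page's own, the srv-1 host and its identifiers are invented).

```python
import ipaddress
import re
from typing import Dict, List

# Filter types the page lists for free-form Fabric Connector address filters.
FILTER_TYPES = {"GroupName", "GroupID", "ComputerName", "ComputerUUID", "OSName"}

# One sym_new_ip_addr record as printed by "diagnose debug application sepmd -1".
# Group names are the filter-type names so a filter key can index the record directly.
RECORD_RE = re.compile(
    r"sym_new_ip_addr ComputerName (?P<ComputerName>.+?) ComputerUuid (?P<ComputerUUID>[^,\s]+), "
    r"OsName (?P<OSName>.+?) IP (?P<IP>\S+) GroupName (?P<GroupName>.+?), "
    r"GroupId (?P<GroupID>[^,\s]+) DomainName (?P<DomainName>.+?), DomainId (?P<DomainID>\S+)"
)

# Constructed sample: win10-1 lines follow the page's log, srv-1 is invented for this example.
SAMPLE_DEBUG_OUTPUT = """\
2019-09-09 12:02:09 sepmd sdn connector sepm-217 start updating
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 172.16.200.187 GroupName My Company\\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName win10-1 ComputerUuid AC894D56-BD86-A786-7DDB-7FD98B718AE0, OsName Windows 10 IP 10.6.30.187 GroupName My Company\\Windows-desktops, GroupId E61FDEA2AC10C80E46D0B31BB58D7CB3 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 sym_new_ip_addr ComputerName srv-1 ComputerUuid 00000000-0000-4000-8000-000000000001, OsName Windows Server 2016 IP 10.1.100.50 GroupName My Company\\Servers, GroupId 00000000000000000000000000000001 DomainName Default, DomainId 6C507580AC10C80E5F3CAED5B1711A8E
2019-09-09 12:02:09 2001:0000:0000:0000:0000:0000:0000:0187 is not in IPv4 presentation format
"""


def is_valid_filter(text: str) -> bool:
    """True for a well-formed single filter of the form filter_type=value."""
    key, sep, value = text.partition("=")
    return bool(sep) and key in FILTER_TYPES and value != ""


def parse_records(output: str) -> List[Dict[str, str]]:
    """Extract every sym_new_ip_addr record; other daemon lines are ignored."""
    return [m.groupdict() for m in map(RECORD_RE.search, output.splitlines()) if m]


def resolve(output: str, filter_text: str) -> List[str]:
    """IPv4 addresses the dynamic address object should contain for this filter."""
    if not is_valid_filter(filter_text):
        raise ValueError(f"unsupported filter: {filter_text!r}")
    key, _, value = filter_text.partition("=")
    addrs = set()
    for rec in parse_records(output):
        if rec[key] != value:
            continue
        ip = ipaddress.ip_address(rec["IP"])
        if ip.version == 4:  # SEPM also sends IPv6, which the address object does not use yet
            addrs.add(ip)
    return [str(ip) for ip in sorted(addrs)]


if __name__ == "__main__":
    print(resolve(SAMPLE_DEBUG_OUTPUT, "ComputerName=win10-1"))
```

Compare the printed list with the config list entries shown under the address object (or with what the GUI shows when you hover over the address name); a host missing here is one SEPM is not reporting, not a policy problem.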
Using a self-signed certificate
Users can explicitly specify a certificate, or a chain of certificates, that FortiGate trusts when connecting to the Symantec Endpoint Protection Manager (SEPM) server, for example a self-signed certificate without a proper SAN.
The following new options are added to the SEPM sdn-connector:
Option | Description
---|---
server-cert | Trust servers that contain this certificate only.
server-ca-cert | Trust only those servers whose certificate is directly or indirectly signed by this certificate.
When these options are set, only the specified certificate or certificate chain is accepted for the SEPM server connection, and a server presenting any other certificate is rejected.
To specify SEPM certificates:
    config system sdn-connector
        edit "sepm-217"
            set type sepm
            set server "172.18.60.217"
            set username "admin"
            set password *********
            set status enable
            set server-cert "REMOTE_Cert_1"
            set server-ca-cert "REMOTE_Cert_2"
        next
    end