7.2.5

Connect the FortiGate to EMS

FortiGate must securely connect to FortiClient EMS in order to protect the synchronization of endpoint and ZTNA tag information. As such, the FortiGate must have a trusted certificate chain for the EMS server certificate. The first step before connecting to EMS is to upload the CA certificate, if the EMS server certificate is not signed by a public CA.

To manually upload the CA certificate on the FortiGate:
  1. Go to System > Certificates.

  2. Click Create/Import > CA Certificate to import a certificate.

    The imported certificate will appear under Remote CA Certificate as CA_Cert_1.

  3. (Optional) The certificate can be renamed in the CLI using the following command:

    config vpn certificate ca
        rename CA_Cert_1 to <new name of cert>
    end

Next, using the Fabric Connector GUI on the FortiGate, configure the EMS fabric connector to connect to FortiClient EMS. As part of the connection process, the FortiGate verifies the certificate chain of the EMS server certificate against its trusted CA store. Administrators must also examine the presented server certificate themselves (issuer, subject and fingerprint, compared against what the EMS administrator published) and explicitly accept it before the connector is used.

To configure the FortiGate EMS Fabric connector:
  1. Go to Security Fabric > Fabric Connectors.

  2. In the Core Network Security Connectors page, double-click FortiClient EMS to open the FortiClient EMS Settings pane.

  3. Under EMS 1, enable Status.

  4. Configure the settings for your EMS server:

    Name                            Name of this EMS connector entry
    IP/Domain name                  IP address or hostname of the EMS server (use the name the EMS server certificate was issued to)
    HTTPS port                      443 (default)
    EMS threat feed                 Enable to receive malware hashes from EMS for use in FortiGate AV
    Synchronize firewall addresses  Must be enabled to pull ZTNA tags from EMS
  5. Click OK. A pane opens showing the EMS server certificate.

  6. Verify the EMS server certificate (issuer, subject and fingerprint) against the values you expect, then click Accept. A second pane appears asking you to authorize the FortiGate in EMS.

  7. Click Authorize to open the FortiClient EMS login page in a new window. You can authorize the FortiGate from there.

  8. Alternatively, log in to EMS in another browser window to authorize.

  9. Once logged in, a dialog is displayed requesting to authorize the FortiGate. Select Authorize.

  10. Alternatively, navigate to Administration > Fabric Devices to authorize the FortiGate.

To verify ZTNA tags on the FortiGate:
  1. Go to Policy & Objects > ZTNA and then navigate to the ZTNA Tags tab.

    ZTNA tags that were created in EMS are displayed on the page.

    The ZTNA tags do not have any matched endpoints yet. Once ZTNA policies are set up and a connection is made, the endpoints will be populated on their associated tags.
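The same workflow expressed in the FortiOS CLI, as an added example that is not part of this page or of Fortinet's documentation. It assumes an EMS server reachable at ems.example.com on the default HTTPS port, a TFTP server at 192.0.2.10 holding the private CA file ems-root-ca.crt, and a connector named EMS; substitute your own values. The verify and diagnose commands at the end are the checks a practitioner runs after accepting the certificate and authorizing the FortiGate in EMS.

```fortios
# --- 1. Import the private CA that signed the EMS server certificate ---
# Only needed when EMS does not use a publicly trusted certificate.
# Assumed: ems-root-ca.crt is served by a TFTP server at 192.0.2.10.
execute vpn certificate ca import tftp ems-root-ca.crt 192.0.2.10

# Rename the imported CA (it arrives as CA_Cert_1) to something meaningful.
config vpn certificate ca
    rename CA_Cert_1 to EMS_Root_CA
end

# --- 2. Define the EMS Fabric connector (CLI equivalent of the GUI pane) ---
# Assumed hostname: ems.example.com. Use the name on the EMS certificate, not a bare IP,
# so the chain check you accept below is tied to the identity you intend to trust.
config endpoint-control fctems
    edit 1
        set name "EMS"
        set server "ems.example.com"
        set https-port 443
        set pull-malware-hash enable    # GUI: EMS threat feed
        set pull-tags enable            # GUI: Synchronize firewall addresses (required for ZTNA tags)
        set status enable               # GUI: EMS 1 > Status
    next
end

# --- 3. Verify and accept the EMS server certificate ---
# Displays the presented certificate and prompts for acceptance. Inspect the issuer,
# subject and fingerprint before answering: refuse if the chain does not terminate
# in EMS_Root_CA or the fingerprint differs from what the EMS administrator published.
execute fctems verify EMS

# --- 4. After authorizing the FortiGate in EMS (Administration > Fabric Devices) ---
# Confirm the connector is authorized and the REST/websocket session is up.
diagnose endpoint fctems test-connectivity EMS

# Confirm the ZTNA tags were synchronized as dynamic address objects.
diagnose firewall dynamic list
```

If `execute fctems verify` reports an untrusted chain, fix the CA import first rather than accepting the certificate; accepting an unverified certificate turns the tag and threat-feed synchronization into a channel an attacker who can spoof the EMS hostname could feed.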

For more information about connecting the FortiGate to EMS, see Configuring FortiClient EMS.
