Establish device identity and trust context with FortiClient EMS
How device identity is established through client certificates, and how device trust context is established between FortiClient, FortiClient EMS, and the FortiGate, are integral to ZTNA.
Device roles
FortiClient
FortiClient endpoints provide the following information to FortiClient EMS when they register to the EMS:
- Device information (network details, operating system, model, and others)
- Logged on user information
- Security posture (On-net/Off-net, antivirus software, vulnerability status, and others)
It also requests and obtains a client device certificate from the EMS ZTNA Certificate Authority (CA) when it registers to FortiClient EMS. The client uses this certificate to identify itself to the FortiGate.
FortiClient EMS
FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial number. The certificate is then synchronized to the FortiGate. EMS also shares its EMS ZTNA CA certificate with the FortiGate, so that the FortiGate can use it to authenticate the clients.
FortiClient EMS uses zero trust tagging rules to tag endpoints based on the information that it has on each endpoint. The tags are also shared with the FortiGate. See Endpoint Posture Check Reference for a list of the endpoint posture checks that EMS can perform.
Each ZTNA tag creates two firewall addresses in all VDOMs on a FortiGate: one firewall address for the IP address and one for the MAC address. Because each FortiGate model has a global limit and a per-VDOM limit on the maximum number of supported firewall addresses, the FortiGate model determines the maximum number of ZTNA tags that the unit allows, which is the maximum number of firewall addresses divided by two. For each FortiGate model's limit, see the Maximum Values table.
FortiGate
The FortiGate maintains a continuous connection to the EMS server to synchronize endpoint device information, including primarily:
- FortiClient UID
- Client certificate SN
- EMS SN
- Device credentials (user/domain)
- Network details (IP and MAC address and routing to the FortiGate)
When a device's information changes, such as when a client moves from on-net to off-net, or their security posture changes, EMS is updated with the new device information and then updates the FortiGate. The FortiGate's WAD daemon can use this information when processing ZTNA traffic. If an endpoint's security posture change causes it to no longer match the ZTNA policy criteria on an existing session, then the session is terminated.
Certificate management on FortiClient EMS
FortiClient EMS has a default_ZTNARootCA certificate generated by default that the ZTNA CA uses to sign CSRs from the FortiClient endpoints. Clicking the refresh button revokes and updates the root CA, forcing updates to the FortiGate and FortiClient endpoints by generating new certificates for each client.
Do not confuse the EMS CA certificate (ZTNA) with the SSL certificate. The latter is the server certificate that is used by EMS for HTTPS access and fabric connectivity to the EMS server.
EMS can also manage individual client certificates. To revoke the current client certificate that is used by the endpoint: go to Endpoint > All Endpoints, select the client, and click Action > Revoke Client Certificate.
Locating and viewing the client certificate on an endpoint
In Windows, FortiClient automatically installs certificates into the certificate store. The certificate information in the store, such as certificate UID and SN, should match the information on EMS and the FortiGate.
To locate certificates on other operating systems, consult the vendor documentation.
To locate the client certificate and EMS ZTNA CA certificate on a Windows PC:
1. In the Windows search box, enter user certificate and click Manage user certificates from the results.
2. In the certificate manager, go to Certificates - Current User > Personal > Certificates and find the certificate that is issued by the FortiClient EMS.
3. Right-click on it and select Properties.
4. The General tab shows the client certificate UID and the issue and expiry dates. The Details tab shows the certificate SN.
5. Go to the Certificate Path tab to see the full certificate chain.
6. Select the root CA and click View Certificate to view the details about the EMS ZTNA CA certificate.
Verifying that the client information is synchronized to the FortiGate
The following diagnose commands help to verify that a matching endpoint record is present on the FortiGate, and that information such as the client UID, client certificate SN, and EMS certificate SN is populated. If any of this information is missing or incomplete, client certificate authentication might fail because the corresponding endpoint entry is not found. More in-depth diagnosis would then be needed to determine the reason for the missing records.
| Command | Description |
|---|---|
| # diagnose endpoint record list <ip> | Show the endpoint record list. Optionally, filter by the endpoint IP address. |
| # diagnose wad dev query-by uid <uid> <ems sn> <ems tenant id> | Query from WAD diagnose command by UID. |
| # diagnose wad dev query-by ipv4 <ip> | Query from WAD diagnose command by IP address. |
| # diagnose test application fcnacd 7 and # diagnose test application fcnacd 8 | Check the FortiClient NAC daemon ZTNA and route cache. |
| # diagnose test application fcnacd 5 | Force a sync with the FortiClient EMS server. |
To check the endpoint record list for IP address 10.0.3.2:
```
# diagnose endpoint record list 10.0.3.2
Record #1:
    IP Address = 10.0.3.2
    MAC Address = 02:09:0f:00:03:03
    MAC list =
    VDOM = (-1)
    EMS serial number: FCTEMS8822001975
    EMS tenant id: 00000000000000000000000000000000
    Client cert SN: 2B8D4FF0E71FE7E064288FE1B4F87E25232092D0
    Public IP address: 34.23.223.220
    Quarantined: no
    Online status: online
    Registration status: registered
    On-net status: on-net
    Gateway Interface:
    FortiClient version: 7.2.0
    AVDB version: 1.0
    FortiClient app signature version: 23.544
    FortiClient vulnerability scan engine version: 2.34
    FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA
    …
    Number of Routes: (0)
online records: 1; offline records: 0; quarantined records: 0; out-of-sync records: 0
```
To check the tags that are processed by the WAD daemon for a particular device:
```
# diagnose wad dev query-by uid 9A016B5A6E914B42AD4168C066EB04CA FCTEMS8822001975 00000000000000000000000000000000
Attr of type=0, length=83, value(ascii)=9A016B5A6E914B42AD4168C066EB04CA
Attr of type=4, length=0, value(ascii)=
Attr of type=6, length=1, value(ascii)=true
Attr of type=5, length=40, value(ascii)=2B8D4FF0E71FE7E064288FE1B4F87E25232092D0
Attr of type=3, length=66, value(ascii)=ZTNA_Domain-Users_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=68, value(ascii)=ZTNA_Remote-Allowed_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=83, value(ascii)=ZTNA_Group-Membership-Domain-Users_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=58, value(ascii)=CLASS_Low_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=77, value(ascii)=ZTNA_Malicious-File-Detected_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=61, value(ascii)=CLASS_Remote_FCTEMS882200197500000000000000000000000000000000
Attr of type=3, length=76, value(ascii)=ZTNA_all_registered_clients_FCTEMS882200197500000000000000000000000000000000
Response termination due to no more data
```
To check the FortiClient NAC daemon (fcnacd) cache:
```
# diagnose test application fcnacd 7
Entry #1:
    - UID: 9A016B5A6E914B42AD4168C066EB04CA
    - EMS Fabric ID: FCTEMS8822001975:00000000000000000000000000000000
    - Sys upd time: 2023-05-03 16:48:15.1107479
    - Tag upd time: 2023-05-03 16:48:15.1107479
lls_idx_mask = 0x00000001
#ID:0 UID: 9A016B5A6E914B42AD4168C066EB04CA
State: sysinfo:1, tag:1, tagsz:1, out-of-sync:0
Owner:
Cert SN: 2B8D4FF0E71FE7E064288FE1B4F87E25232092D0
online: Yes
Route IP:0.0.0.0 vfid: 0 has more:No
Tags:
    idx:0, ttdl:1 name:Domain-Users
    idx:1, ttdl:1 name:Remote-Allowed
    idx:2, ttdl:1 name:Group-Membership-Domain-Users
    idx:3, ttdl:2 name:Low
    idx:4, ttdl:1 name:Malicious-File-Detected
    idx:5, ttdl:2 name:Remote
    idx:6, ttdl:1 name:all_registered_clients
```
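The same consistency check can be scripted. The following Python example is added here and is not part of the FortiOS documentation: it parses captured output of the two diagnose commands above and compares the UID and certificate SN against the values read from the endpoint's certificate store, reporting any field that is missing or differs. The sample output, the UID and all serial numbers are constructed placeholders.

```python
import re

# Constructed samples in the shape of the FortiGate diagnose output shown above
# (placeholder UID, serials and tenant id, not a real endpoint).
ENDPOINT_RECORD = """\
Record #1:
    EMS serial number: FCTEMS0000000000
    EMS tenant id: 00000000000000000000000000000000
    Client cert SN: 0123456789ABCDEF0123456789ABCDEF01234567
    FortiClient UID: 00000000000000000000000000000001
"""
FCNACD_CACHE = """\
Entry #1:
    - UID: 00000000000000000000000000000001
    - EMS Fabric ID: FCTEMS0000000000:00000000000000000000000000000000
Cert SN: 0123456789ABCDEF0123456789ABCDEF01234567
"""

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_endpoint_record(text):
    """Identity fields from 'diagnose endpoint record list' that WAD matches the client cert against."""
    return {"uid": _grab(r"FortiClient UID:\s*(\S+)", text), "cert_sn": _grab(r"Client cert SN:\s*(\S+)", text),
            "ems_sn": _grab(r"EMS serial number:\s*(\S+)", text), "ems_tenant": _grab(r"EMS tenant id:\s*(\S+)", text)}

def parse_fcnacd_cache(text):
    """Same fields from 'diagnose test application fcnacd 7'; EMS Fabric ID packs serial:tenant."""
    ems_sn, _, tenant = (_grab(r"EMS Fabric ID:\s*(\S+)", text) or "").partition(":")
    return {"uid": _grab(r"-\s*UID:\s*(\S+)", text), "cert_sn": _grab(r"Cert SN:\s*(\S+)", text),
            "ems_sn": ems_sn or None, "ems_tenant": tenant or None}

def check_sync(client_uid, client_cert_sn, record_text, cache_text):
    """Return mismatches between the certificate seen on the endpoint and both FortiGate views;
    an empty list means the record needed for client certificate authentication is present."""
    views = {"endpoint record": parse_endpoint_record(record_text),
             "fcnacd cache": parse_fcnacd_cache(cache_text)}
    problems = []
    for name, view in views.items():
        for key, expected in (("uid", client_uid), ("cert_sn", client_cert_sn)):
            if view[key] is None:
                problems.append(f"{name}: {key} missing")
            elif view[key].upper() != expected.upper():
                problems.append(f"{name}: {key} {view[key]} != {expected}")
    rec, cache = views["endpoint record"], views["fcnacd cache"]
    if (rec["ems_sn"], rec["ems_tenant"]) != (cache["ems_sn"], cache["ems_tenant"]):
        problems.append("EMS SN/tenant differ between endpoint record and fcnacd cache")
    return problems
```

Feed it the UID and SN shown in the Windows certificate manager together with the pasted output of the two commands; a non-empty result points at the view whose record is missing or stale.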
ZTNA scalability support for concurrent endpoints
ZTNA scalability supports up to 50 thousand concurrent endpoints. Communication between FortiOS and FortiClient EMS uses efficient queries that request only incremental updates. Retrieved device information can be written to the FortiClient NAC daemon cache.
FortiOS can receive tag information from the EMS common tags API. This feature requires FortiClient EMS 7.0.3 or later.
The APIs api/v1/report/fct/uid_tags and api/v1/report/fct/tags replace the API api/v1/report/fct/host_tags.
To use the common tags API capability:
1. Enable the common tags API when connecting the EMS:
```
config endpoint-control fctems
    edit "local.ems"
        set server "10.6.30.213"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
    next
end
```
2. The FortiGate uses the new APIs to obtain device information from the EMS:
```
[ec_ems_context_submit_work:414] Call submitted successfully. obj-id: 11, desc: REST API to get updates of tag endpoints., entry: api/v1/report/fct/tags.
[ec_ems_context_submit_work:414] Call submitted successfully. obj-id: 12, desc: REST API to get updates of tags associated with FCT UID., entry: api/v1/report/fct/uid_tags.
[ec_ez_worker_process:334] Processing call for obj-id: 11, entry: "api/v1/report/fct/tags"
[dynamic_addr_ha_act:215] called (EMS SN N/A).
[dynamic_addr_ha_act:215] called (EMS SN N/A).
[ec_ez_worker_process:441] Call completed successfully. obj-id: 11, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".
[ec_ez_worker_process:334] Processing call for obj-id: 12, entry: "api/v1/report/fct/uid_tags"
[ec_record_sync_tags_info_store:1419] Received 1 tags for 3D86DF70B85E16CBAD67908A897B4494 with sn FCTEMS8888888888
[ec_record_sync_tags_info_store:1419] Received 1 tags for DA12930442F13F84D2441F03FCB6A10E with sn FCTEMS8888888888
[ec_record_sync_tags_info_store:1419] Received 1 tags for 25C59C275F257F4C5FBC7F6F5F56788E with sn FCTEMS8888888888
[ec_ez_worker_process:441] Call completed successfully. obj-id: 12, desc: "REST API to get updates of tags associated with FCT UID.", entry: "api/v1/report/fct/uid_tags".
[ec_ems_context_submit_work:414] Call submitted successfully. obj-id: 7, desc: REST API to get updates about system info., entry: api/v1/report/fct/sysinfo.
[ec_ems_context_submit_work:414] Call submitted successfully. obj-id: 11, desc: REST API to get updates of tag endpoints., entry: api/v1/report/fct/tags.
[ec_ez_worker_process:334] Processing call for obj-id: 11, entry: "api/v1/report/fct/tags"
[ec_ez_worker_process:441] Call completed successfully. obj-id: 11, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".
(......)
```
3. Confirm that the device information from the EMS is written to the FortiClient NAC daemon cache:
```
# diagnose endpoint record list
...
    Avatar source: OS
    Phone number:
    Number of Routes: (1)
    Gateway Route #0:
        - IP:10.1.91.6, MAC: 4f:8d:c2:73:dd:fe, Indirect: no
        - Interface:port2, VFID:1, SN: FG5H1E5999999999
online records: 37174; offline records: 0; quarantined records: 0; out-of-sync records: 0
```
4. Use the tags that are pulled from the EMS in a firewall address:
```
config firewall address
    edit "FCTEMS8888888888_ZT_AD_MGMT"
        set type dynamic
        set sub-type ems-tag
        set obj-tag "ZT_AD_MGMT"
        set tag-type "zero_trust"
    next
end
```
5. Check the tags' resolved IP and MAC addresses:
```
# diagnose firewall fqdn getinfo-ip FCTEMS8888888888_ZT_AD_MGMT
getinfo FCTEMS8888888888_ZT_AD_MGMT id:114 generation:106 count:187 data_len:6160 flag 0

# diagnose firewall fqdn getinfo-mac MAC_FCTEMS8888888888_ZT_AD_MGMT
getinfo MAC_FCTEMS8888888888_ZT_AD_MGMT id:163 generation:105 count:371 data_len:2226 flag 0

# diagnose firewall dynamic address FCTEMS8888888888_ZT_AD_MGMT
CMDB name: FCTEMS8888888888_ZT_AD_MGMT
TAG name: ZT_AD_MGMT
FCTEMS8888888888_ZT_AD_MGMT: ID(114)
    ADDR(10.1.10.4)
    (......)
    ADDR(10.1.99.195)
Total IP dynamic range blocks: 190.
Total IP dynamic addresses: 281.

# diagnose firewall dynamic address MAC_FCTEMS8888888888_ZT_AD_MGMT
CMDB name: MAC_FCTEMS8888888888_ZT_AD_MGMT
TAG name: ZT_AD_MGMT
MAC_FCTEMS8888888888_ZT_AD_MGMT: ID(163)
    MAC(52:f1:9d:06:1c:db)
    MAC(4b:77:2b:db:82:15)
    MAC(df:6e:9e:d9:04:1e)
Total MAC dynamic addresses: 393.
```