
CLI Reference

config endpoint-control fctems

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
    Description: Configure FortiClient Enterprise Management Server (EMS) entries.
    edit <ems-id>
        set call-timeout {integer}
        set capabilities {option1}, {option2}, ...
        set dirty-reason [none|mismatched-ems-sn]
        set fortinetone-cloud-authentication [enable|disable]
        set https-port {integer}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set name {string}
        set out-of-sync-threshold {integer}
        set preserve-ssl-session [enable|disable]
        set pull-avatars [enable|disable]
        set pull-malware-hash [enable|disable]
        set pull-sysinfo [enable|disable]
        set pull-tags [enable|disable]
        set pull-vulnerabilities [enable|disable]
        set send-tags-to-all-vdoms [enable|disable]
        set serial-number {string}
        set server {string}
        set source-ip {ipv4-address-any}
        set status [enable|disable]
        set tenant-id {string}
        set trust-ca-cn [enable|disable]
        set verifying-ca {string}
        set websocket-override [enable|disable]
    next
end

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| call-timeout | FortiClient EMS call timeout in seconds. | integer | Minimum value: 1 Maximum value: 180 | 30 |
| capabilities | List of EMS capabilities. | option | - | |
| | Option fabric-auth: Allow this FortiGate unit to load the authentication page provided by EMS to authenticate itself with EMS. | | | |
| | Option silent-approval: Allow silent approval of non-root or FortiGate HA clusters on EMS in the Security Fabric. | | | |
| | Option websocket: Enable/disable websockets for this FortiGate unit. Override behavior using websocket-override. | | | |
| | Option websocket-malware: Allow this FortiGate unit to request malware hash notifications over websocket. | | | |
| | Option push-ca-certs: Enable/disable syncing deep inspection certificates with EMS. | | | |
| | Option common-tags-api: Can receive tag information from the New Common Tags API from EMS. | | | |
| | Option tenant-id: Allow this FortiGate to retrieve Tenant-ID from EMS. | | | |
| | Option client-avatars: Allow this FortiGate to retrieve avatars from EMS by fingerprint. | | | |
| | Option single-vdom-connector: Allow this FortiGate to create a vdom connector to EMS. | | | |
| dirty-reason | Dirty Reason for FortiClient EMS. | option | - | none |
| | Option none: FortiClient EMS entry not dirty. | | | |
| | Option mismatched-ems-sn: FortiClient EMS entry dirty because EMS SN is mismatched with configured SN. | | | |
| ems-id | EMS ID in order. | integer | Minimum value: 1 Maximum value: 7 | 0 |
| fortinetone-cloud-authentication | Enable/disable authentication of FortiClient EMS Cloud through FortiCloud account. | option | - | disable |
| | Option enable: Enable authentication of FortiClient EMS Cloud through FortiCloud account. | | | |
| | Option disable: Disable authentication of FortiClient EMS Cloud through FortiCloud account. | | | |
| https-port | FortiClient EMS HTTPS access port number. | integer | Minimum value: 1 Maximum value: 65535 | 443 |
| interface | Specify outgoing interface to reach server. | string | Maximum length: 15 | |
| interface-select-method | Specify how to select outgoing interface to reach server. | option | - | auto |
| | Option auto: Set outgoing interface automatically. | | | |
| | Option sdwan: Set outgoing interface by SD-WAN or policy routing rules. | | | |
| | Option specify: Set outgoing interface manually. | | | |
| name | FortiClient Enterprise Management Server (EMS) name. | string | Maximum length: 35 | |
| out-of-sync-threshold | Outdated resource threshold in seconds. | integer | Minimum value: 10 Maximum value: 3600 | 180 |
| preserve-ssl-session | Enable/disable preservation of EMS SSL session connection. Warning, most users should not touch this setting. | option | - | disable |
| | Option enable: Allow preservation of EMS SSL session connection. | | | |
| | Option disable: Don't allow preservation of EMS SSL session connection. | | | |
| pull-avatars | Enable/disable pulling avatars from EMS. | option | - | enable |
| | Option enable: Enable pulling FortiClient user avatars from EMS. | | | |
| | Option disable: Disable pulling FortiClient user avatars from EMS. | | | |
| pull-malware-hash | Enable/disable pulling FortiClient malware hash from EMS. | option | - | enable |
| | Option enable: Enable pulling FortiClient malware hash from EMS. | | | |
| | Option disable: Disable pulling FortiClient malware hash from EMS. | | | |
| pull-sysinfo | Enable/disable pulling SysInfo from EMS. | option | - | enable |
| | Option enable: Enable pulling FortiClient user SysInfo from EMS. | | | |
| | Option disable: Disable pulling FortiClient user SysInfo from EMS. | | | |
| pull-tags | Enable/disable pulling FortiClient user tags from EMS. | option | - | enable |
| | Option enable: Enable pulling FortiClient user tags from EMS. | | | |
| | Option disable: Disable pulling FortiClient user tags from EMS. | | | |
| pull-vulnerabilities | Enable/disable pulling vulnerabilities from EMS. | option | - | enable |
| | Option enable: Enable pulling client vulnerabilities from EMS. | | | |
| | Option disable: Disable pulling client vulnerabilities from EMS. | | | |
| send-tags-to-all-vdoms | Relax restrictions on tags to send all EMS tags to all VDOMs. | option | - | disable |
| | Option enable: Enable sending tags to all vdoms. | | | |
| | Option disable: Disable sending tags to all vdoms. | | | |
| serial-number | EMS Serial Number. | string | Maximum length: 16 | |
| server | FortiClient EMS FQDN or IPv4 address. | string | Maximum length: 255 | |
| source-ip | REST API call source IP. | ipv4-address-any | Not Specified | 0.0.0.0 |
| status | Enable or disable this EMS configuration. | option | - | disable |
| | Option enable: Enable EMS configuration and operation. | | | |
| | Option disable: Disable EMS configuration and operation. | | | |
| tenant-id | EMS Tenant ID. | string | Maximum length: 32 | |
| trust-ca-cn | Enable/disable trust of the EMS certificate issuer (CA) and common name (CN) for certificate auto-renewal. | option | - | enable |
| | Option enable: Trust EMS certificate CA & CN to automatically renew certificate. | | | |
| | Option disable: Do not trust EMS certificate CA & CN to automatically renew certificate. | | | |
| verifying-ca | Lowest CA cert on FortiGate in verified EMS cert chain. | string | Maximum length: 79 | |
| websocket-override | Enable/disable override behavior for how this FortiGate unit connects to EMS using a WebSocket connection. | option | - | disable |
| | Option enable: Do not override the WebSocket connection. Connect to WebSocket of this EMS server if it is capable (default). | | | |
| | Option disable: Override the WebSocket connection. Do not connect to WebSocket even if EMS is capable of a WebSocket connection. | | | |
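
The ranges and defaults documented above can be checked against a configuration backup. The following added example (not Fortinet code) parses the config endpoint-control fctems block and reports out-of-range values, plus three settings that the descriptions above single out (preserve-ssl-session, send-tags-to-all-vdoms, dirty-reason) when they differ from their documented defaults. The function names, the choice of settings to report, and the sample configuration are assumptions made for illustration.

```python
import shlex
# Limits and defaults transcribed from the parameter table on this page.
INT_RANGES = {"call-timeout": (1, 180), "https-port": (1, 65535), "out-of-sync-threshold": (10, 3600)}
MAX_LEN = {"interface": 15, "name": 35, "serial-number": 16, "server": 255, "tenant-id": 32, "verifying-ca": 79}
# Reported for review whenever the value differs from the documented default.
REVIEW = {"preserve-ssl-session": "disable", "send-tags-to-all-vdoms": "disable", "dirty-reason": "none"}

def parse_fctems(text):
    """Return {ems-id: {parameter: value}} from the fctems block of a config backup."""
    entries, current, inside = {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line)  # copes with quoted values such as set name "ems hq"
        if tok[:3] == ["config", "endpoint-control", "fctems"]:
            inside = True
        elif not inside or not tok:
            continue
        elif tok[0] == "edit" and len(tok) == 2:
            current = entries.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "end":
            inside, current = False, None
    return entries

def audit(entries):
    """Return (ems-id, parameter, reason) for out-of-range or review-worthy values."""
    findings = []
    for ems_id, params in entries.items():
        if not (ems_id.isdigit() and 1 <= int(ems_id) <= 7):
            findings.append((ems_id, "ems-id", "outside 1-7"))
        for key, val in params.items():
            if key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not (val.isdigit() and lo <= int(val) <= hi):
                    findings.append((ems_id, key, f"{val} outside {lo}-{hi}"))
            elif key in MAX_LEN and len(val) > MAX_LEN[key]:
                findings.append((ems_id, key, f"longer than {MAX_LEN[key]} characters"))
            elif key in REVIEW and val != REVIEW[key]:
                findings.append((ems_id, key, f"{val} (documented default: {REVIEW[key]})"))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """config endpoint-control fctems
    edit 1
        set call-timeout 300
        set preserve-ssl-session enable
    next
end"""
print(audit(parse_fctems(SAMPLE)))
```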
