config endpoint-control fctems

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
    Description: Configure FortiClient Enterprise Management Server (EMS) entries.
    edit <ems-id>
        set call-timeout {integer}
        set capabilities {option1}, {option2}, ...
        set cloud-authentication-access-key {password}
        set dirty-reason [none|mismatched-ems-sn]
        set fortinetone-cloud-authentication [enable|disable]
        set https-port {integer}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set name {string}
        set out-of-sync-threshold {integer}
        set pull-malware-hash [enable|disable]
        set pull-sysinfo [enable|disable]
        set pull-tags [enable|disable]
        set pull-vulnerabilities [enable|disable]
        set send-tags-to-all-vdoms [enable|disable]
        set serial-number {string}
        set server {string}
        set source-ip {ipv4-address-any}
        set status [enable|disable]
        set tenant-id {string}
        set trust-ca-cn [enable|disable]
        set verifying-ca {string}
        set websocket-override [enable|disable]
    next
end

config endpoint-control fctems

Parameter

Description

Type

Size

Default

call-timeout

FortiClient EMS call timeout in seconds (1 - 180 seconds, default = 30).

integer

Minimum value: 1 Maximum value: 180

capabilities

List of EMS capabilities.

option

Option	Description
fabric-auth	Allow this FortiGate unit to load the authentication page provided by EMS to authenticate itself with EMS.
silent-approval	Allow silent approval of non-root or FortiGate HA clusters on EMS in the Security Fabric.
websocket	Enable/disable websockets for this FortiGate unit. Override behavior using websocket-override.
websocket-malware	Allow this FortiGate unit to request malware hash notifications over websocket.
push-ca-certs	Enable/disable syncing deep inspection certificates with EMS.
common-tags-api	Can recieve tag information from New Common Tags API from EMS.
tenant-id	Allow this FortiGate to retrieve Tenant-ID from EMS.
client-avatars	Allow this FortiGate to retrieve avatars from EMS by fingerprint.
single-vdom-connector	Allow this FortiGate to create a vdom connector to EMS.
fgt-sysinfo-api	Allow this FortiGate to send additional info to EMS.
ztna-server-info	Allow this FortiGate to send vdom's ZTNA server information to EMS.

cloud-authentication-access-key

FortiClient EMS Cloud multitenancy access key

password

Not Specified

dirty-reason

Dirty Reason for FortiClient EMS.

option

none

Option	Description
none	FortiClient EMS entry not dirty.
mismatched-ems-sn	FortiClient EMS entry dirty because EMS SN is mismatched with configured SN.

ems-id

EMS ID in order (1 - 7).

integer

Minimum value: 1 Maximum value: 7

fortinetone-cloud-authentication

Enable/disable authentication of FortiClient EMS Cloud through FortiCloud account.

option

disable

Option	Description
enable	Enable authentication of FortiClient EMS Cloud through FortiCloud account.
disable	Disable authentication of FortiClient EMS Cloud through FortiCloud account.

https-port

FortiClient EMS HTTPS access port number. (1 - 65535, default: 443).

integer

Minimum value: 1 Maximum value: 65535

443

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

name

FortiClient Enterprise Management Server (EMS) name.

string

Maximum length: 35

out-of-sync-threshold

Outdated resource threshold in seconds (10 - 3600, default = 180).

integer

Minimum value: 10 Maximum value: 3600

180

pull-malware-hash

Enable/disable pulling FortiClient malware hash from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient malware hash from EMS.
disable	Disable pulling FortiClient malware hash from EMS.

pull-sysinfo

Enable/disable pulling SysInfo from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient user SysInfo from EMS.
disable	Disable pulling FortiClient user SysInfo from EMS.

pull-tags

Enable/disable pulling FortiClient user tags from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient user tags from EMS.
disable	Disable pulling FortiClient user tags from EMS.

pull-vulnerabilities

Enable/disable pulling vulnerabilities from EMS.

option

enable

Option	Description
enable	Enable pulling client vulnerabilities from EMS.
disable	Disable pulling client vulnerabilities from EMS.

send-tags-to-all-vdoms

Relax restrictions on tags to send all EMS tags to all VDOMs

option

disable

Option	Description
enable	Enable sending tags to all vdoms.
disable	Disable sending tags to all vdoms.

serial-number

EMS Serial Number.

string

Maximum length: 16

server

FortiClient EMS FQDN or IPv4 address.

string

Maximum length: 255

source-ip

REST API call source IP.

ipv4-address-any

Not Specified

0.0.0.0

status

Enable or disable this EMS configuration.

option

disable

Option	Description
enable	Enable EMS configuration and operation.
disable	Disable EMS configuration and operation.

tenant-id

EMS Tenant ID.

string

Maximum length: 32

trust-ca-cn

Enable/disable trust of the EMS certificate issuer(CA) and common name(CN) for certificate auto-renewal.

option

enable

Option	Description
enable	Trust EMS certificate CA & CN to automatically renew certificate.
disable	Do not trust EMS certificate CA & CN to automatically renew certificate.

verifying-ca

Lowest CA cert on Fortigate in verified EMS cert chain.

string

Maximum length: 79

websocket-override

Enable/disable override behavior for how this FortiGate unit connects to EMS using a WebSocket connection.

option

disable

Option	Description
enable	Do not override the WebSocket connection. Connect to WebSocket of this EMS server if it is capable (default).
disable	Override the WebSocket connection. Do not connect to WebSocket even if EMS is capable of a WebSocket connection.

config endpoint-control fctems

Configure FortiClient Enterprise Management Server (EMS) entries.

config endpoint-control fctems
    Description: Configure FortiClient Enterprise Management Server (EMS) entries.
    edit <ems-id>
        set call-timeout {integer}
        set capabilities {option1}, {option2}, ...
        set cloud-authentication-access-key {password}
        set dirty-reason [none|mismatched-ems-sn]
        set fortinetone-cloud-authentication [enable|disable]
        set https-port {integer}
        set interface {string}
        set interface-select-method [auto|sdwan|...]
        set name {string}
        set out-of-sync-threshold {integer}
        set pull-malware-hash [enable|disable]
        set pull-sysinfo [enable|disable]
        set pull-tags [enable|disable]
        set pull-vulnerabilities [enable|disable]
        set send-tags-to-all-vdoms [enable|disable]
        set serial-number {string}
        set server {string}
        set source-ip {ipv4-address-any}
        set status [enable|disable]
        set tenant-id {string}
        set trust-ca-cn [enable|disable]
        set verifying-ca {string}
        set websocket-override [enable|disable]
    next
end

config endpoint-control fctems

Parameter

Description

Type

Size

Default

call-timeout

FortiClient EMS call timeout in seconds (1 - 180 seconds, default = 30).

integer

Minimum value: 1 Maximum value: 180

capabilities

List of EMS capabilities.

option

Option	Description
fabric-auth	Allow this FortiGate unit to load the authentication page provided by EMS to authenticate itself with EMS.
silent-approval	Allow silent approval of non-root or FortiGate HA clusters on EMS in the Security Fabric.
websocket	Enable/disable websockets for this FortiGate unit. Override behavior using websocket-override.
websocket-malware	Allow this FortiGate unit to request malware hash notifications over websocket.
push-ca-certs	Enable/disable syncing deep inspection certificates with EMS.
common-tags-api	Can recieve tag information from New Common Tags API from EMS.
tenant-id	Allow this FortiGate to retrieve Tenant-ID from EMS.
client-avatars	Allow this FortiGate to retrieve avatars from EMS by fingerprint.
single-vdom-connector	Allow this FortiGate to create a vdom connector to EMS.
fgt-sysinfo-api	Allow this FortiGate to send additional info to EMS.
ztna-server-info	Allow this FortiGate to send vdom's ZTNA server information to EMS.

cloud-authentication-access-key

FortiClient EMS Cloud multitenancy access key

password

Not Specified

dirty-reason

Dirty Reason for FortiClient EMS.

option

none

Option	Description
none	FortiClient EMS entry not dirty.
mismatched-ems-sn	FortiClient EMS entry dirty because EMS SN is mismatched with configured SN.

ems-id

EMS ID in order (1 - 7).

integer

Minimum value: 1 Maximum value: 7

fortinetone-cloud-authentication

Enable/disable authentication of FortiClient EMS Cloud through FortiCloud account.

option

disable

Option	Description
enable	Enable authentication of FortiClient EMS Cloud through FortiCloud account.
disable	Disable authentication of FortiClient EMS Cloud through FortiCloud account.

https-port

FortiClient EMS HTTPS access port number. (1 - 65535, default: 443).

integer

Minimum value: 1 Maximum value: 65535

443

interface

Specify outgoing interface to reach server.

string

Maximum length: 15

interface-select-method

Specify how to select outgoing interface to reach server.

option

auto

Option	Description
auto	Set outgoing interface automatically.
sdwan	Set outgoing interface by SD-WAN or policy routing rules.
specify	Set outgoing interface manually.

name

FortiClient Enterprise Management Server (EMS) name.

string

Maximum length: 35

out-of-sync-threshold

Outdated resource threshold in seconds (10 - 3600, default = 180).

integer

Minimum value: 10 Maximum value: 3600

180

pull-malware-hash

Enable/disable pulling FortiClient malware hash from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient malware hash from EMS.
disable	Disable pulling FortiClient malware hash from EMS.

pull-sysinfo

Enable/disable pulling SysInfo from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient user SysInfo from EMS.
disable	Disable pulling FortiClient user SysInfo from EMS.

pull-tags

Enable/disable pulling FortiClient user tags from EMS.

option

enable

Option	Description
enable	Enable pulling FortiClient user tags from EMS.
disable	Disable pulling FortiClient user tags from EMS.

pull-vulnerabilities

Enable/disable pulling vulnerabilities from EMS.

option

enable

Option	Description
enable	Enable pulling client vulnerabilities from EMS.
disable	Disable pulling client vulnerabilities from EMS.

send-tags-to-all-vdoms

Relax restrictions on tags to send all EMS tags to all VDOMs

option

disable

Option	Description
enable	Enable sending tags to all vdoms.
disable	Disable sending tags to all vdoms.

serial-number

EMS Serial Number.

string

Maximum length: 16

server

FortiClient EMS FQDN or IPv4 address.

string

Maximum length: 255

source-ip

REST API call source IP.

ipv4-address-any

Not Specified

0.0.0.0

status

Enable or disable this EMS configuration.

option

disable

Option	Description
enable	Enable EMS configuration and operation.
disable	Disable EMS configuration and operation.

tenant-id

EMS Tenant ID.

string

Maximum length: 32

trust-ca-cn

Enable/disable trust of the EMS certificate issuer(CA) and common name(CN) for certificate auto-renewal.

option

enable

Option	Description
enable	Trust EMS certificate CA & CN to automatically renew certificate.
disable	Do not trust EMS certificate CA & CN to automatically renew certificate.

verifying-ca

Lowest CA cert on Fortigate in verified EMS cert chain.

string

Maximum length: 79

websocket-override

Enable/disable override behavior for how this FortiGate unit connects to EMS using a WebSocket connection.

option

disable

Option	Description
enable	Do not override the WebSocket connection. Connect to WebSocket of this EMS server if it is capable (default).
disable	Override the WebSocket connection. Do not connect to WebSocket even if EMS is capable of a WebSocket connection.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config endpoint-control fctems

config endpoint-control fctems

config endpoint-control fctems

config endpoint-control fctems

config endpoint-control fctems

config endpoint-control fctems