Creating FortiClient EMS connector
You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS server or FortiClient EMS Cloud server.
When an EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS.
Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the ZTNA tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.
FortiClient EMS connectors can also be configured from Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.
In order for the FortiClient connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.
To create a FortiClient EMS connector:
- Go to Fabric View > Fabric > Connectors.
- Select one of the five available FortiClient EMS connectors, and click Edit.
- Fill in the EMS server details:
  - Name: Enter a name for the FortiClient EMS connector.
  - Status: Set the status of the connector to enabled.
  - Type: Select FortiClient EMS.
  - IP/Domain name: Enter the IP or domain name for the FortiClient EMS.
  - HTTPS port: Enter the HTTPS port for the FortiClient EMS.
  - User Name: Enter the administrator user name.
  - Password: Enter the administrator password.
  - EMS Threat Feed: Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.
  - Synchronize firewall addresses: Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.
  - Multi Site: Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.
- Click OK to create the connector.
- After the connector has been authenticated, FortiManager will retrieve tags and the certificate-fingerprint from the EMS server. FortiManager will not appear on the FortiClient EMS server under Fabric Devices.
To create a FortiClient EMS Cloud connector:
- Go to Fabric View > Fabric > Connectors.
- Select one of the five available FortiClient EMS connectors, and click Edit.
- Fill in the EMS Cloud server details:
  - Name: Enter a name for the FortiClient EMS connector.
  - Status: Set the status of the connector to enabled.
  - Type: Select FortiClient EMS Cloud. FortiManager can only connect to the FortiClient EMS Cloud that is registered to the same FortiCloud account.
  - EMS Threat Feed: Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.
  - Synchronize firewall addresses: Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.
  - Multi Site: Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.
- Click OK to create the connector.
- Once the connector is configured, FortiManager will appear on the EMS Cloud server under Administration > Fabric Devices, and you must authorize it before FortiManager is able to retrieve the EMS tags.
To manually import and view tags from FortiClient EMS:
- Go to Fabric View > Fabric > Connectors, and edit the configured FortiClient EMS connector.
- Click Apply & Refresh.
  Any changes on the EMS server are dynamically populated on the FortiManager.
- Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
  You can see imported IP and MAC tags available on the page. See Viewing ZTNA tags.
To confirm that FortiGate is authorized on the EMS Server:
- Log in on the FortiGate.
- Navigate to Security Fabric > Fabric Connectors > FortiClient EMS.
- Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.
  To check the policy that is installed on the FortiGate, navigate to Policy & Objects > ZTNA Rules.
- You can also confirm that FortiGate is authorized on the FortiClient EMS server by going to Administration > Fabric Devices on FortiClient EMS.
  The FortiGate should be present in the list to interact with the EMS server.
To use ZTNA tags imported from the EMS server in a policy:
- Configure the ZTNA policy and object settings on FortiManager as required. See Zero Trust Network Access (ZTNA) rules.
- Install the ZTNA policy to FortiGate using the Device Manager Install Wizard.
  While performing the installation to FortiGate, FortiManager also installs the digital fingerprint from the EMS server, removing the requirement to authorize the FortiGate on the EMS server.
- Confirm that FortiGate is authorized on the EMS server:
  - Log in on the FortiGate, and go to Security Fabric > Fabric Connectors > FortiClient EMS.
  - Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.