You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS server. When an EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS.
For the FortiClient EMS connector to import dynamic object details from FortiClient EMS, both FortiClient EMS and FortiOS must be on version 7.0.3 or later.
- Go to Fabric View > Fabric > Connectors.
- Click Create New, and select FortiClient EMS under Endpoint/Identity.
FortiClient EMS connectors can also be configured from Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.
- Fill in the EMS server details, and click OK.
| Setting | Description |
|---|---|
| Name | Enter a name for the FortiClient EMS connector. |
| Type | Select FortiClient EMS as the connector type, depending on your EMS server. |
| IP/Domain name | Enter the IP or domain name for the FortiClient EMS. |
| Port | Enter the HTTPS port for the FortiClient EMS. |
| User Name | Enter the administrator user name. |
| Password | Enter the administrator password. |
| EMS Threat Feed | Toggle ON to allow FortiManager to pull FortiClient malware hashes from FortiClient EMS. |
| Synchronize firewall addresses | Toggle ON to automatically create and synchronize firewall addresses for all EMS tags. |
- Configure the ZTNA policy and object settings. See Zero Trust Network Access (ZTNA) rules.
- Once the policy is configured under ZTNA Rules, you can install it using the Device Manager's Install Wizard. FortiManager installs the ZTNA Rules to the FortiGate together with the EMS server configuration, which includes the certificate fingerprint of the EMS server. This eliminates the need to authorize the FortiGate on EMS manually, and the FortiGate is able to retrieve dynamic object details from EMS for use.
- Go to Fabric View > Fabric > Connectors, and edit the configured FortiClient EMS connector.
- Click Apply & Refresh.
Any changes on the EMS server are dynamically populated on the FortiManager.
- Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
You can see imported IP and MAC tags available on the page. See Viewing ZTNA tags.
- Log in to the FortiGate.
- Navigate to Security Fabric > Fabric Connectors > FortiClient EMS.
- Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.
To check the policy that is installed on the FortiGate, navigate to Policy & Objects > ZTNA Rules.
- You can also confirm that FortiGate is authorized on the FortiClient EMS server by going to Administration > Fabric Devices on FortiClient EMS.
The FortiGate should be present in the list; only then can it interact with the EMS server.
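As an added example that is not part of the original page, the following FortiOS CLI fragment shows what the installed EMS connector looks like on the FortiGate, followed by the CLI checks an administrator can run to confirm the result the GUI steps above describe. The connector name `EMS1`, the address `ems.example.com`, and port `443` are placeholders; the mapping of the GUI toggles to the `pull-malware-hash` and `pull-tags` settings is an assumption of this example, not a mapping the page states.

```fortios
# Lines starting with '#' are annotations and are not entered on the FortiGate CLI.
# Connector object as installed by FortiManager (all values are placeholders):
config endpoint-control fctems
    edit "EMS1"
        set server "ems.example.com"      # IP/Domain name from the connector form
        set https-port 443                # HTTPS port from the connector form
        set pull-malware-hash enable      # assumed CLI equivalent of "EMS Threat Feed"
        set pull-tags enable              # assumed CLI equivalent of tag synchronization
    next
end

# Verification, run on the FortiGate after the install:
# 1. Check the EMS server certificate against the stored fingerprint. This is the
#    authorization step that the fingerprint pushed by FortiManager removes from
#    the manual workflow.
execute fctems verify EMS1

# 2. List the dynamic addresses learned from EMS. Imported ZTNA tags appear here
#    once the connector status is Connected.
diagnose firewall dynamic list
```

If the connector shows as Connected but no tags are listed, the usual cause is the version requirement stated at the top of this page (EMS and FortiOS 7.0.3 or later) or a tag synchronization setting left disabled on the connector.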