Fortinet black logo

Administration Guide

Creating FortiClient EMS connector

Creating FortiClient EMS connector

You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS server. When an EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS.

Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the ZTNA tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.

Tooltip

In order for the FortiClient connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.

To create a FortiClient EMS connector:
  1. Go to Fabric View > Fabric > Connectors.
  2. Click Create New, and select FortiClient EMS under Endpoint/Identity.
    Note

    FortiClient EMS connectors can also be configured from Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.

  3. Fill in the EMS server details, and click OK.
    NameEnter a name for the FortiClient EMS connector.
    TypeSelect FortiClient EMS as the connector type, depending on your EMS server.
    IP/Domain name

    Enter the IP or domain name for the FortiClient EMS.

    HTTPS port

    Enter the HTTPS port for the FortiClient EMS.

    User NameEnter the administrator user name.

    Password

    Enter the administrator password.

    EMS Threat Feed

    Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

    Synchronize firewall addresses

    Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

  4. Configure the ZTNA policy and object settings. See Zero Trust Network Access (ZTNA) rules.
  5. Once the policy is configured under ZTNA Rules, you can install the policy using the Device Manger's Install Wizard. FortiManager installs the ZTNA Rules to the FortiGate along with the EMS server configuration which includes the Fingerprint from EMS Server. This eliminates the need for manual authorization, and FortiGate is able to retrieve dynamic object details from EMS for use.
To manually import and view tags from FortiClient EMS:
  1. Go to Fabric View > Fabric > Connectors, and edit the configured FortiClient EMS connector.
  2. Click Apply & Refresh.
    Any changes on the EMS server are dynamically populated on the FortiManager.
  3. Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
    You can see imported IP and MAC tags available on the page. See Viewing ZTNA tags.
To confirm that FortiGate is authorized on the EMS Server:
  1. Log in on the FortiGate.
  2. Navigate to Security Fabric > Fabric Connectors > FortiClient EMS.
  3. Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.
    To check the policy that is installed on the FortiGate, navigate to Policy & Objects > ZTNA Rules.
  4. You can also confirm that FortiGate is authorized on the FortiClient EMS server by going to Administration > Fabric Devices on FortiClient EMS.
    The FortiGate should be present in the list to interact with the EMS server.

Creating FortiClient EMS connector

You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS server. When an EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS.

Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the ZTNA tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.

Tooltip

In order for the FortiClient connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.

To create a FortiClient EMS connector:
  1. Go to Fabric View > Fabric > Connectors.
  2. Click Create New, and select FortiClient EMS under Endpoint/Identity.
    Note

    FortiClient EMS connectors can also be configured from Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.

  3. Fill in the EMS server details, and click OK.
    NameEnter a name for the FortiClient EMS connector.
    TypeSelect FortiClient EMS as the connector type, depending on your EMS server.
    IP/Domain name

    Enter the IP or domain name for the FortiClient EMS.

    HTTPS port

    Enter the HTTPS port for the FortiClient EMS.

    User NameEnter the administrator user name.

    Password

    Enter the administrator password.

    EMS Threat Feed

    Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

    Synchronize firewall addresses

    Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

  4. Configure the ZTNA policy and object settings. See Zero Trust Network Access (ZTNA) rules.
  5. Once the policy is configured under ZTNA Rules, you can install the policy using the Device Manger's Install Wizard. FortiManager installs the ZTNA Rules to the FortiGate along with the EMS server configuration which includes the Fingerprint from EMS Server. This eliminates the need for manual authorization, and FortiGate is able to retrieve dynamic object details from EMS for use.
To manually import and view tags from FortiClient EMS:
  1. Go to Fabric View > Fabric > Connectors, and edit the configured FortiClient EMS connector.
  2. Click Apply & Refresh.
    Any changes on the EMS server are dynamically populated on the FortiManager.
  3. Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
    You can see imported IP and MAC tags available on the page. See Viewing ZTNA tags.
To confirm that FortiGate is authorized on the EMS Server:
  1. Log in on the FortiGate.
  2. Navigate to Security Fabric > Fabric Connectors > FortiClient EMS.
  3. Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.
    To check the policy that is installed on the FortiGate, navigate to Policy & Objects > ZTNA Rules.
  4. You can also confirm that FortiGate is authorized on the FortiClient EMS server by going to Administration > Fabric Devices on FortiClient EMS.
    The FortiGate should be present in the list to interact with the EMS server.