Administration Guide

Creating FortiClient EMS connectors

You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS or FortiClient EMS Cloud server.

When a FortiClient EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS.

Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the ZTNA tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.

Note

FortiClient EMS connectors can also be configured from Policy & Objects > Object Configurations > Fabric Connectors > Endpoint/Identity.

Tooltip

In order for the FortiClient EMS connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.

To create a FortiClient EMS connector:
  1. Go to Fabric View > Fabric > Connectors.
  2. Select one of the five available FortiClient EMS connectors, and click Edit.
  3. Fill in the EMS server details, and click OK.
    Name: Enter a name for the FortiClient EMS connector.
    Status: Set the status of the connector to enabled.
    Type: Select FortiClient EMS.
    IP/Domain name: Enter the IP address or domain name for the FortiClient EMS.
    HTTPS port: Enter the HTTPS port for the FortiClient EMS.
    User Name: Enter the FortiClient EMS administrator user name.
    Password: Enter the FortiClient EMS administrator password.
    EMS Threat Feed: Toggle ON to allow FortiManager to pull FortiClient malware hashes from FortiClient EMS.
    Synchronize firewall addresses: Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

  4. Click OK to create the connector.
  5. After the connector has been authenticated, FortiManager will retrieve tags and the certificate-fingerprint from the EMS server. FortiManager will not appear on the FortiClient EMS server under Fabric Devices.

To create a FortiClient EMS Cloud connector:
  1. Go to Fabric View > Fabric > Connectors.
  2. Select one of the five available FortiClient EMS connectors, and click Edit.
  3. Fill in the EMS Cloud server details, and click OK.
    Name: Enter a name for the FortiClient EMS connector.
    Status: Set the status of the connector to enabled.
    Type: Select FortiClient EMS Cloud.
      Caution: FortiManager can only connect to the FortiClient EMS Cloud that is registered to the same FortiCloud account.
    EMS Threat Feed: Toggle ON to allow FortiManager to pull FortiClient malware hashes from FortiClient EMS.
    Synchronize firewall addresses: Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.
    Advanced Options: Click to open and configure advanced options for the FortiClient EMS Cloud connector.

  4. Click OK to create the connector.
  5. Once the connector is configured, FortiManager will appear on the EMS Cloud server under Administration > Fabric Devices, and you must authorize it before FortiManager is able to retrieve the EMS tags.

To manually import and view tags from the EMS server:
  1. Go to Fabric View > Fabric > Connectors, and edit the configured FortiClient EMS connector.
  2. Click Apply & Refresh.
    Any changes on the EMS server are dynamically populated on the FortiManager.
  3. Go to Policy & Objects > Object Configurations > Firewall Objects > ZTNA Tags.
    You can see imported IP and MAC tags available on the page. See Viewing ZTNA tags.

To use ZTNA tags imported from the EMS server in a policy:
  1. Configure the ZTNA policy and object settings on FortiManager as required. See Create a new Zero Trust Network Access (ZTNA) rule.
  2. Install the ZTNA policy to FortiGate using the Device Manager Install Wizard.
    While performing the installation to FortiGate, FortiManager also installs the digital fingerprint from the EMS server, removing the requirement to authorize the FortiGate on the EMS server.
  3. Confirm that FortiGate is authorized on the EMS server:
    1. Log in on the FortiGate, and go to Security Fabric > Fabric Connectors > FortiClient EMS.
    2. Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.
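
A scripted version of the final confirmation step, as an added example that is not part of the Fortinet guide: it parses a saved FortiGate configuration block and reports where the installed EMS server details differ from what was entered on FortiManager, or where no fingerprint was installed. The sample configuration is constructed, and the section and key names (`endpoint-control fctems`, `server`, `https-port`, `certificate-fingerprint`) and the `EXPECTED` values are assumptions to adapt to your own output.

```python
import re

# Constructed sample of FortiGate CLI output; section and key names are assumptions.
SAMPLE_CONFIG = '''\
config endpoint-control fctems
    edit "ems-hq"
        set server "ems.example.internal"
        set https-port 443
        set certificate-fingerprint "AA:BB:CC:DD"
    next
    edit "ems-lab"
        set server "192.0.2.10"
        set https-port 8443
    next
end
'''
EXPECTED = {  # hypothetical values, as entered on FortiManager
    "ems-hq": {"server": "ems.example.internal", "https-port": "443"},
    "ems-lab": {"server": "192.0.2.10", "https-port": "443"},
}

def parse_entries(text):
    """Return {entry name: {key: value}} for every edit ... next block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = entries.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return entries

def audit(entries, expected):
    """List differences between installed entries and the expected values."""
    findings = []
    for name, want in expected.items():
        have = entries.get(name)
        if have is None:
            findings.append(f"{name}: connector not present on FortiGate")
            continue
        findings += [f"{name}: {k} is {have.get(k)!r}, expected {v!r}"
                     for k, v in want.items() if have.get(k) != v]
        # The page says the install also pushes the EMS fingerprint.
        if not have.get("certificate-fingerprint"):
            findings.append(f"{name}: no certificate-fingerprint installed")
    return findings
```

Call `audit(parse_entries(saved_output), EXPECTED)` on output saved from the FortiGate; an empty list means the installed details match what was entered.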
