Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.6.0 Administration Guide
    7.6.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Creating FortiClient EMS connectors

    Creating FortiClient EMS connectors

    You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS or FortiClient EMS Cloud server.

    When a FortiClient EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS. Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the security posture tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.

    Caution

    Importing the FortiClient EMS configuration from FortiGate is not supported

    You cannot import FortiGate's FortiClient EMS configuration into FortiManager.

    When an install is performed from FortiManager, the FortiClient EMS connectors configured on FortiManager are installed to the target FortiGate, replacing all existing device-level configurations.

    When adding a FortiGate to FortiManager with pre-existing connection to FortiClient EMS, you must manually configure a FortiClient EMS connector on FortiManager with matching settings before performing an install.

    Fields that support metadata variables are identified with the following magnifying glass icon . See ADOM-level metadata variables..

    Note

    FortiClient EMS connectors can also be configured from Policy & Objects > Security Fabric > Endpoint/Identity.
    Tooltip

    In order for the FortiClient EMS connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.
    To create a FortiClient EMS connector:

    1. Go to Fabric View > Fabric > Fabric Connectors.

    2. Select one of the five available FortiClient EMS connectors, and click Edit.

    3. Fill in the EMS server details, and click OK.

      Name

      Enter a name for the FortiClient EMS connector.

      Status

      Set the status of the connector to enabled.
      Type Select FortiClient EMS.
      IP/Domain name

      Enter the IP or domain name for the FortiClient EMS.
      HTTPS port

      Enter the HTTPS port for the FortiClient EMS.
      User Name Enter the FortiClient EMS administrator user name.

      Password

      Enter the FortiClient EMS administrator password.

      EMS Threat Feed

      Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

      Synchronize firewall addresses

      Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

      Multi Site

      Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.

      Advanced Options

      Click to open and configure advanced options for the FortiClient EMS connector.

      The source-ip field supports metadata variables. See ADOM-level metadata variables.

    4. Click OK to create the connector.

    5. After the connector has been authenticated, FortiManager will retrieve tags and the certificate-fingerprint from the EMS server. FortiManager will not appear on the FortiClient EMS server under Fabric Devices.

    To create a FortiClient EMS Cloud connector:

    1. Go to Fabric View > Fabric > Fabric Connectors.

    2. Select one of the five available FortiClient EMS connectors, and click Edit.

    3. Fill in the EMS Cloud server details, and click OK.

      Name

      Enter a name for the FortiClient EMS connector.

      Status

      Set the status of the connector to enabled.
      Type

      Select FortiClient EMS Cloud.

      Caution

      FortiManager can only connect to the FortiClient EMS Cloud that is registered to the same FortiCloud account.

      EMS Threat Feed

      Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

      Synchronize firewall addresses

      Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

      Multi Site

      Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.

      Advanced Options

      Click to open and configure advanced options for the FortiClient EMS Cloud connector.

      The source-ip field supports metadata variables. See ADOM-level metadata variables.

    4. Click OK to create the connector.

    5. Once the connector is configured, FortiManager will appear on the EMS Cloud server under Administration > Fabric Devices, and you must authorize it before FortiManager is able to retrieve the EMS tags.

    To manually import and view tags from the EMS server:

    1. Go to Fabric View > Fabric > Fabric Connectors, and edit the configured FortiClient EMS connector.

    2. Click Apply & Refresh.
      Any changes on the EMS server are dynamically populated on the FortiManager.

    3. Go to Policy & Objects > Firewall Objects > Security Posture Tag.
      You can see imported IP and MAC tags available on the page. See Viewing security posture tags.

    To use security posture tags imported from the EMS server in a policy:

    1. Configure the proxy policy and object settings on FortiManager as required. See Create a new proxy policy.

    2. Install the ZTNA policy to FortiGate using the Device Manager Install Wizard.
      While performing the installation to FortiGate, FortiManager also installs the digital fingerprint from the EMS server, removing the requirement to authorize the FortiGate on the EMS server.

    3. Confirm that FortiGate is authorized on the EMS server:

      1. Log in on the FortiGate, and go to Security Fabric > Fabric Connectors > FortiClient EMS.

      2. Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.

    Previous
    Next

    Creating FortiClient EMS connectors

    Creating FortiClient EMS connectors

    You can configure a FortiClient EMS connector on FortiManager to retrieve or generate EMS tag addresses from a FortiClient EMS or FortiClient EMS Cloud server.

    When a FortiClient EMS connector is configured, FortiManager automatically registers the FortiGate on FortiClient EMS, allowing FortiGate to retrieve dynamic object details from FortiClient EMS. Once the FortiClient EMS connector has been created, you can configure a ZTNA server and use the security posture tags in policies. See Zero Trust Network Access (ZTNA) objects and Configuring a ZTNA server.

    Caution

    Importing the FortiClient EMS configuration from FortiGate is not supported

    You cannot import FortiGate's FortiClient EMS configuration into FortiManager.

    When an install is performed from FortiManager, the FortiClient EMS connectors configured on FortiManager are installed to the target FortiGate, replacing all existing device-level configurations.

    When adding a FortiGate to FortiManager with pre-existing connection to FortiClient EMS, you must manually configure a FortiClient EMS connector on FortiManager with matching settings before performing an install.

    Fields that support metadata variables are identified with the following magnifying glass icon . See ADOM-level metadata variables..

    Note

    FortiClient EMS connectors can also be configured from Policy & Objects > Security Fabric > Endpoint/Identity.
    Tooltip

    In order for the FortiClient EMS connector to import dynamic object details from FortiClient EMS, FortiClient EMS and FortiOS must be on version 7.0.3 or later.
    To create a FortiClient EMS connector:

    1. Go to Fabric View > Fabric > Fabric Connectors.

    2. Select one of the five available FortiClient EMS connectors, and click Edit.

    3. Fill in the EMS server details, and click OK.

      Name

      Enter a name for the FortiClient EMS connector.

      Status

      Set the status of the connector to enabled.
      Type Select FortiClient EMS.
      IP/Domain name

      Enter the IP or domain name for the FortiClient EMS.
      HTTPS port

      Enter the HTTPS port for the FortiClient EMS.
      User Name Enter the FortiClient EMS administrator user name.

      Password

      Enter the FortiClient EMS administrator password.

      EMS Threat Feed

      Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

      Synchronize firewall addresses

      Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

      Multi Site

      Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.

      Advanced Options

      Click to open and configure advanced options for the FortiClient EMS connector.

      The source-ip field supports metadata variables. See ADOM-level metadata variables.

    4. Click OK to create the connector.

    5. After the connector has been authenticated, FortiManager will retrieve tags and the certificate-fingerprint from the EMS server. FortiManager will not appear on the FortiClient EMS server under Fabric Devices.

    To create a FortiClient EMS Cloud connector:

    1. Go to Fabric View > Fabric > Fabric Connectors.

    2. Select one of the five available FortiClient EMS connectors, and click Edit.

    3. Fill in the EMS Cloud server details, and click OK.

      Name

      Enter a name for the FortiClient EMS connector.

      Status

      Set the status of the connector to enabled.
      Type

      Select FortiClient EMS Cloud.

      Caution

      FortiManager can only connect to the FortiClient EMS Cloud that is registered to the same FortiCloud account.

      EMS Threat Feed

      Toggle ON to allow FortiManager to pull FortiClient malware hash from FortiClient EMS.

      Synchronize firewall addresses

      Toggle ON to automatically create and synchronize firewall addresses for all EMS tags.

      Multi Site

      Enable to retrieve EMS tags with site information when multiple sites are configured on FortiClient EMS.

      Advanced Options

      Click to open and configure advanced options for the FortiClient EMS Cloud connector.

      The source-ip field supports metadata variables. See ADOM-level metadata variables.

    4. Click OK to create the connector.

    5. Once the connector is configured, FortiManager will appear on the EMS Cloud server under Administration > Fabric Devices, and you must authorize it before FortiManager is able to retrieve the EMS tags.

    To manually import and view tags from the EMS server:

    1. Go to Fabric View > Fabric > Fabric Connectors, and edit the configured FortiClient EMS connector.

    2. Click Apply & Refresh.
      Any changes on the EMS server are dynamically populated on the FortiManager.

    3. Go to Policy & Objects > Firewall Objects > Security Posture Tag.
      You can see imported IP and MAC tags available on the page. See Viewing security posture tags.

    To use security posture tags imported from the EMS server in a policy:

    1. Configure the proxy policy and object settings on FortiManager as required. See Create a new proxy policy.

    2. Install the ZTNA policy to FortiGate using the Device Manager Install Wizard.
      While performing the installation to FortiGate, FortiManager also installs the digital fingerprint from the EMS server, removing the requirement to authorize the FortiGate on the EMS server.

    3. Confirm that FortiGate is authorized on the EMS server:

      1. Log in on the FortiGate, and go to Security Fabric > Fabric Connectors > FortiClient EMS.

      2. Confirm the server details installed on the FortiGate are correct and that the status displays as Connected.

    Previous
    Next