ZTNA user control
When ZTNA control is set up on FortiPAM, you can only connect to FortiPAM and launch a secret from an endpoint PC that carries the allowed ZTNA tags. FortiClient must be installed on the endpoint PC and connected to the same EMS server as FortiPAM.
To use the FortiPAM ZTNA control feature:
- The client where FortiClient runs must be connected to the same EMS server as FortiPAM.
- You must enable the ZTNA Control option when editing a proxy rule. See Editing a proxy rule.
- For clients that are not connected to the same EMS as FortiPAM to launch secrets successfully without ZTNA control, you must configure another access proxy with a different VIP and with the client certificate disabled.
To set up EMS in the GUI:
- Go to Network > Fabric Connectors.
- Select FortiClient EMS and click Edit.
- In Name, enter the EMS name.
- In IP/Domain name, enter the IP address or the domain name of the EMS.
- In HTTPS port, enter the HTTPS port for the EMS.
- Click OK.
Refer to FortiClient EMS Status to check the status of the FortiClient EMS.
If there is an error connecting to the EMS server, log in to the EMS server, authorize FortiPAM in Administration > Fabric Device, and click Accept in Verify EMS Server Certificate.
For more information, see Fabric Connectors.
To set up EMS using the CLI:
- In the CLI console, enter the following commands to configure an EMS:
config endpoint-control fctems
edit "ems_200"
set server "10.59.112.200"
next
end
- After adding an EMS server, the CLI asks you to verify it using execute fctems verify ems_200.
Example:
execute fctems verify ems_200
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2022-04-25 18:17:42 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
Root CA: No
Version: 3
Serial Num:
a4:35:c8
Extensions:
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:FALSE
EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)y
Certificate successfully configured and verified.
If authentication is denied, log in to the EMS server and authorize FortiPAM in Administration > Fabric Device.
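The verify step above asks you to accept the EMS server certificate, and the only thing that ties that prompt to the real EMS is the fingerprint. The following added example (not part of the FortiPAM documentation) parses the summary printed by execute fctems verify and answers "is it safe to type y" by comparing the fingerprint with a value pinned out-of-band, checking the subject CN and the validity window; the sample output is the one shown above, constructed as a string, and the pinned fingerprint, expected CN and clock value are assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the summary FortiPAM prints for "execute fctems verify ems_200".
VERIFY_OUTPUT = """\
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2022-04-25 18:17:42 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
Root CA: No
Version: 3
Serial Num:
a4:35:c8
Extensions:
"""
DATE_FMT = "%Y-%m-%d %H:%M:%S GMT"

def parse_verify_output(text):
    # 'Field: value' lines; a value printed on the next line (Serial Num) is
    # attached to the preceding field. Parsing stops at the Extensions block.
    fields, last = {}, None
    for line in text.splitlines():
        if line.startswith("Extensions:"):
            break
        m = re.match(r"^([A-Z][A-Za-z ]*):\s*(.*)$", line)
        if m:
            last, fields[m.group(1)] = m.group(1), m.group(2).strip()
        elif last and line.strip():
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def check_ems_certificate(text, pinned_fingerprint, expected_cn, now=None):
    # Returns (ok, reasons). ok only when the fingerprint equals the value obtained
    # out-of-band from the EMS administrator, the subject CN is the expected EMS,
    # and 'now' (same GMT format; default: current time) is inside the validity period.
    f = parse_verify_output(text)
    when = datetime.strptime(now, DATE_FMT) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    norm = lambda s: s.replace(":", "").replace(" ", "").upper()
    reasons = []
    if norm(f.get("Fingerprint", "")) != norm(pinned_fingerprint):
        reasons.append("fingerprint does not match the pinned value")
    cn = re.search(r"\bCN = ([^,]+)", f.get("Subject", ""))
    if not cn or cn.group(1).strip() != expected_cn:
        reasons.append("subject CN is not the expected EMS")
    start = datetime.strptime(f["Valid from"], DATE_FMT)
    end = datetime.strptime(f["Valid to"], DATE_FMT)
    if not start <= when <= end:
        reasons.append("certificate is outside its validity period")
    return (not reasons, reasons)
```

Only answer y at the prompt when the check returns ok; a fingerprint mismatch means the device you are about to trust is not the EMS whose fingerprint the administrator gave you.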
Using EMS tag for endpoint control
You can create Zero Trust tagging rules for endpoints on an EMS server based on operating system versions, logged-in domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints under different tags. FortiPAM can use these ZTNA tags in proxy rules (firewall policy) to control which endpoints have access to FortiPAM. For this, at least one FortiClient EMS must be added in Network > Fabric Connectors, and FortiPAM must be successfully connected to this EMS server.
FortiClient EMS is a security management solution that enables scalable and centralized management of endpoints. See ZTNA tag control example.