Administration Guide

ZTNA user control

When ZTNA control is set up on FortiPAM, you can only connect to FortiPAM and launch a secret from an endpoint PC that carries the allowed ZTNA tags. The endpoint PC must have FortiClient installed and must be connected to the same EMS server as FortiPAM.

To use the FortiPAM ZTNA control feature:

  • The client endpoint where FortiClient runs must be connected to the same EMS server as FortiPAM.

  • You must enable the ZTNA Control option when editing a proxy rule. See Editing a proxy rule.

  • To let clients that are not connected to the same EMS as FortiPAM launch secrets without ZTNA control, you must configure another access proxy with a different VIP and with client certificate disabled.

To set up EMS in the GUI:
  1. Go to Network > Fabric Connectors.
  2. Select FortiClient EMS and click Edit.
  3. In Name, enter the EMS name.
  4. In IP/Domain name, enter the IP address or the domain name of the EMS.
  5. In HTTPS port, enter the HTTPS port for the EMS.
  6. Click OK.

    Refer to FortiClient EMS Status to check the status of the FortiClient EMS.

    If there is an error connecting to the EMS server, log in to the EMS server, authorize FortiPAM in Administration > Fabric Device, and click Accept in Verify EMS Server Certificate.

    For more information, see Fabric Connectors.

To set up EMS using the CLI:
  1. In the CLI console, enter the following commands to configure an EMS:

    config endpoint-control fctems
        edit "ems_200"
            set server "10.59.112.200"
        next
    end

  2. After adding an EMS server, the CLI prompts you to verify the EMS server certificate with execute fctems verify ems_200.

    Example:

    execute fctems verify ems_200
    Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
    Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
    Valid from: 2022-04-25 18:17:42 GMT
    Valid to: 2038-01-19 03:14:07 GMT
    Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
    Root CA: No
    Version: 3
    Serial Num:
    a4:35:c8
    Extensions:
    Name: X509v3 Basic Constraints
    Critical: no
    Content:
    CA:FALSE
    EMS configuration needs user to confirm server certificate.
    Do you wish to add the above certificate to trusted remote certificates? (y/n)y
    Certificate successfully configured and verified.

    If authentication is denied, log in to the EMS server and authorize FortiPAM in Administration > Fabric Device.
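Before answering y at the prompt in step 2, an operator should compare the presented fingerprint and subject CN with values obtained from the EMS administrator out of band, since the prompt is what pins the EMS certificate on FortiPAM. The following Python script is an added example, not part of this guide or of Fortinet's tooling: it parses the verify output shown above (embedded as a constructed sample) and applies that check; the expected fingerprint and CN inputs and the should_trust helper are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Output of "execute fctems verify ems_200" from the guide, embedded here as a
# constructed sample (prompt included, answer not yet given) so the parser runs offline.
VERIFY_OUTPUT = """\
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiClient, CN = FCTEMS8822002925, emailAddress = support@fortinet.com
Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com
Valid from: 2022-04-25 18:17:42 GMT
Valid to: 2038-01-19 03:14:07 GMT
Fingerprint: 35:12:95:DA:A5:2E:20:F9:8F:99:88:75:25:BC:D8:A3
Root CA: No
Serial Num:
a4:35:c8
EMS configuration needs user to confirm server certificate.
Do you wish to add the above certificate to trusted remote certificates? (y/n)
"""

@dataclass
class EmsCert:
    subject_cn: str
    issuer_cn: str
    valid_to: datetime
    fingerprint: str
    root_ca: bool

def parse_verify_output(text: str) -> EmsCert:
    """Extract the fields an operator must compare before answering 'y'."""
    wanted = ("Subject", "Issuer", "Valid to", "Fingerprint", "Root CA")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in wanted:      # serial bytes, prompt text etc. are skipped
            fields[key] = value.strip()
    def cn(dn: str) -> str:
        m = re.search(r"\bCN = ([^,]+)", dn)
        return m.group(1).strip() if m else ""
    return EmsCert(
        subject_cn=cn(fields["Subject"]),
        issuer_cn=cn(fields["Issuer"]),
        valid_to=datetime.strptime(fields["Valid to"], "%Y-%m-%d %H:%M:%S GMT"),
        fingerprint=fields["Fingerprint"].upper(),
        root_ca=fields["Root CA"].lower() == "yes",
    )

def should_trust(cert: EmsCert, expected_fp: str, expected_cn: str, now: datetime) -> bool:
    """True only if fingerprint and CN match the out-of-band record, the cert is unexpired, and it is a leaf cert."""
    fp_ok = cert.fingerprint == expected_fp.replace(" ", "").upper()
    return fp_ok and cert.subject_cn == expected_cn and now < cert.valid_to and not cert.root_ca
```

The fingerprint comparison is case-insensitive so a value copied from the EMS GUI in lowercase still matches.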

Using EMS tag for endpoint control

You can create Zero Trust tagging rules for endpoints on an EMS server based on operating system versions, logged-in domains, running processes, and other criteria. EMS uses the rules to dynamically group endpoints with different tags. FortiPAM can use these ZTNA tags in proxy rules (firewall policy) to control which endpoint has access to FortiPAM. For this, at least one FortiClient EMS must be added in Network > Fabric Connectors, and FortiPAM must be successfully connected to this EMS server.

FortiClient EMS is a security management solution that enables scalable and centralized management of endpoints. See ZTNA tag control example.